Michael Walford-Williams, Managing Director at Westbourne, a risk management consultancy for the financial services and finTech industry, examines the relationship between Financial Services and the Cloud, actions the regulators are taking, what this means for FinTech firms, and what FinTech's that are reliant on third party providers (especially Cloud Service Providers) can do to improve and fulfil the regulators obligations.
The UK regulators have now recently outlined their expectations for Operational Resilience of third parties, including Cloud Service Providers. This leaves many FinTech firms asking, “What will we do if our Cloud Service Provider fails," "Will we be compliant if we use a single Cloud Service Provider?” and “Are we resilient enough?”
The financial services industry is more reliant on Cloud Service Providers (CSPs) than ever before. But recent outages, like the one in London on the hottest day ever recorded in July 1 ,and others over the last few years 2 remind us that even the tech giants are not invulnerable. In fact, they can pose a risk to the firms that use them and to the wider financial industry.
The UK financial regulators have now recognised these risks and are taking action. UK regulators have recently outlined their expectations for Operational Resilience, with the resilience of third parties including CSPs very much at its heart. In addition, HM Treasury has recently released a policy statement 3outlining their intent together with the supervisory authorities (PRA, FCA and Bank of England) to regulate critical third parties to the financial sector (including CSPs), under new powers given by the Financial Services and Markets Bill.
All this now has FinTech firms asking, sometimes for the first time, “What will we do if our CSP fails?” and “are we resilient enough?”
Relationship between Financial Services and the cloud?
This scrutiny is partly driven by the huge shift to the cloud that’s taken place in the past few years. In 2020 4, 91% of Financial Services firms were actively using cloud services or planned to in the next 9 months. Today, that figure is much higher, with a new breed of finTech and financial services built from the ground up on cloud platforms, keen to make use of the benefits of outsourcing their technology infrastructure. The vast majority are heavily invested in the industry’s three biggest players - Microsoft, Amazon and Google.
Regulators have identified CSPs as one of the most critical third party dependencies for many firms and are worried about the systemic risks that come from an industry that’s reliant on a handful of tech giants.
What are the Regulators doing?
Despite the intention to regulate critical third parties directly, the regulators have made it clear that they still expect firms will, “continue to have primary responsibility for managing risks stemming from their outsourcing and third party dependencies” 5. That means that regulated financial services firms are still on the hook for managing the risks associated with using cloud providers, including service availability and data security.
In the last newsletter we looked at the new Operational Resilience regulations in the UK, and how as part of implementing an Operational Resilience framework, firms will need to identify their ‘important business services’, map supporting elements such as teams and technology (including where outsourced to a third party), and to test their important business services against severe yet plausible scenario tests. The regulators are now looking to clarify what they think this means in practice and how they expect firms to respond.
Speaking at the City & Financial Operational Resilience for Financial Services Summit in May, Duncan Mackinnon of the PRA set out the PRA’s expectations for how firms should take Operational Resilience forward over the transition period between now and March 2025, and made specific references to how firms should approach Operation Resilience for critical third party dependencies.
Some key points made were:
● Scenarios around ‘data integrity’ and ‘third party disruptions’ should be included aspart of scenario testing. 6
● Firms will be expected to build resilience for vulnerabilities identified, “Firms may have to build substitutability into the way services are delivered. For example, they might build an additional data centre or facility, such that when failures occur, services can be transferred and delivered to the same standard by different means.” 7
This will include for vulnerabilities relating to third parties. This indicates that even when firms have built resilience within one cloud provider, including making use of disparate availability zones, and inter-regional replication etc, the regulators might not see this as enough. They regard disruption to the entirety of services from a single third party provider such as Google, Amazon or Microsoft as a ‘severe yet plausible scenario’ so this is something that firms should test against and be resilient to.
Where they talk about ‘substitutability’ in the way services are delivered, this could be achieved in a number of ways. For example, moving to a hybrid model that incorporates both third party cloud and on-premises technology, or to a model that uses more than one CSP, but the underlying principle is that the service provided by the CSP should continue in the event of a disruption to the third party.
The PRA do, however, understand that this may not be easy, and will come at a cost for many firms. So, they also expect Operational Resilience to “become a major consideration in their investment programmes.”8 For this reason they want Operational Resilience to be on the agenda at the highest level of decision making within firms.
Increased scrutiny on cloud service providers
Despite the measures put in place under Operational Resilience and Third Party risk management regulations, the regulators are aware that “no single firm or FMI can adequately monitor or manage the systemic risks that certain third parties pose to the supervisory authorities’ objectives” 9, The regulators know that when it comes to the systemic risk posed by the financial sector’s increasing reliance on a small number of third parties including CSPs, this is a risk that they must manage, and to that end are seeking new powers to directly
regulate critical service providers to the financial industry.
Discussion paper DP3/22, 10 released on the 21st June by the Bank of England, is the first step towards outlining how the regulators might go about managing this risk and includes three major components. i) Creating a framework to identify third parties as systemically important, ii) imposing minimum resilience standards on third parties that are and iii) Resilience testing of these third parties.
Is it the end of the road for Fintech firms’ reliant on a single Cloud Service Provider?
With these regulatory developments in mind, FinTechs and other financial institutions are now asking, ‘Will we be compliant if we use a single CSP?”
For the moment, the answer is: “Possibly”. Firms can still build their technology however they please, however they will need to demonstrate that they are not critically reliant on a single CSP such that the failure of the provider would cause them to breach impact tolerances for important business services. They will be able to do this through effective scenario testing of such a failure and well documented and tested exit plans. How firms achieve this will vary and will depend on the circumstances of the firm, the length / severity of their impact tolerances and how their technology infrastructure has been architected.
How firms will demonstrate they are not reliant on a single CSP will also vary, for example, some firms are employing a hybrid model between different cloud providers, some are using a hybrid of Cloud and proprietary “on premises” technology, while some may only look to have an agreement in place with a second provider, which would facilitate and accelerate migration if needed, without going as far as building out technology with the secondary provider.
What can FinTech firms do now?
Scenario Testing: Undertake scenario testing of certain scenarios involving a disruption to, or total loss of services to your cloud service provider. This doesn’t mean you have to ‘go to eleven’ straight away, the sophistication of the test and the severity of the scenario can mature over time, but you should start to understand what effect the loss of a CSP would have on your ability to deliver your “important business services”. It’s likely that you may have tested various third party components before, but firms should also look at a complete loss of third party scenario.
Investigate potential actions to reduce reliance on a single provider: If your scenarios show that impact tolerances could be in jeopardy in the event of a complete failure of the provider, look at potential actions to mitigate this. How can you increase your resilience if these scenarios were to happen? This could mean looking at ways to architect your technology infrastructure to rely less on a single provider. These may not be quick or easy fixes, - and the regulators are aware of this - but it’s best to start understanding what your options are and to develop a plan to increase resilience over time.
Include resilience in strategy decisions: Ensure that resilience is considered at the highest levels of strategic decision making. Up there with company strategic objectives, financial forecasting and cost efficiency, firms should ask themselves how certain strategy decisions affect resilience, especially in the light of the regulatory direction. It is often easier to build resilience by design rather than cater for it later down the road once a solution has been built out. This is particularly relevant when making decisions about using third party technology (e.g. CSPs ), outsourcing people and processes, and decisions about location strategy.
Whatever the situation of individual firms, CEOs and CTOs of FinTechs should be aware that they will continue to be asked questions about their reliance on third parties including Cloud Service Providers and their level of resilience in the event of a major disruption to those providers. Therefore if not already, resilience considerations should be front and centre in future business and technology strategies.This could be a tough challenge and for some firms not easily resolved, but this is the way things are moving, firms that get above the clouds now, will avoid the rain that’s most definitely coming later.
Article References:
3 - https://www.gov.uk/government/publications/critical-third-parties-to-the-finance-sector-policy-statement/critical-third-parties-to-the-finance-sector-policy-statement
5 - https://www.bankofengland.co.uk/-/media/boe/files/financial-policy-summary-and-record/2021/october-2021.pdf
6,7,8 - https://www.bankofengland.co.uk/speech/2022/may/duncan-mackinnon-speech-at-the-city-and-financial-9th-annual-operational-resilience
9 - https://www.bankofengland.co.uk/prudential-regulation/publication/2022/july/operational-resilience-critical-third-parties-uk-financial-sector
Operational Resilience & Third Party Providers - Are you Resilient Enough?
Written By
Michael Walford-Williams, Managing Director at Westbourne
Connect with Micheal Walford-Williams on LinkedIn
Could you benefit from Westbourne's services?
Westbourne is a risk management consultancy for the financial services and FinTech industry. As leading specialists in their field, they support firms of all sizes from startups to some of the world's largest financial institutions. They also provide expertise within global regulatory environments across the areas they support, most notably in the U.S, Singapore & Hong Kong.
Westbourne helps firms enhance the way they manage risk and meet regulatory requirements, with risk management frameworks that give you confidence in your operations. Providing risk management services to the next generation of financial firms they take advantage of the latest technologies and innovative methodologies to make risk management, simpler, more flexible and more effective, helping you achieve your goals faster.
Westbourne specialise in the following areas:
Click the link to learn more about Westbourne and their services