EBA Outsourcing Guidelines or Operational Resilience – which to prioritise?
I have been focusing on a couple of areas within my fintech practice recently – the upcoming EBA Outsourcing Guidelines and Operational Resilience (OpRes). As two hot topics in financial regulation at the moment, it is worth starting at the beginning by defining them and ending by suggesting where we go from here.
Current financial regulation on outsourcing
We used to be pretty familiar with the outsourcing rules in financial regulation, as banks and other financial services firms were subject to SYSC 8 for a long time and, from 2006, to the Committee of European Banking Supervisors’ (CEBS) Guidelines on Outsourcing.
Over the past couple of years we have also seen the UK Financial Conduct Authority (FCA) attempting to settle on a position on the use of cloud computing, with varying degrees of application to banking.
The current rules on the outsourcing of critical or important functions now sit in MiFID 2’s Delegated Regulation (Commission Delegated Regulation (EU) 2017/565), and SYSC 8’s scope has been reduced accordingly to apply to UCITS Investment Trusts only, resulting in what seems to be a regulatory gap. I say “seems” because I have never been asked by a client to advise on the current position on the regulation of outsourcing. Everyone has instead been distracted by the impending introduction of the EBA Guidelines, with the draft consulted on from June 2018 and the final version published in February 2019.
I also haven’t got my head around whether the MiFID 2 outsourcing rules will continue to apply after the Guidelines come into force on 30 September 2019. I will address this conundrum in due course in a later edition, along with the impact of Brexit on the applicability of the Guidelines to UK firms.
Operational Resilience
As consumers and firms come to rely more heavily on technology in financial services, the availability and stability of firms’ IT systems has become crucial to the financial sector.
The vulnerabilities created by that reliance have been well illustrated by a growing number of high-profile, high-impact operational incidents, from cyber-attacks to IT failures.
Many of these concerns have intensified as firms (and the economies in which they operate) have become more exposed through the opening of digital access routes; the increasing adoption of fintech; the greater use of (and reliance on) outsourcing; the widening range of cyber threats; and customers’ demands for high-quality, instantaneous services.
The UK Treasury Committee last week launched a new inquiry into IT failures in the financial services sector, which have been significant in recent years. The Committee will examine the ability of firms, particularly incumbent banks, to guard against service disruptions and to put things right when they occur.
These concerns have been encapsulated within the concept of OpRes. The term isn’t new, however: it used to be discussed under the heading of operational risk (OpRisk) before it was spun off on its own.
The EBA has touched on the subject, although the rest of the EU has not really latched on to it in the way the UK financial regulators have.
The three UK financial regulators (the Bank of England, the PRA and the FCA) jointly issued a Discussion Paper formally introducing the concept of OpRes in July 2018, which closed by saying that they intend to follow it with formal rules.
The Bank of England has since confirmed that it will take on the mantle by issuing something in Q4 2019. It has also taken on the responsibility of defining the concept as: “an organisation’s ability to protect or sustain its critical functions, and underlying assets, while adapting to expected or unexpected occurrences of operational stress or disruption”.
As mentioned above, firms and their regulators have traditionally focused on OpRisk, rather than OpRes. I know I did when I headed up a legal and compliance function in a bank.
OpRisk is defined, in the Basel Committee’s formulation, as: “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”.
Whereas OpRisk aims to reduce the probability that an event disrupts a firm’s systems, people and processes, OpRes assumes that disruption will occur at some point and looks more broadly at its consequences, and at how the firm responds and recovers, rather than only at its causes.
Put more fully, OpRes addresses the ability of firms (and the financial sector as a whole) to prevent, respond to, recover from and learn from operational disruptions.
It is because of this broader view that OpRes has become a focus for the UK financial regulators, who now consider it no less important than financial resilience.
OpRes is the new, grown-up way of regulating the financial sector.
EBA Outsourcing Guidelines
Firms are already undertaking multiple risk management activities that fall under the broad umbrella of operational resilience, despite the absence of any specific rules on it. Cyber security and third-party risk management (of which outsourcing is a part) are two examples.
This position was confirmed in the FCA’s and the UK Prudential Regulation Authority’s (PRA) joint investigation into Raphaels Bank, which resulted in combined fines of £1.89 million for failing to manage its outsourcing arrangements properly and in which the regulators pointed to OpRes and to their Discussion Paper on the subject.
Third-party risk management, including outsourcing, is one of the five challenges that the Discussion Paper treats as pillars. Outsourcing will therefore become a subset of that concept once rules on it are issued.
As the FCA and PRA went on to say in the Raphaels case: “outsourcing is an important part of a firm’s operational resilience, and particularly so in the case of Raphaels given the level of reliance on outsourcing in its business model”.
However, if OpRes is so important, and yet the Guidelines come into force on 30 September 2019, what should firms be focusing on?
The Guidelines will become current regulation before any OpRes rules are introduced, and should therefore be observed and followed in firms’ supply chain relationships in the meantime.
Compliance with them will fit neatly within any OpRes rules when those finally appear.
Firms should therefore continue to prepare their supply chain relationships for compliance with the upcoming EBA Guidelines.
As ever, compliance is a matter of planning ahead, so bearing the EBA Guidelines in mind now will be key.
By Howard Womersley Smith, partner at Reed Smith