A&O Shearman | FinReg

Final Technical Standards on Subcontracting ICT Services Under the EU Digital Operational Resilience Act

July 26, 2024

The European Supervisory Authorities have published a final report on draft regulatory technical standards to specify the elements that a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of the Digital Operational Resilience Act. The draft RTS set out requirements when the use of subcontracted ICT services supporting critical or important functions or material parts thereof by ICT third-party service providers is permitted by financial entities and set out the conditions applying to such subcontracting. In particular, the draft RTS require financial entities to assess the risks associated with subcontracting during the precontractual phase, which includes the due diligence process.

The draft RTS also set out requirements regarding the implementation, monitoring, and management of contractual arrangements regarding the subcontracting conditions for the use of ICT services supporting critical or important functions or material parts thereof ensuring that financial entities are able to monitor the entire ICT subcontracting chain of ICT services supporting critical or important functions. The ESAs will now submit the draft RTS to the European Commission for adoption.

Topic : Operational Resilience

King's Speech 2024

July 17, 2024

The King's speech to Parliament sets out the new government's legislative program. The government has published background briefing notes relating to the King's Speech, providing a summary of the legislation to be brought forward. The Bills announced, in relation to financial services, include:

A Bank Resolution (Recapitalisation) Bill, which would aim to enhance the U.K.'s resolution regime, providing the Bank of England with a more flexible toolkit to respond to the failure of small banks. The Bill would expand the statutory function of the Financial Services Compensation Scheme to provide funds to the BoE upon request, to be used where necessary to support the resolution of a failing bank. The FSCS would then recover the funds provided by charging levies on the banking sector, similar to the current arrangements for funding depositor pay-outs in insolvency. Credit unions will not be in scope of this levy. The BoE will also be provided with the power to require a bank in resolution to issue new shares, facilitating the use of FSCS funds to meet a failing bank's recapitalization costs.

Topic : Operational Resilience

EU Technical Standards on classification of ICT-Related Incidents, Contractual Arrangements Policy and Risk Management Tools Published

June 25, 2024

The following three regulatory technical standards supplementing the Digital Operational Resilience Act have been published in the Official Journal of the European Union:

RTS on the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (Delegated Regulation 2024/1772).
RTS specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (Delegated Regulation 2024/1773).
RTS specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework (Delegated Regulation 2024/1774).

The Delegated Regulations will enter into force on July 15, 2024, the twentieth day following their publication in the Official Journal.

Topic : Operational Resilience

EU Consultation on Draft Technical Standards for Operational Risk Loss under Third Capital Requirements Regulation

June 6, 2024

The European Banking Authority has opened a consultation on a package of draft regulatory technical standards that aim to standardize the collection and the record of operational risk losses and to provide clarity on the exemptions for the calculation of the annual operational risk loss and on the adjustments to the loss data set that banks must perform in case of merged or acquired entities or activities. The package consists of:

Draft RTS on establishing a risk taxonomy on operational risk, which provide a list of operational risk event types, categories, and attributes that institutions must use when recording operational risk loss events in line with the current framework and the international standards.
Draft RTS on the conditions under which it would be unduly burdensome for an institution to calculate the annual operational risk loss. In such cases, the draft RTS allow for a temporary waiver from the requirement to calculate the annual operational risk loss.
Draft RTS on the adjustments to an institution's loss data set following the inclusion of losses from merged or acquired entities or activities, which provide indications on the currency and the risk taxonomy to be used when incorporating the loss data set of merged entities or activities.

The deadline for comments is September 6, 2024. The EBA intends to finalize the draft RTS by the end of 2024.

Topics : Bank Prudential Regulation & Regulatory Capital, Operational Resilience

UK Prudential Regulation Authority Delays Publication of Second Resolvability Assessment Due to General Election

June 6, 2024

The Prudential Regulation Authority has published a modification by consent of Rule 4.1 of the Resolution Assessment Part of the PRA Rulebook. The PRA explains that, as with previous general elections, it will be following the Cabinet Office's election guidance, which includes limiting communications activities until after the election. In line with this approach, the Bank of England and PRA have chosen to delay publication of the second Resolvability Assessment Framework assessment of the major U.K. banks to early August. The publication of the BoE's assessment was due by June 14, 2024, alongside firms' own public disclosures (as required by Rule 4.1 of the Resolution Assessment Part of the PRA Rulebook). As such, the PRA is offering a modification by consent to delay the deadline for firms to publish their RAF disclosures from the second Friday in June, to the second Friday in August at the latest. Each firm that wishes to take advantage of this modification should consider the terms of the direction.

Topics : Bank Prudential Regulation & Regulatory Capital, Operational Resilience

International Organization of Securities Commissions Report on Trading Venues' Resilience

June 5, 2024

The International Organization of Securities Commissions has published its final report on market outages. The report examines key findings from recent market outages on listing trading venues in IOSCO jurisdictions and builds on past IOSCO work on operational resilience and business continuity planning to identify good practices for listing trading venues that may enhance market-wide resilience in the event of a market outage.

The good practices include: (a) establishing and publishing an outage plan; (b) implementing a communication plan, which provides, through an appropriate communication channel, initial notice (as soon as practicable) of the outage to market participants and the general public and, thereafter, regular updates to all market participants on the status of the outage and the recovery pathway; (c) communicating information relevant to the reopening of trading in a timely and simultaneous manner to all market participants, providing clarity on the status of orders and ensuring an adequate period of notice before the resumption of trading; (d) ensuring the processes and procedures that trading venues will follow to operate a closing auction and/or to establish alternative closing prices are published in the outage plan and communicated to all market participants during an outage; and (e) conducting and sharing with the relevant regulators a lessons-learnt exercise of the market outage and adopt a post-outage plan, with clearly defined timelines and allocation of responsibilities for remediation, designed to reduce the likelihood of future incidents and to improve the ability of the trading venue to effectively respond to outages.

Read more.

Topics : Financial Market Infrastructure, Operational Resilience

European Central Bank Consults on Draft Guide on Outsourcing Cloud Services

June 3, 2024

The European Central Bank has opened a consultation on a draft guide on outsourcing cloud services to cloud service providers. The guide aims to clarify both the ECB's understanding of related legal requirements, including those under the EU's Digital Operational Resilience Act and the Capital Requirement Directive, and its expectations for the banks it supervises. The guide sets out detailed supervisory expectations, drawing on risks and best practices observed in the context of ongoing supervision and dedicated on-site inspections. It covers topics including: (i) the governance of cloud services; (ii) the availability and resilience of cloud services; (iii) ICT security, data confidentiality and integrity; (iv) exit strategy and termination rights; and (v) oversight monitoring and internal audits. The deadline for comments is July 15, 2024.

Topics : Bank Prudential Regulation & Regulatory Capital, Operational Resilience

Delegated Regulations under the EU Digital Operational Resilience Act Published

May 30, 2024

The following Delegated Regulations supplementing Digital Operational Resilience Act have been published in the Official Journal of the European Union:

Delegated Regulation (EU) 2024/1502 on the criteria for the designation of ICT third-party service providers as critical for financial entities.
Delegated Regulation (EU) 2024/1505 determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid.

Both Delegated Regulations will enter into force on June 19, 2024, except for the systemic assessment sub-criterion on the ICT third-party service provider's dependency on subcontractors, which will be effective as of January 16, 2025.

Topic : Operational Resilience

UK Financial Conduct Authority Shares Insights on Firms’ Preparations for Operational Resilience

May 28, 2024

The Financial Conduct Authority has set out its observations and insights on the preparations firms have made towards complying with its operational resilience rules ahead of March 31, 2025. The FCA expects firms to use these observations to review their approach and assess their readiness on the following key areas of the policy:

important business services;
impact tolerance;
mapping and third parties;
scenario testing;
vulnerabilities and remediation;
response and recovery plans; and
governance and self-assessment.

Topic : Operational Resilience

European Systemic Risk Board Publishes Recommendation on Pan-European Systemic Cyber Incident Coordination Framework

01/27/2022

The European Systemic Risk Board has published a Recommendation on a pan-European systemic cyber incident coordination framework for EU national regulators. The ESRB observes that major cyber incidents may pose a systemic risk to the financial system, as they are capable of disrupting critical financial services and operations. This could in turn lead to contagion or an erosion of confidence in the financial system. The COVID-19 pandemic has also brought the threat of cyber incidents to the fore, as the number of cyber incidents reported to the ECB increased by 54% between 2019 and 2020. The Recommendation aims to build on the proposed roles of the European Supervisory Authorities under the EU's proposed Regulation on digital operational resilience for the financial sector. DORA is intended to strengthen digital operational resilience considering the risks arising from the increase in digital opportunities within the financial sector.

Read more.

Topics : Cyber Security, Operational Resilience

European Supervisory Authorities Publish Joint Response on Proposed EU Digital Operational Resilience Act

02/09/2021

The European Supervisory Authorities (the European Securities and Markets Authority, the European Banking Authority and the European Insurance and Occupational Pensions Authority) have published a letter to the European Parliament, the Council of the European Union and the European Commission, setting out responses to the proposed EU Digital Operational Resilience Act, a new piece of EU regulation on digital operational resilience for the financial sector. The European Commission first published the draft DORA in September 2020. It forms part of the European Commission's digital finance strategy, which aims to embrace digital finance for the benefit of consumers and businesses while ensuring digital transformation is soundly regulated. The DORA is particularly focused on combatting risks arising from information and communication technologies in order to protect operational resilience and the performance of the financial system.

Read more.

Topic : Operational Resilience

European Commission Proposals for Digital Operational Resilience Regulation and Amending Directive

09/24/2020

The European Commission has published proposals for a new EU Regulation on digital operational resilience for the financial sector and a new EU Directive amending certain pieces of existing EU financial services legislation to strengthen digital operational resilience and provide legal certainty on crypto-assets. The new legislation has been proposed as a result of the risks arising from the increase in digital opportunities within the financial sector. There are currently no detailed rules at EU level on digital operational resilience, exposing the need for comprehensive and harmonized legislation governing this area.

Read more.

Topics : Cyber Security, Operational Resilience

Basel Committee on Banking Supervision Proposes Principles for Operational Risk

08/06/2020

The Basel Committee on Banking Supervision has opened a consultation on proposed principles for operational resilience and updated Principles for the Sound Management of Operational Risk (PSMOR). The consultation closes on November 6, 2020.

Read more.

Topics : Bank Prudential Regulation & Regulatory Capital, COVID-19, Operational Resilience

UK Conduct Regulator Update on COVID-19 Response and 2020 Expectations

06/04/2020

The U.K. Financial Conduct Authority’s Executive Director of Supervision for Investment, Wholesale and Specialists, Megan Butler, has given a speech setting out the FCA’s current priorities, its expectations of firms during the COVID-19 pandemic and the outcomes it is focusing on for the wealth management sector, as well as the future priorities for financial regulation.

The FCA initially prioritized immediate relief for firms and consumers, including on mortgages and unsecured lending products, at the outset of the COVID-19 crisis, but is now looking at how it will respond to the challenges of COVID-19 on a more long-term basis. This longer-term approach includes ensuring a good level of operational resilience (in line with the FCA’s ongoing consultation on that topic), that markets can continue to function well, that customers are treated fairly and protected from scams and that the FCA understands firms’ financial resilience so that they can fail in an orderly manner.

Read more.

Topics : Conduct & Culture, COVID-19, Operational Resilience

UK Regulators Launch Consultation on Operational Resilience in Financial Services

12/05/2019

The Bank of England, U.K. Prudential Regulation Authority and U.K. Financial Conduct Authority have published a shared policy summary and consultation papers on strengthening operational resilience in the financial services sector. The consultation impacts banks, building societies, PRA-designated investment firms, firms subject to the Solvency II Directive, recognized investment exchanges, CCPs, central securities depositories, payment system operators, FCA enhanced scope SM&CR firms and entities authorized and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011. Responses to the consultation should be submitted by April 3, 2020.

Read more.

Topics : Bank Prudential Regulation & Regulatory Capital, Financial Market Infrastructure, Operational Resilience, Payment Services

UK Parliamentary Committee Launches Inquiry Into Operational Resilience in the Financial Services Sector

11/23/2018

The U.K. Treasury Committee has announced the launch of a new Inquiry into IT failures in the financial services sector. The Inquiry has been launched in response to recent IT failures at a number of financial institutions that have led to consumers being unable to access their bank accounts or becoming subject to fraud.

The Committee will assess the causes and consequences of these recent IT failures. Among other things, the Committee will consider the extent to which such incidents are becoming more frequent, sources of concentration risk in the financial sector, the impact of legacy IT systems, the effect of outsourcing on operational resilience, best practices in responding to operational incidents and whether the U.K. regulators are able to regulate firms' capabilities for responding to such incidents.

Written submissions can be made to the Committee by January 18, 2019. The Committee will also appoint a special advisor to provide policy advice to the Committee on the issues. Individuals interested in the role should respond to the call for Expressions of Interest.

View the announcement.

Topics : Bank Prudential Regulation & Regulatory Capital, Consumer Protection, Cyber Security, Operational Resilience

UK Regulators Seek Views on Improving Operational Resilience of Firms and Financial Market Infrastructures

07/05/2018

The Bank of England, the U.K. Prudential Regulation Authority and the U.K. Financial Conduct Authority have published a joint discussion paper entitled "Building the UK financial sector’s operational resilience." The Discussion Paper is aimed at opening a dialogue with the financial services industry on achieving what the Authorities view as a "step change" in the operational resilience of firms and Financial Market Infrastructures and at generating debate about the expectations regulators and the wider public might have of the operational resilience of financial services institutions.

While the existing regulatory framework already supports operational resilience, the BoE, PRA and FCA are together considering the extent to which they might supplement existing policies, to improve the resilience of the financial system as a whole and increase the focus on operational resilience within firms and FMIs.

Read more.

Topics : Cyber Security, Financial Market Infrastructure, Operational Resilience

The following posts provide a snapshot of selected UK, EU and global financial regulatory developments of interest to banks, investment firms, broker-dealers, market infrastructures, asset managers and corporates.