A&O Shearman | FinReg | Blog
Financial Regulatory Developments Focus


The following posts provide a snapshot of selected UK, EU and global financial regulatory developments of interest to banks, investment firms, broker-dealers, market infrastructures, asset managers and corporates.

  • EU Technical Standards on Classification of ICT-Related Incidents, Contractual Arrangements Policy and Risk Management Tools Published
    June 25, 2024

    The following three regulatory technical standards supplementing the Digital Operational Resilience Act have been published in the Official Journal of the European Union:
    • RTS on the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (Delegated Regulation 2024/1772).
    • RTS specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (Delegated Regulation 2024/1773).
    • RTS specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework (Delegated Regulation 2024/1774).

    The Delegated Regulations will enter into force on July 15, 2024, the twentieth day following their publication in the Official Journal.
  • UK Prudential Regulation Authority Delays Publication of Second Resolvability Assessment Due to General Election
    June 6, 2024

    The Prudential Regulation Authority has published a modification by consent of Rule 4.1 of the Resolution Assessment Part of the PRA Rulebook. The PRA explains that, as with previous general elections, it will be following the Cabinet Office's election guidance, which includes limiting communications activities until after the election. In line with this approach, the Bank of England and PRA have chosen to delay publication of the second Resolvability Assessment Framework assessment of the major U.K. banks to early August. The publication of the BoE's assessment was due by June 14, 2024, alongside firms' own public disclosures (as required by Rule 4.1 of the Resolution Assessment Part of the PRA Rulebook). As such, the PRA is offering a modification by consent to delay the deadline for firms to publish their RAF disclosures from the second Friday in June, to the second Friday in August at the latest. Each firm that wishes to take advantage of this modification should consider the terms of the direction.
  • International Organization of Securities Commissions Report on Trading Venues' Resilience
    June 5, 2024

    The International Organization of Securities Commissions has published its final report on market outages. The report examines key findings from recent market outages on listing trading venues in IOSCO jurisdictions and builds on past IOSCO work on operational resilience and business continuity planning to identify good practices for listing trading venues that may enhance market-wide resilience in the event of a market outage.

    The good practices include: (a) establishing and publishing an outage plan; (b) implementing a communication plan, which provides, through an appropriate communication channel, initial notice (as soon as practicable) of the outage to market participants and the general public and, thereafter, regular updates to all market participants on the status of the outage and the recovery pathway; (c) communicating information relevant to the reopening of trading in a timely and simultaneous manner to all market participants, providing clarity on the status of orders and ensuring an adequate period of notice before the resumption of trading; (d) ensuring the processes and procedures that trading venues will follow to operate a closing auction and/or to establish alternative closing prices are published in the outage plan and communicated to all market participants during an outage; and (e) conducting and sharing with the relevant regulators a lessons-learnt exercise of the market outage and adopting a post-outage plan, with clearly defined timelines and allocation of responsibilities for remediation, designed to reduce the likelihood of future incidents and to improve the ability of the trading venue to effectively respond to outages.

  • European Central Bank Consults on Draft Guide on Outsourcing Cloud Services
    June 3, 2024

    The European Central Bank has opened a consultation on a draft guide on outsourcing cloud services to cloud service providers. The guide aims to clarify both the ECB's understanding of related legal requirements, including those under the EU's Digital Operational Resilience Act and the Capital Requirements Directive, and its expectations for the banks it supervises. The guide sets out detailed supervisory expectations, drawing on risks and best practices observed in the context of ongoing supervision and dedicated on-site inspections. It covers topics including: (i) the governance of cloud services; (ii) the availability and resilience of cloud services; (iii) ICT security, data confidentiality and integrity; (iv) exit strategy and termination rights; and (v) oversight monitoring and internal audits. The deadline for comments is July 15, 2024.
  • Delegated Regulations under the EU Digital Operational Resilience Act Published
    May 30, 2024

    The following Delegated Regulations supplementing the Digital Operational Resilience Act have been published in the Official Journal of the European Union:
    • Delegated Regulation (EU) 2024/1502 on the criteria for the designation of ICT third-party service providers as critical for financial entities.
    • Delegated Regulation (EU) 2024/1505 determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid.

    Both Delegated Regulations will enter into force on June 19, 2024, except for the systemic assessment sub-criterion on the ICT third-party service provider's dependency on subcontractors, which will be effective as of January 16, 2025.
  • UK Financial Conduct Authority Shares Insights on Firms’ Preparations for Operational Resilience
    May 28, 2024

    The Financial Conduct Authority has set out its observations and insights on the preparations firms have made towards complying with its operational resilience rules ahead of March 31, 2025. The FCA expects firms to use these observations to review their approach and assess their readiness on the following key areas of the policy:
    • important business services;
    • impact tolerance;
    • mapping and third parties;
    • scenario testing;
    • vulnerabilities and remediation;
    • response and recovery plans; and
    • governance and self-assessment.

  • European Systemic Risk Board Publishes Recommendation on Pan-European Systemic Cyber Incident Coordination Framework

    The European Systemic Risk Board has published a Recommendation on a pan-European systemic cyber incident coordination framework for EU national regulators. The ESRB observes that major cyber incidents may pose a systemic risk to the financial system, as they are capable of disrupting critical financial services and operations. This could in turn lead to contagion or an erosion of confidence in the financial system. The COVID-19 pandemic has also brought the threat of cyber incidents to the fore, as the number of cyber incidents reported to the ECB increased by 54% between 2019 and 2020. The Recommendation aims to build on the proposed roles of the European Supervisory Authorities under the EU's proposed Regulation on digital operational resilience for the financial sector. DORA is intended to strengthen digital operational resilience considering the risks arising from the increase in digital opportunities within the financial sector.

  • European Supervisory Authorities Publish Joint Response on Proposed EU Digital Operational Resilience Act

    The European Supervisory Authorities (the European Securities and Markets Authority, the European Banking Authority and the European Insurance and Occupational Pensions Authority) have published a letter to the European Parliament, the Council of the European Union and the European Commission, setting out responses to the proposed EU Digital Operational Resilience Act, a new piece of EU regulation on digital operational resilience for the financial sector. The European Commission first published the draft DORA in September 2020. It forms part of the European Commission's digital finance strategy, which aims to embrace digital finance for the benefit of consumers and businesses while ensuring digital transformation is soundly regulated. The DORA is particularly focused on combatting risks arising from information and communication technologies in order to protect operational resilience and the performance of the financial system.

  • European Commission Proposals for Digital Operational Resilience Regulation and Amending Directive 

    The European Commission has published proposals for a new EU Regulation on digital operational resilience for the financial sector and a new EU Directive amending certain pieces of existing EU financial services legislation to strengthen digital operational resilience and provide legal certainty on crypto-assets. The new legislation has been proposed as a result of the risks arising from the increase in digital opportunities within the financial sector. There are currently no detailed rules at EU level on digital operational resilience, exposing the need for comprehensive and harmonized legislation governing this area.

  • Basel Committee on Banking Supervision Proposes Principles for Operational Risk

    The Basel Committee on Banking Supervision has opened a consultation on proposed principles for operational resilience and updated Principles for the Sound Management of Operational Risk (PSMOR). The consultation closes on November 6, 2020.

  • UK Conduct Regulator Update on COVID-19 Response and 2020 Expectations

    The U.K. Financial Conduct Authority’s Executive Director of Supervision for Investment, Wholesale and Specialists, Megan Butler, has given a speech setting out the FCA’s current priorities, its expectations of firms during the COVID-19 pandemic and the outcomes it is focusing on for the wealth management sector, as well as the future priorities for financial regulation.
    The FCA initially prioritized immediate relief for firms and consumers, including on mortgages and unsecured lending products, at the outset of the COVID-19 crisis, but is now looking at how it will respond to the challenges of COVID-19 on a more long-term basis. This longer-term approach includes ensuring a good level of operational resilience (in line with the FCA’s ongoing consultation on that topic), that markets can continue to function well, that customers are treated fairly and protected from scams and that the FCA understands firms’ financial resilience so that they can fail in an orderly manner. 

  • UK Regulators Launch Consultation on Operational Resilience in Financial Services

    The Bank of England, U.K. Prudential Regulation Authority and U.K. Financial Conduct Authority have published a shared policy summary and consultation papers on strengthening operational resilience in the financial services sector. The consultation impacts banks, building societies, PRA-designated investment firms, firms subject to the Solvency II Directive, recognized investment exchanges, CCPs, central securities depositories, payment system operators, FCA enhanced scope SM&CR firms and entities authorized and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011. Responses to the consultation should be submitted by April 3, 2020.

  • UK Parliamentary Committee Launches Inquiry Into Operational Resilience in the Financial Services Sector

    The U.K. Treasury Committee has announced the launch of a new Inquiry into IT failures in the financial services sector. The Inquiry has been launched in response to recent IT failures at a number of financial institutions that have led to consumers being unable to access their bank accounts or becoming subject to fraud.

    The Committee will assess the causes and consequences of these recent IT failures. Among other things, the Committee will consider the extent to which such incidents are becoming more frequent, sources of concentration risk in the financial sector, the impact of legacy IT systems, the effect of outsourcing on operational resilience, best practices in responding to operational incidents and whether the U.K. regulators are able to regulate firms' capabilities for responding to such incidents.

    Written submissions can be made to the Committee by January 18, 2019. The Committee will also appoint a special advisor to provide policy advice to the Committee on the issues. Individuals interested in the role should respond to the call for Expressions of Interest.

  • UK Regulators Seek Views on Improving Operational Resilience of Firms and Financial Market Infrastructures

    The Bank of England, the U.K. Prudential Regulation Authority and the U.K. Financial Conduct Authority have published a joint discussion paper entitled "Building the UK financial sector’s operational resilience." The Discussion Paper is aimed at opening a dialogue with the financial services industry on achieving what the Authorities view as a "step change" in the operational resilience of firms and Financial Market Infrastructures and at generating debate about the expectations regulators and the wider public might have of the operational resilience of financial services institutions.

    While the existing regulatory framework already supports operational resilience, the BoE, PRA and FCA are together considering the extent to which they might supplement existing policies, to improve the resilience of the financial system as a whole and increase the focus on operational resilience within firms and FMIs.
