The following posts provide a snapshot of selected UK, EU and global financial regulatory developments of interest to banks, investment firms, broker-dealers, market infrastructures, asset managers and corporates.
UK Regulators Finalize Rules on Critical Third Parties to the UK Financial Sector
November 12, 2024
The Prudential Regulation Authority and Financial Conduct Authority have published a joint policy statement on operational resilience for critical third parties (CTPs) to the U.K. financial sector, which includes their final rules for CTPs. The overall objective of the final policy is to manage risks to the stability of, or confidence in, the U.K. financial system that may arise from a failure in, or disruption to, the services that a CTP provides to one or more authorized persons, relevant service providers and/or financial market infrastructure entities.
The rules will take effect from January 1, 2025, but will only apply to individual CTPs from the date their HM Treasury CTP designations come into force. HM Treasury has not yet made any such CTP designations.
European Commission Adopts Regulatory Technical Standards on Conduct of Oversight Activities under EU Digital Operational Resilience Act
October 24, 2024
The European Commission has adopted a Commission Delegated Regulation supplementing the EU Digital Operational Resilience Act with Regulatory Technical Standards on the harmonization of conditions enabling the conduct of oversight activities. The RTS cover: (i) the information to be provided by an ICT third-party service provider in its application for voluntary designation as critical; (ii) the information that ICT third-party service providers must submit so that the Lead Overseer can carry out its duties; and (iii) the details of the competent authorities' assessment of the measures taken by critical ICT third-party service providers in response to the recommendations of the Lead Overseer. Separate RTS will be adopted on the criteria for determining the composition of the joint examination team, its designation, tasks and working arrangements. The Delegated Regulation will enter into force 20 days after its publication in the Official Journal of the European Union. DORA will apply as of January 17, 2025.
Topic: Operational Resilience
European Commission Adopts Implementing Technical Standards and Regulatory Technical Standards on Notification of Major ICT-Incidents and Cyber Threats under EU Digital Operational Resilience Act
October 23, 2024
The European Commission has adopted the following legislation supplementing the EU Digital Operational Resilience Act: (i) a Commission Delegated Regulation containing Regulatory Technical Standards specifying the content and time limits for the initial notification of, and intermediate and final report on, major ICT-related incidents, and the content of the voluntary notification for significant cyber threats; and (ii) a Commission Implementing Regulation laying down Implementing Technical Standards with regard to the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat. The Council of the European Union and the European Parliament will now scrutinize the Delegated Regulation. If neither objects, it will be published in the Official Journal of the European Union. The Implementing Regulation will be published in the Official Journal without further scrutiny. Both Regulations will enter into force 20 days after publication in the Official Journal of the European Union. DORA will apply as of January 17, 2025.
Topic: Operational Resilience
Financial Stability Board Letter to G20 Finance Ministers and Central Bank Governors – Cyber and Operational Resilience
October 22, 2024
The Financial Stability Board has published a letter sent to G20 finance ministers and central bank governors providing an update on various workstreams, including on cyber and operational resilience. The FSB notes that cyber and operational resilience risks continue to pose a threat to financial stability and is therefore delivering, for public consultation, a common Format for Incident Reporting Exchange (FIRE). FIRE is designed to enhance convergence in incident reporting, address the operational challenges arising from reporting to multiple authorities and foster better communication among authorities. After the public consultation, the FSB expects to publish the final version of FIRE by Q2 2025. The FSB's other publications include: (i) G20 status reports on crypto-asset policy implementation; (ii) a report on the financial stability implications of tokenization; (iii) G20 roadmap progress reports on cross-border payments; and (iv) a report on lessons learned from the March 2023 banking turmoil.
Topic: Operational Resilience
Revised Eurosystem Cyber Resilience Strategy Published
October 18, 2024
The Eurosystem has published a revised cyber resilience strategy to address evolving cyber threats. The revised strategy updates the original 2017 strategy, taking account of the changed threat landscape, industry best practices, lessons learned from applying the original strategy and practical experience with the Guidance on cyber resilience for financial market infrastructures issued by the Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions.
Revisions to the strategy include: (i) bringing in the non-FMI entities that are overseen under the Eurosystem oversight framework for electronic payment instruments, schemes and arrangements (the PISA framework), which are encouraged to use the tools developed by the Eurosystem to periodically assess and continuously enhance their cyber resilience; (ii) measures to address threats linked to geopolitical tensions or to technological innovation such as artificial intelligence and quantum computing; and (iii) amendments reflecting recent EU legislation, namely the EU Digital Operational Resilience Act, which applies to certain FMIs covered by the strategy, including central securities depositories and central counterparties. The strategy also includes a new overarching component for monitoring implementation, which is designed to promote harmonization.
Topic: Operational Resilience
European Central Bank Publishes Paper on TIBER-EU and EU Digital Operational Resilience Act Requirements
September 26, 2024
The European Central Bank has published a paper outlining how the European framework for threat intelligence-based ethical red teaming, TIBER-EU, can help competent authorities and financial entities fulfil their threat-led penetration testing (TLPT) requirements under the EU Digital Operational Resilience Act. TIBER-EU is a common European framework that delivers a controlled, bespoke and intelligence-led red team test of a financial entity's critical live production systems. It was established as a tool for testing and improving key elements of the cyber resilience of participating financial entities, with a strong focus on the learning opportunities the testing provides. The ECB's view is that guiding and performing TLPT on the basis of the DORA regulatory technical standards alone will be challenging, given the high standards such tests require, but that TIBER-EU alleviates these difficulties to a large extent and provides a framework that can be used to satisfy the DORA TLPT requirements. The paper considers the benefits of the TIBER-EU framework for authorities and for financial entities subject to DORA.
Topic: Operational Resilience
European Central Bank Supervisory Board Speech on Banks' Operational Resilience
September 4, 2024
The European Central Bank has published a speech by Frank Elderson, ECB Executive Board member and Supervisory Board Vice-Chair, on banks' operational resilience. Operational resilience has become a key priority for regulators globally. Mr Elderson notes that the EU's Digital Operational Resilience Act, which applies from January 17, 2025, will significantly enhance IT and cyber risk management. However, the ECB's cyber resilience stress test earlier this year showed that there is scope for improvement, and the ECB is calling on Eurozone banks to prioritize operational and cyber resilience.
Topic: Operational Resilience
Final Technical Standards on Subcontracting ICT Services Under the EU Digital Operational Resilience Act
July 26, 2024
The European Supervisory Authorities have published a final report on draft regulatory technical standards to specify the elements that a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions as mandated by Article 30(5) of the Digital Operational Resilience Act. The draft RTS set out requirements when the use of subcontracted ICT services supporting critical or important functions or material parts thereof by ICT third-party service providers is permitted by financial entities and set out the conditions applying to such subcontracting. In particular, the draft RTS require financial entities to assess the risks associated with subcontracting during the precontractual phase, which includes the due diligence process.
The draft RTS also set out requirements for the implementation, monitoring and management of contractual arrangements on the subcontracting conditions for the use of ICT services supporting critical or important functions, or material parts thereof, so that financial entities are able to monitor the entire ICT subcontracting chain for those services. The ESAs will now submit the draft RTS to the European Commission for adoption.
Topic: Operational Resilience
King's Speech 2024
July 17, 2024
The King's speech to Parliament sets out the new government's legislative program. The government has published background briefing notes on the King's Speech, providing a summary of the legislation to be brought forward. The Bills announced in relation to financial services include:
- A Bank Resolution (Recapitalisation) Bill, which would aim to enhance the U.K.'s resolution regime, giving the Bank of England a more flexible toolkit to respond to the failure of small banks. The Bill would expand the statutory function of the Financial Services Compensation Scheme to provide funds to the BoE upon request, to be used where necessary to support the resolution of a failing bank. The FSCS would then recover the funds provided by charging levies on the banking sector, similar to the current arrangements for funding depositor pay-outs in insolvency. Credit unions will not be in scope of this levy. The BoE will also be given the power to require a bank in resolution to issue new shares, facilitating the use of FSCS funds to meet a failing bank's recapitalization costs.
European Supervisory Authorities Finalize Second Set of Technical Standards and Guidelines Under Digital Operational Resilience Act
July 17, 2024
The European Supervisory Authorities have published the final reports for the second set of policy materials under the Digital Operational Resilience Act. These are the:
- Final report on draft regulatory technical standards and implementing technical standards on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats under Article 20 DORA.
- Final report on draft RTS on the harmonization of conditions enabling the conduct of the oversight activities under Article 41(1)(c) DORA.
- Final report on draft RTS on the harmonization of conditions enabling the conduct of the oversight activities under Article 41(1)(a), (b) and (d) of DORA.
- Final report on draft RTS specifying elements related to threat-led penetration tests under Article 26(11) DORA.
- Final report on joint guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents under Article 11(11) DORA.
Topic: Operational Resilience
EU Technical Standards on classification of ICT-Related Incidents, Contractual Arrangements Policy and Risk Management Tools Published
June 25, 2024
The following three regulatory technical standards supplementing the Digital Operational Resilience Act have been published in the Official Journal of the European Union:
- RTS on the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents (Delegated Regulation 2024/1772).
- RTS specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (Delegated Regulation 2024/1773).
- RTS specifying ICT risk management tools, methods, processes and policies and the simplified ICT risk management framework (Delegated Regulation 2024/1774).
The Delegated Regulations will enter into force on July 15, 2024, the twentieth day following their publication in the Official Journal.
Topic: Operational Resilience
EU Consultation on Draft Technical Standards for Operational Risk Loss under Third Capital Requirements Regulation
June 6, 2024
The European Banking Authority has opened a consultation on a package of draft regulatory technical standards that aim to standardize the collection and recording of operational risk losses, to clarify the exemptions from calculating the annual operational risk loss, and to clarify the adjustments to the loss data set that banks must make for merged or acquired entities or activities. The package consists of:
- Draft RTS establishing a risk taxonomy for operational risk, which provide a list of operational risk event types, categories and attributes that institutions must use when recording operational risk loss events, in line with the current framework and international standards.
- Draft RTS on the conditions under which it would be unduly burdensome for an institution to calculate the annual operational risk loss. In such cases, the draft RTS allow for a temporary waiver from the requirement to calculate the annual operational risk loss.
- Draft RTS on the adjustments to an institution's loss data set following the inclusion of losses from merged or acquired entities or activities, which provide indications on the currency and the risk taxonomy to be used when incorporating the loss data set of merged entities or activities.
The deadline for comments is September 6, 2024. The EBA intends to finalize the draft RTS by the end of 2024.
UK Prudential Regulation Authority Delays Publication of Second Resolvability Assessment Due to General Election
June 6, 2024
The Prudential Regulation Authority has published a modification by consent of Rule 4.1 of the Resolution Assessment Part of the PRA Rulebook. The PRA explains that, as with previous general elections, it will follow the Cabinet Office's election guidance, which includes limiting communications activities until after the election. In line with this approach, the Bank of England and PRA have chosen to delay publication of the second Resolvability Assessment Framework assessment of the major U.K. banks to early August. The BoE's assessment was due to be published by June 14, 2024, alongside firms' own public disclosures (as required by Rule 4.1 of the Resolution Assessment Part of the PRA Rulebook). The PRA is therefore offering a modification by consent to move the deadline for firms to publish their RAF disclosures from the second Friday in June to, at the latest, the second Friday in August. Each firm that wishes to take advantage of this modification should consider the terms of the direction.
International Organization of Securities Commissions Report on Trading Venues' Resilience
June 5, 2024
The International Organization of Securities Commissions has published its final report on market outages. The report examines key findings from recent market outages on listing trading venues in IOSCO jurisdictions and builds on past IOSCO work on operational resilience and business continuity planning to identify good practices for listing trading venues that may enhance market-wide resilience in the event of a market outage.
The good practices include: (a) establishing and publishing an outage plan; (b) implementing a communication plan that provides, through an appropriate channel, initial notice of the outage to market participants and the general public as soon as practicable and, thereafter, regular updates to all market participants on the status of the outage and the recovery pathway; (c) communicating information relevant to the reopening of trading in a timely and simultaneous manner to all market participants, providing clarity on the status of orders and ensuring an adequate period of notice before trading resumes; (d) ensuring that the processes and procedures the trading venue will follow to operate a closing auction and/or to establish alternative closing prices are published in the outage plan and communicated to all market participants during an outage; and (e) conducting a lessons-learned exercise on the market outage, sharing it with the relevant regulators, and adopting a post-outage plan with clearly defined timelines and allocation of responsibilities for remediation, designed to reduce the likelihood of future incidents and to improve the trading venue's ability to respond effectively to outages.
European Central Bank Consults on Draft Guide on Outsourcing Cloud Services
June 3, 2024
The European Central Bank has opened a consultation on a draft guide on outsourcing cloud services to cloud service providers. The guide aims to clarify both the ECB's understanding of the relevant legal requirements, including those under the EU's Digital Operational Resilience Act and the Capital Requirements Directive, and its expectations of the banks it supervises. The guide sets out detailed supervisory expectations, drawing on risks and good practices observed in ongoing supervision and dedicated on-site inspections. It covers: (i) the governance of cloud services; (ii) the availability and resilience of cloud services; (iii) ICT security, data confidentiality and integrity; (iv) exit strategy and termination rights; and (v) oversight, monitoring and internal audit. The deadline for comments is July 15, 2024.
Delegated Regulations under the EU Digital Operational Resilience Act Published
May 30, 2024
The following Delegated Regulations supplementing the Digital Operational Resilience Act have been published in the Official Journal of the European Union:
- Delegated Regulation (EU) 2024/1502 on the criteria for the designation of ICT third-party service providers as critical for financial entities.
- Delegated Regulation (EU) 2024/1505 determining the amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid.
Both Delegated Regulations will enter into force on June 19, 2024, except for the systemic assessment sub-criterion on the ICT third-party service provider's dependency on subcontractors, which will apply from January 16, 2025.
Topic: Operational Resilience
UK Financial Conduct Authority Shares Insights on Firms’ Preparations for Operational Resilience
May 28, 2024
The Financial Conduct Authority has set out its observations and insights on the preparations firms have made towards complying with its operational resilience rules ahead of March 31, 2025. The FCA expects firms to use these observations to review their approach and assess their readiness in the following key areas of the policy:
- important business services;
- impact tolerance;
- mapping and third parties;
- scenario testing;
- vulnerabilities and remediation;
- response and recovery plans; and
- governance and self-assessment.
Topic: Operational Resilience
European Systemic Risk Board Publishes Recommendation on Pan-European Systemic Cyber Incident Coordination Framework
January 27, 2022
The European Systemic Risk Board has published a Recommendation on a pan-European systemic cyber incident coordination framework for EU national regulators. The ESRB observes that major cyber incidents may pose a systemic risk to the financial system, as they are capable of disrupting critical financial services and operations. This could in turn lead to contagion or an erosion of confidence in the financial system. The COVID-19 pandemic has also brought the threat of cyber incidents to the fore: the number of cyber incidents reported to the ECB increased by 54% between 2019 and 2020. The Recommendation aims to build on the proposed roles of the European Supervisory Authorities under the EU's proposed Regulation on digital operational resilience for the financial sector (DORA). DORA is intended to strengthen digital operational resilience in light of the risks arising from the increasing digitalization of the financial sector.
European Supervisory Authorities Publish Joint Response on Proposed EU Digital Operational Resilience Act
February 9, 2021
The European Supervisory Authorities (the European Securities and Markets Authority, the European Banking Authority and the European Insurance and Occupational Pensions Authority) have published a letter to the European Parliament, the Council of the European Union and the European Commission setting out their response to the proposed EU Digital Operational Resilience Act, a new piece of EU regulation on digital operational resilience for the financial sector. The European Commission first published the draft DORA in September 2020. It forms part of the Commission's digital finance strategy, which aims to embrace digital finance for the benefit of consumers and businesses while ensuring that digital transformation is soundly regulated. DORA is particularly focused on combatting risks arising from information and communication technologies in order to protect the operational resilience and performance of the financial system.
Topic: Operational Resilience
European Commission Proposals for Digital Operational Resilience Regulation and Amending Directive
September 24, 2020
The European Commission has published proposals for a new EU Regulation on digital operational resilience for the financial sector and a new EU Directive amending certain pieces of existing EU financial services legislation to strengthen digital operational resilience and provide legal certainty on crypto-assets. The new legislation has been proposed in response to the risks arising from the increasing digitalization of the financial sector. There are currently no detailed rules at EU level on digital operational resilience, hence the need for comprehensive and harmonized legislation in this area.
Basel Committee on Banking Supervision Proposes Principles for Operational Risk
August 6, 2020
The Basel Committee on Banking Supervision has opened a consultation on proposed principles for operational resilience and updated Principles for the Sound Management of Operational Risk (PSMOR). The consultation closes on November 6, 2020.
UK Conduct Regulator Update on COVID-19 Response and 2020 Expectations
June 4, 2020
The U.K. Financial Conduct Authority’s Executive Director of Supervision for Investment, Wholesale and Specialists, Megan Butler, has given a speech setting out the FCA’s current priorities, its expectations of firms during the COVID-19 pandemic and the outcomes it is focusing on for the wealth management sector, as well as the future priorities for financial regulation.
At the outset of the COVID-19 crisis the FCA prioritized immediate relief for firms and consumers, including on mortgages and unsecured lending products, but it is now considering how to respond to the challenges of COVID-19 over the longer term. This longer-term approach includes ensuring a good level of operational resilience (in line with the FCA's ongoing consultation on that topic), that markets can continue to function well, that customers are treated fairly and protected from scams, and that the FCA understands firms' financial resilience so that firms which fail can do so in an orderly manner.
UK Regulators Launch Consultation on Operational Resilience in Financial Services
December 5, 2019
The Bank of England, U.K. Prudential Regulation Authority and U.K. Financial Conduct Authority have published a shared policy summary and consultation papers on strengthening operational resilience in the financial services sector. The consultation applies to banks, building societies, PRA-designated investment firms, firms subject to the Solvency II Directive, recognized investment exchanges, CCPs, central securities depositories, payment system operators, FCA enhanced scope SM&CR firms and entities authorized and registered under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. Responses to the consultation should be submitted by April 3, 2020.
UK Parliamentary Committee Launches Inquiry Into Operational Resilience in the Financial Services Sector
November 23, 2018
The U.K. Treasury Committee has announced the launch of a new Inquiry into IT failures in the financial services sector. The Inquiry has been launched in response to recent IT failures at a number of financial institutions that have led to consumers being unable to access their bank accounts or becoming subject to fraud.
The Committee will assess the causes and consequences of these recent IT failures. Among other things, the Committee will consider the extent to which such incidents are becoming more frequent, sources of concentration risk in the financial sector, the impact of legacy IT systems, the effect of outsourcing on operational resilience, best practices in responding to operational incidents and whether the U.K. regulators are able to regulate firms' capabilities for responding to such incidents.
Written submissions can be made to the Committee by January 18, 2019. The Committee will also appoint a special advisor to provide policy advice to the Committee on the issues. Individuals interested in the role should respond to the call for Expressions of Interest.
UK Regulators Seek Views on Improving Operational Resilience of Firms and Financial Market Infrastructures
July 5, 2018
The Bank of England, the U.K. Prudential Regulation Authority and the U.K. Financial Conduct Authority have published a joint discussion paper entitled "Building the UK financial sector's operational resilience." The discussion paper is aimed at opening a dialogue with the financial services industry on achieving what the authorities view as a "step change" in the operational resilience of firms and financial market infrastructures (FMIs), and at generating debate about the expectations that regulators and the wider public might have of the operational resilience of financial services institutions.
While the existing regulatory framework already supports operational resilience, the BoE, PRA and FCA are together considering the extent to which they might supplement existing policies, to improve the resilience of the financial system as a whole and increase the focus on operational resilience within firms and FMIs.