Vendors Feel Heat as Regulators Pile Pressure on Third-Party Resiliency

UK regulators have proposed new rules to clamp down on operational resilience and third-party risk, pushing fintechs to put some skin in the game.


Third-party providers could get a taste of what it’s like to be as heavily regulated as their clients, under newly proposed rules in the UK covering operational resilience and outsourcing that are intended to zero in on third- and fourth-party risk.

The proposed rules will require fintech firms to scrutinize their control frameworks for dealing with system failures, which includes mapping out systems, identifying important business services, and establishing impact tolerances for each of them.

Vendors will have to hand over detailed information about their operations to clients so that those clients can comply with the proposed rules. And some expect the major cloud providers (Amazon Web Services (AWS), Microsoft Azure, and Google Cloud) to push back on how much information they will disclose, given their market share and dominance in the industry.

“It’s going to be one of the big caveats. Who you’re dealing with is going to determine the amount of information you get and the service levels you agree, and the cloud providers generally run the extreme of giving the least,” says Douglas Wilbert, a managing director in the risk and compliance practice at Protiviti, a California-based consultancy firm.

Similarly, Jason Harrell, head of business and cybersecurity partnerships at the Depository Trust and Clearing Corp. (DTCC), says fintech companies will be reluctant to part with information that would give industry firms an intimate view of their operations.

“From a third-party perspective, that would require them to provide potentially sensitive information about their operations in order to demonstrate that they have the ability to recover quickly,” he adds.

On December 5, the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) jointly released a series of consultation papers aimed at strengthening the operational resilience of financial services firms and modernizing the regulatory framework on outsourcing and third-party risk management. The consultations follow the UK authorities’ discussion paper, Building the UK Financial Sector’s Operational Resilience, published in July 2018.

According to the papers, which complement each other, the proposed rules require institutions to determine which business services are critical to the market, to set the maximum tolerable disruption each of those services can withstand, and to demonstrate how they, or their critical third-party providers, can recover from a failure within that period to avoid "intolerable risk."

Institutions have been subject to operational scrutiny for years, so why the fuss now?

The difference in the latest proposed rules is the greater focus on third- and fourth-party risk, and on firms' ability to manage their growing networks of outsourced vendors.

Many institutions rely on one or two major service providers, like the big three cloud providers, to manage critical operations, such as clearing and settlement, asset servicing and data management.

“The challenge is that it is difficult for financial institutions to understand the resilience capabilities of third-party vendors to recover their services in a defined timeframe,” Harrell says. “It is therefore challenging to demonstrate that [the banks who require these third-party services] can recover their important business services in a specific timeframe.”

Changing Relationships

In some cases, the new pressure on outsourcing could make it more difficult to work with third parties in the future, says David Ostojitsch, director of technology and operations at the Association for Financial Markets in Europe (AFME). The level of information needed to understand vendor and sub-outsourcing behavior could prompt firms to manage certain operations in-house instead.

And the growth of outsourcing and interconnectedness has cybersecurity implications. “One thing about cybersecurity is the contagion risk—it is a big part, as financial services are only getting more and more connected,” Ostojitsch says.

Implementing the proposed rules won't be cheap. Wilbert says that for institutions to implement them effectively, they will have to build front-to-back mapping of important business services to get a holistic view of data flows, system resiliency and the web of interconnected risks. Additionally, institutions may have to consider whether to employ an independent auditor to validate their third parties' systems and ensure that they can recover in the appropriate timeframe.

“They’ll come in and validate that the firm can recover within the service level agreement (SLA) that was signed with a fintech. This is one of the things to note—the SLA is going to determine what the resiliency looks like and what the risk looks like, and if you’re going to want more than what’s in your SLA, you’re either going to have to pay for it or wait until your SLA is up and sign a new one,” Wilbert says.

Adding to the complexity is the management of fourth-party risk. Institutions must be aware of the criticality and tolerance not only of their own third-party suppliers, but also of those vendors' own third-party providers, a logistical nightmare when trying to keep track of the constant turnover of providers.

A third party is contractually responsible for its fourth-party vendors and must inform its clients when changes are made to its fourth-party network. The problem is that a fourth party is not contractually bound to provide information to its client's client (the institution, in this example), which makes it increasingly challenging to validate the resiliency of the fourth party. Another concern is that contractual clauses across multiple parties can become overly complicated, particularly when trying to trace the root cause of a failure or provide justification to a regulator.

“The management of fourth-party risk is largely through indirect contractual relationships through the third-party vendor where the third-party vendor is responsible for the fourth-party oversight,” Harrell says. “Financial institutions must place trust in their vendors to have sufficient oversight.”

The consultation for operational resilience and outsourcing requirements closes on April 3. The UK regulators are expected to publish the final version of the Operational Resilience draft in the second half of 2020 and the implementation date for the proposals is scheduled for the second half of 2021.

AWS, Microsoft and Google did not respond to requests for comment in time for publication.
