Digital finance: EU gets tough on operational resilience

Out-Law News | 28 Sep 2020 | 9:25 am | 3 min. read

Plans to harmonise the regulation of operational and third-party risk across European financial services, and to bring major technology providers formally within the scope of financial services regulation for the first time, have been set out by the European Commission.

The proposed new EU regulation on digital operational resilience for the financial sector was published alongside a draft directive which would amend existing legislation concerning operational risk and risk management requirements in EU financial services.

The two legislative proposals make up part of a broader digital finance package published by the Commission. The package includes legislative proposals concerning the regulation of cryptoassets and a related draft regulation aimed at supporting a pilot regime for market infrastructures based on distributed ledger technology – often referred to as blockchain. The package also includes an overarching digital finance strategy, which among other things trails Commission plans to "harmonise rules on customer onboarding" in digital financial services, as well as a new retail payments strategy that hints at potential future reform of the EU's second Payment Services Directive (PSD2).


Luke Scanlon

Head of Fintech Propositions

It is very promising to see an attempt to override the inconsistent, overlapping and confusing amount of different rules which apply to regulated entities in relation to operational resilience and outsourcing

Operational resilience requirements in EU financial services are currently spread across a variety of legislation and guidelines. These include separate guidelines issued by the three European supervisory authorities, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), which between them set out requirements on outsourcing, on the use of cloud providers specifically, and on ICT and security risk management.

The Commission's new proposals would apply a single set of overarching rules for financial entities on ICT risk management, covering business continuity and disaster recovery; the reporting of major ICT-related incidents; digital operational resilience testing, including stringent new obligations around penetration testing; and the management of third-party ICT risk.

In addition, requirements concerning the contractual arrangements concluded between ICT third-party service providers and financial entities would be harmonised, addressing issues such as audit rights, oversight of sub-outsourcing, data requirements, termination and exit strategies.

Financial services and technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law, said: "This is a major development which needs to be assessed very carefully as it will have a significant impact for the ways in which financial services are provided across the EU. At one level it is very promising to see an attempt to override the inconsistent, overlapping and confusing amount of different rules which apply to regulated entities in relation to operational resilience and outsourcing. Particularly for large financial groups, consistency across different sub-sectors – insurance, banking and securities markets – is to be welcomed."

Scanlon said the other significant aspect of the Commission's proposals on digital operational resilience concerns its plans to directly regulate major technology providers to financial entities for the first time.

Under the Commission's proposals, the EBA, EIOPA and ESMA would together be responsible for designating "the ICT third-party service providers that are critical for financial entities", with those providers designated falling subject to oversight and regulation by one of the three authorities.

The 'lead overseer' will be responsible for checking whether the designated providers have in place "comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which it may pose to financial entities", with a multitude of factors – from providers' physical security measures and governance arrangements, to their mechanisms for data portability and testing of ICT systems – relevant to that assessment.

The authorities would enjoy wide powers under their remit, including to compel information to be shared by providers, to conduct investigations including on-site inspections, and to make recommendations to providers on a broad range of issues – including potentially to call on providers to "refrain from entering into a further subcontracting arrangement" in certain circumstances.

The regulated providers would be under a legislative duty to "cooperate in good faith" with the lead overseer and to assist it in the fulfilment of its tasks.

Providers that fail to comply with the lead overseer could face fines totalling hundreds of millions of euros in some cases: the proposed regulation provides for daily penalty payments at the rate of "1% of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year", and those penalties could be levied for each day of non-compliance for a total period of up to six months.

Scanlon said: "The regulation of critical technology providers, including cloud providers, has been an ongoing discussion for a number of years now and something that many could see coming. While this is likely to create a significant regulatory burden for technology providers, it promises to establish more trust in the use of the solutions and services these providers offer. The hope is that this will help financial institutions accelerate their digital transformation programmes so that they can meet the growing needs of customers to live digitally.