Bank of England ramps up focus on operational resilience

Out-Law News | 27 Apr 2022 | 2:31 pm | 2 min. read

Proposed new rules drafted by the Bank of England reemphasise the recent shift in expectations over operational resilience in financial services and regulators’ desire for continuity of important business services across the sector – regardless of the way they are delivered, experts have said.

Yvonne Dunn and Luke Scanlon of Pinsent Masons were commenting after the Bank of England published plans to bolster rules around outsourcing and third-party risk management in financial markets infrastructure (FMI). Three consultation papers contain separate proposed new rules for central counterparties (CCPs), central securities depositaries (CSDs), and recognised payment system operators (RPSOs) and specified service providers (SSPs).

Scanlon said: “The proposals build on the policy statements on operational resilience for different types of FMI that it published last year, at a time when the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) also set different rules on operational resilience to reflect their different regulatory remits. The operational resilience regimes fully come into force in 2025, although there are also milestone deadlines along the way. This latest suite of proposals explores some of the same concepts from those papers in the specific context of outsourcing arrangements and FMIs’ engagement of other third parties.”

“A recurring theme is regulators’ focus on the resilience and continuity of ‘important business services’ – whether that is online banking services for banks, trading platforms for asset managers, or, as an example in the context of FMI, the operation of whole payment systems. It is clear that the Bank of England, like the PRA and FCA for the entities under their regulation, expects FMIs to identify their important business services, the risks posed to those services, the level of disruption they can withstand and plan for how they will mitigate problems under various tested scenarios – regardless of whether they deliver those services in-house or rely on the technology or services of others,” he said.

One of the specific areas of focus of the Bank of England’s new consultation papers is concentration risk – that is, dependence by financial firms on just one or a few third parties for the smooth and continuous delivery of the core services they offer.

In its new papers, the Bank of England has specifically referred to concentration risk that could arise from FMIs being ‘locked in’ to contracts with vendors or where firms that use their infrastructure rely on the same third parties when outsourcing their FMI connectivity to the cloud.

Scanlon said: “The Bank of England’s focus on cloud concentration risk may be new for FMIs, but its messaging broadly mirrors what the PRA already articulated to the firms under its regulatory jurisdiction in its supervisory statement on operational resilience last year.”

Dunn said: “We are seeing continued growth in the adoption of cloud-based technology by financial services institutions. This makes sense, given that cloud solutions can deliver cost savings, flexibility and security, and can also support the pace of innovation that institutions need to set. Against this backdrop it is not surprising that the Bank of England is stepping up its scrutiny in this area. The cloud services market is focused on a relatively small number of key players, and while that continues concentration risk is going to be an important area of focus for financial institutions and their regulators.

The Bank of England’s proposals on outsourcing and third-party risk management for FMIs are open to consultation until 14 July 2022.

Rewiring financial services
Digital transformation is accelerating in the financial services sector, particularly in the wake of the global pandemic. We investigate the legal and regulatory landscape in financial services technology and highlight the opportunities for change.
Rewiring financial services