Direct financial regulatory control over platform technology providers: does it have a future?

Out-Law News | 03 Apr 2014 | 7:53 am | 3 min. read

John Salmon’s Financial Services blog

Financial services sector head John Salmon and the Pinsent Masons financial services sector team bring you insight and analysis on what really matters in the world of financial services.     

It has been suggested recently that platform technology providers could come under direct regulatory scrutiny.

As the UK platforms market depends only on a small group of technology providers, it is argued, circumstances exist which present a significant systemic risk to UK investments. One way of addressing this risk would be to have platform technology providers subject to prudential requirements similar to those imposed on authorised firms.

The idea highlights two important issues. First, to what extent are outsourced technology arrangements that underpin the provision of financial services already subject to regulatory control? And second, is there justification for imposing a more direct line of control?

Under the current financial regulatory framework, much of which is derived from the Markets in Financial Instruments Directive (MiFID) rules imposed at EU level, the financial regulators generally expect to be kept informed about all significant outsourcing arrangements that take place across the financial services sector.

In most cases, the regulators expect to be notified whenever a firm enters into or significantly changes a significant outsourcing arrangement and whenever something happens during the lifecycle of that arrangement of which they would 'reasonably expect' to be informed. The purpose behind the notification requirements is not to require authorisation of outsourcing activities, but "...to ensure that the competent authority has the opportunity to intervene in appropriate cases".  

While the notification requirements apply to some organisations as binding rules but others only as non-binding guidance, the expectations they create apply across the board – to banks, investment firms, insurers and others. No specific type of finance institution is singled out for special treatment.

Is it therefore reasonable to suggest that platform technology providers alone should come under direct regulatory scrutiny? In my view, it is not.

The number of total assets administered by platforms is ever increasing, but the systemic risk which platform technology providers present to the financial system remains relatively low when compared with similar risks other outsourcing arrangements create. To require platform technology providers to abide by prudential and behavioural rules would be disproportionate if similar obligations were not also imposed on technology providers that supply other finance institutions, for example, retail banks.

It is by no means extraordinary however, for a regulator to contemplate imposing direct controls on organisations acting in a service provider capacity. Law makers in other areas are already encouraging regulators to take this approach.

One example is the approach taken by the European Commission and now Parliament in respect of data protection law reform. The Data Protection Regulation proposed by the European Commission in 2012 and passed by the European Parliament in March (although still to be debated further and agreed to by the Council of Ministers), imposes greater accountability requirements on technology providers that process personal data.

The Regulation requires both 'controllers' of personal data, which is in may cases the outsourcer, and 'processors' of personal data, which is in many cases the outsourcing provider, to be subject to direct regulatory control and sanctions. This is a significant shift from the current position, under which only 'controllers' are accountable to regulators.

The difference though is that the data protection proposals only go so far as sanctioning behaviour. They do not attempt to introduce prudential controls on providers of technology solutions.

Another example is a similar approach taken by the European Commission in relation to protecting 'critical infrastructure' against cyber risk. In its initial draft Network and Information Security Directive, the Commission proposed that some technology providers, such as 'e-commerce platforms' and 'cloud computing service providers', should bear direct responsibility for cyber security incident management failures.

The European Parliament has not accepted the Commission's initial approach, indicating that member state laws dealing with 'hardware and software product liability' are a more appropriate means of regulating loss or damage caused by the failures of technology providers. Again though, we see that neither the Commission nor the Parliament is willing to go so far as to impose prudential requirements.  

Both platform technology providers and platform operators should be concerned about the impact direct regulatory control of technology providers could have on their businesses. While stricter control may support the regulators' overarching objectives, it could also impact on the viability of current platform services and future innovation. A pre-emptive discussion with the regulator on the subject may help avoid unnecessary complications down the line.