[author: Henry Umney]
As we approach year-end, many minds move towards what might happen next year, as the world (hopefully) finally begins to move out of the shadow of the challenges of the last two years.
The primary UK financial services regulators – the Prudential Regulatory Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England – have spent the recent weeks and months doing the same and have recently published their joint regulatory initiatives grid for 2022.
In the past, there has been criticism that each of the UK’s financial regulators has plowed its own furrow, announcing its plans and intentions with little reference to what the other regulators were planning. This pushed the onus of understanding and synthesizing the various announcements onto risk and compliance teams at financial institutions, who had the headache of working out all the priorities.
Feedback from institutions in recent years has encouraged the regulators to take a more coordinated approach to enhancing existing regulations and creating new ones. Given the near-constant stream of announcements in response to changes in the markets, the economy and technology, this coordinated approach continues to be a welcome development for regulators and regulated alike.
Major issues, initiatives and implications
There were a host of issues in the most recent announcement, covering a range of contemporary issues, including green investments, ESG initiatives, replacing LIBOR, and much else.
One issue that continues to gain momentum centers on Operational Resilience. This has been a common theme for the last three years, with the first compliance dates for those institutions directly impacted coming in March 2022. Operational Resilience falls into two parts: SS1/21, which focuses on an institution’s internal processes, and SS2/21, which focuses on third-party relationships and outsourcing. The UK’s lead on this important topic has been followed across the world, including, significantly, in the US.
Nonetheless, the regulators are not resting on their laurels. They are looking to build on the foundations of Operational Resilience laid over the last three years as they extend its principles, recognizing the changes that financial services have witnessed in the last ten years.
One initiative is the potential introduction of a dedicated portal, managed by the regulators, which captures the scale, scope, and detail of the third-party relationships that are core to the business processes of many institutions. The outcome of a consultation document, scheduled for H1 2022, will complement the information captured in a routine compliance review conducted by a regulator. This consultation document will elicit feedback about how this approach might work, but it is clear that regulators will want visibility of the supply chain of financial institutions.
Clearly, one implication of this development is that regulated institutions will need to have exceptionally good Third-Party Risk Management (TPRM) systems and processes in place to ensure they remain at least a step or two ahead of their regulator when supply chain issues emerge.
In the US, the specific guidance offered by the OCC – which will likely echo the guidance of the FDIC and Federal Reserve – will focus on ensuring that banks have proper oversight of their significant third-party relationships, including their partnerships. Banks will need to demonstrate which relationships are critical to their operations and identify where there are concentration risks that fall outside their risk tolerances.
Banks also need to assess the cyber risk profile of their third-party supply chain and ensure that their critical suppliers have measures in place that protect both the suppliers themselves and their customers, the banks.
How to mitigate the risks? With TPRM solutions
Another initiative highlighted in the 2022 grid is a consultation paper covering how best to manage a third-party incident register so that regulators can secure enhanced visibility of third-party issues and their impact on institutions and the sector.
While still at the consultative stage, this clearly highlights the desire of regulators to involve themselves in the detail of how institutions rely on third-party relationships, and the impact of issues when they occur. They also want an early warning system to understand whether one issue could impact others, creating a systemic risk. The issue of concentration risk likely lies behind this interest too.
There is also going to be a discussion paper, published jointly by all the UK regulators, to discuss how best to regulate Critical Third Parties (CTPs) who provide services to regulated firms. It will be interesting to see what areas it covers, but it is reasonable to assume that technology providers, data providers and potentially even application providers will be subject to the same level of scrutiny as the institutions themselves, at least in part.
This all serves to highlight the feedback we have been receiving from our conversations with our customers: TPRM is growing in importance in many areas, as companies continue to focus on their core activities and outsource much else. This development, together with hybrid working, increases operational flexibility, but also increases operational risk. We anticipate that the demand for robust solutions that help to identify and address these operational risks will continue to grow in 2022 and 2023.