The UK financial sector’s reliance on technology and big name firms is being addressed by the Bank of England, Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA).
They all proposed rules to regulate the heavy reliance of financial firms on external technology companies for their critical business operations.
The UK regulators said big name tech firms “supply an array of services to firms and FMIs (financial market infrastructure entities), providing benefits, including greater operational resilience and innovation. However, if they are disrupted or fail, there are potential risks to UK financial stability.”
Regulatory proposals
All three agencies say that managing these risks fully is beyond the ability of any individual firm or FMI, and requires an appropriate level of direct regulatory oversight.
These proposals are designed therefore to complement but not clash with the responsibilities of individual firms and FMIs relating to operational resilience and third-party risk management.
“Financial market infrastructure firms are becoming increasingly dependent on third-party technology providers for services that could impact UK financial stability if they were to fail or be disrupted,” said Sarah Breeden, Deputy Governor for Financial Stability.
“The proposals in this consultation paper (CP) build on last year’s discussion paper to enable the Bank of England, in co-ordination with the PRA and the FCA, to manage these systemic risks, while enabling UK FMIs also to benefit from using such providers,” said Breeden.
“Well managed outsourcing can bring efficiencies, accelerate innovation and boost operational resilience,” added Nikhil Rathi, chief executive of the FCA. “With a concentration of third parties serving multiple clients in financial services, there is, however, a risk of major impact if they are disrupted or fail.”
“We believe these proposals will improve the resilience of the critical third-party services that financial firms and their customers depend on, support market integrity and enhance UK competitiveness and growth,” said Rathi.
The minimum resilience standards require a third party tech firm to identify all services it provides to a financial firm, assess risks to its services and implement appropriate controls, undertake regular testing and have a mechanism for handling failures.
In addition, the proposals include:
- A set of fundamental rules that would apply to all the services CTPs (critical third parties) provide to UK firms and FMIs, and act as a general statement of their obligations under the proposed regime;
- A set of more granular operational risk and resilience requirements, to apply only to CTPs’ material services to firms and FMIs, such as requirements on technology and cyber resilience, as well as on supply chain risk, change and incident management;
- Requirements for CTPs to provide certain information and assurance to the regulators, including submitting an annual self-assessment, and conducting regular testing of their ability to provide material services in severe but plausible disruption (‘scenario testing’);
- Requirements for CTPs to notify the regulators, the firms and FMIs they provide services to, of specific disruptions which may adversely impact the services provided.
CTPs such as AWS, Microsoft, Google etc, will not be authorised or overseen by the regulators, but the third-party services they provide will be overseen against these proposals, once finalised.
Feedback on the proposals will be gathered until 15 March 2024, and the regulators will publish their final requirements and expectations in the second half of next year.
AI risk assessment
Meanwhile the Associated Press has reported that the Bank of England, in its half-yearly Financial Stability Review, said it will make an assessment next year about the risks posed by artificial intelligence and machine learning.
“We obviously have to go into AI with our eyes open,” bank Governor Andrew Bailey was quoted by AP as saying at a press briefing.
“It is something that I think we have to embrace, it is very important and has potentially profound implications for economic growth, productivity and how economies are shaped going forward.”
“The moral of the story is if you’re a firm using AI, you have to understand the tool you are using, that is the critical thing,” Bailey reportedly said.
Bailey also reportedly admitted he is “palpably not” an expert on AI, and said the new technologies have “tremendous potential” and are not simply “a bag of risks.”