In recent years, operational resilience has come under the spotlight of financial regulators globally, leading to a proliferation of new regulation. The sheer number of publications on this topic can be confusing for businesses navigating the regulatory landscape.
This article is Part 2 of our series of articles on operational resilience. The series aims to summarise current international and national regulatory developments, and to highlight in particular the importance of operational resilience in outsourcing and the use of ICT.
This series is split in three parts:
At EU level, operational resilience requirements within the financial sector are currently embedded in a variety of legislation and guidelines, including the Capital Requirements Directive (CRD), the Markets in Financial Instruments Directive (MiFID II), Solvency II and the Payment Services Directive 2 (PSD2). In addition, there are guidelines on various aspects of operational resilience issued by supervisory authorities including the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).
The EU regulatory landscape is going to change significantly with the expected arrival of the Digital Operational Resilience Act (DORA), which will apply to virtually all financial services firms across the EU, from credit institutions to fund managers and, crucially, to major ICT service providers.
The existing regulatory framework on operational resilience has broadly been preserved in the UK as part of retained EU legislation in the form of statutory instruments under the European Union (Withdrawal) Act 2018. Future EU legislation will not apply in the UK; however, the UK financial market does not operate in a vacuum, and UK lawmakers and regulators will undoubtedly have to take into account the EU’s regulatory developments.
The UK-EU Trade and Cooperation Agreement provides little detail in relation to financial services regulation. The UK and EU have agreed in a Joint Declaration on Financial Services Regulatory Cooperation to enter a Memorandum of Understanding on equivalence determinations relating to financial services regulations by March 2021.
The following industry-specific instruments comprise the European operational resilience framework, along with general rules set out in CRD, MiFID II and Solvency II:
In February 2019, the EBA published its guidelines on outsourcing arrangements, which came into force on 30 September 2019.
These Guidelines introduce a regulatory framework in relation to outsourcing which applies to a wide range of EU financial institutions including banks, credit institutions and investment firms subject to CRD, payment institutions and e-money institutions. The guidelines include a comprehensive set of requirements on institutions’ outsourcing arrangements (in particular, in relation to "critical or important functions") such as:
In their December 2019 Consultation Papers, the UK's financial regulators made clear that they intend to align the UK regulatory approach with the EBA Outsourcing Guidelines in the future (see Part 1 of this series for more detail on these Consultation Papers).
In November 2019, the EBA published its guidelines on ICT and security risk management, which became applicable from 30 June 2020. These Guidelines apply to banks, payment services firms and investment firms and set out requirements for business continuity management in respect of ICT and security risks. Under the Guidelines, financial institutions are required to establish a sound business continuity management process, have effective response and recovery plans including testing, and ensure they have crisis communication measures in place.
While the PRA and FCA took the EBA ICT Guidelines into account when drafting their December 2019 Consultation Papers, both regulators stated that they will confirm their approach to the Guidelines and provide further clarification on the links between the PRA and FCA operational resilience policies and the EBA ICT Guidelines in their final report in 2021 (see Part 1 of this series for more detail on these Consultation Papers).
The EIOPA Cloud Guidelines were published by EIOPA in February 2020 and will apply from 1 January 2021. The Guidelines are addressed to insurance and reinsurance undertakings and apply to all outsourcing arrangements with cloud providers. Helpfully for financial institutions operating both banking and insurance businesses, the EIOPA Cloud Guidelines are closely aligned with the EBA Guidelines on Outsourcing Arrangements. This makes it easier for the relevant institutions to implement an outsourcing strategy that complies with both sets of guidelines.
The application of the EIOPA Cloud Guidelines to UK insurers is complex:
For insurers with operations in both the EU and the UK, an organisation-wide approach is likely to be preferred which will inevitably mean bringing practices and policies into compliance with the EIOPA Cloud Guidelines.
The ESMA Cloud Guidelines were published on 18 December 2020 and will apply from 31 July 2021. These Guidelines are relevant to a number of entities within ESMA’s purview including investment firms, UCITS, central counterparties, trade repositories, central securities depositories and administrators of benchmarks. The Guidelines are intended to be broadly consistent with the EBA Outsourcing Guidelines and EIOPA Cloud Guidelines as described above. In developing these guidelines, ESMA has also been mindful of the European Commission’s proposal for a regulation in relation to digital operational resilience (please see below), but as the regulation is still a proposal at this stage, ESMA notes that it will closely monitor the development of the proposal and provide revised or additional guidance if needed.
As with the EIOPA Cloud Guidelines, the ESMA Cloud Guidelines will not be directly applicable to firms within the UK as the Brexit transition period has now ended. However, we expect the FCA will take into consideration the ESMA Cloud Guidelines when reviewing and updating its own guidance in relation to operational resilience and outsourcing arrangements.
In the same vein as the UK regulators, the EU has a number of proposals on operational resilience in the pipeline. As financial services firms increasingly rely on technologies in every aspect of their business, the EU regulators and lawmakers are looking to further enhance the existing rules, in particular on information technology risks.
On 24 September 2020, the European Commission published a draft regulation referred to as the Digital Operational Resilience Act. DORA introduces a framework on digital operational resilience within the EU financial sector that is intended to apply to virtually all types of financial services firms.
DORA proposes a single set of overriding mandatory rules in order to set a high common standard across the EU financial system and includes a wide range of requirements in relation to:
Notably, the draft regulation brings major ICT service providers directly within the scope of supervision of the European supervisory authorities. Our full analysis of DORA can be found here.
While the UK will not be under an obligation to comply with the resulting legislation, we anticipate that the UK regulators will keep DORA under review. Many UK financial firms will need to operate both within the UK and the EU, and will therefore need to satisfy both regulatory regimes.
In July 2017, the EBA adopted the Guidelines on major incident reporting under PSD2 ("Guidelines on Incident Reporting"). These are addressed to payment service providers ("PSPs") and competent authorities under PSD2, and include requirements in relation to classification and reporting of major operational or security incidents.
In line with the PSD2’s requirement to review the Guidelines on Incident Reporting regularly, the EBA is now proposing to:
The Incident Reporting CP makes clear that reporting requirements will apply to major incidents affecting functions outsourced by payment service providers to third parties.
Notably, the EBA acknowledges that DORA contains a proposal for incident reporting based on the PSD2 which goes beyond payments-related incidents. The EBA expects the revised Guidelines on Incident Reporting to come into effect in Q4 of 2021, whereas it will likely be years before DORA comes into effect.
It is not yet obvious whether the FCA will adopt the same approach in relation to payment service providers in the UK. However, the FCA has already explained that UK financial institutions in scope are expected to comply with the current EBA Outsourcing Guidelines and has expressed its general intention to align with international regulation. It therefore appears likely that the FCA will look to harmonise its approach in this area.
The EU regulatory landscape is expected to change significantly in the coming years. When formally adopted, the Digital Operational Resilience Act (DORA) will harmonise and address gaps among the existing array of regulations on operational resilience and ICT risk management in the financial sector.
Authored by John Salmon, Louise Crawford, Victoria Truffaut and Christina Wu