July has been a busy month for the UK and EU regulators, with the PRA publishing several consultation papers on Solvency II, the SMCR rules being finalised for insurers and all FCA-registered firms, and the EU’s fifth Anti-Money Laundering Directive entering into force on 9th July. We highlight here the regulatory news that is of most relevance to our network of RegTech professionals.
Reflecting the interconnectedness of the financial system, this jointly issued discussion paper by the PRA and FCA contains their latest thinking on operational resilience, described as the ‘ability of firms, financial market infrastructures (FMIs) and the sector as a whole to prevent, respond to, recover and learn from operational disruptions’. Whilst at first sight this paper looks as if it is primarily concerned with business continuity and disaster recovery arrangements, it actually heralds a new approach to operational resilience that is more aligned with outcomes-focused regulation. The outcome in this instance is to minimise disruption and to mitigate the risks that such disruption poses to regulatory objectives such as consumer protection, financial stability and the efficient functioning of markets.
Three key elements of the regulators’ thinking in this approach stand out. The first is that firms and FMIs could be expected to work on the assumption that operational disruptions will occur, and therefore to understand the impact of a range of disruption scenarios on their business services. The second is that decisions around operational resilience – contingency planning, business continuity and even technology investment decisions – should be based on prioritised business services rather than on business-critical systems and processes. Finally, the discussion paper suggests that firms develop a set of impact tolerances to inform risk appetite setting and to form the basis of operational stress-testing scenarios.
Whilst there are existing provisions under a range of different legislation and regulatory rules, this paper indicates that regulators in the UK are gearing up for a more comprehensive and prescriptive framework to protect not just the financial and economic resilience of the financial system but also its ability to continue to operate in the face of vulnerabilities such as cyber incidents, concentration risk and technological change.
Digital Regulatory Reporting
Building on the successful regulatory reporting TechSprint in November 2018, the FCA has published the terms of reference for the next stage: a six-month pilot project to build on the proof of concept developed during the TechSprint and to discover whether it might be scalable as a solution for machine-executable regulatory reporting. The aim is to build a prototype or minimum viable product across two use cases. Three separate workstreams will focus respectively on: data modelling and the removal of regulatory ambiguity; the delivery mechanism for codified regulations; and policy, legal and governance challenges.
The following organisations are participating in the pilot:
- Credit Suisse
- Lloyds Banking Group
- University College Cork
- University College London
The FCA will publish the findings of the pilot, and any technical output will be made available as open source code.
FCA Updates Cloud Guidance
For regulated firms considering RegTech solutions that are hosted in the cloud, the lack of clear regulatory guidance on using cloud technology has been a slight bone of contention. With the publication this month of the finalised guidance on this topic, the way ahead has become clearer, though firms that are dual-regulated by the FCA and the PRA should always ensure that both regulators are happy with the approach they adopt. According to the FCA, if a third party is delivering services on behalf of a regulated firm, this is considered outsourcing, and that includes cloud computing. Thus, rules about outsourcing, such as those in the Senior Management Arrangements, Systems and Controls sourcebook (SYSC), also apply to cloud-based solutions.
The guidance offers a long list of items to consider in relation to topics such as risk management, oversight of the service provider, GDPR, business continuity and the relationships between service providers. Hopefully, this additional level of clarity will reduce barriers to the adoption of cloud-based solutions, but that may come at the cost of even longer procurement lifecycles, as another layer of due diligence and information security assurance is added to the process.