The UK Governments policy paper: Critical third parties to the finance sector: policy statement presents HM Treasury’s proposal for mitigating risks from Critical Third Parties (CTP) to the financial services sector. The Financial Policy Committee (FPC) advised that additional policy measures were required to ensure financial stability is maintained and the risks associated with partnering with Critical Third-Party suppliers is minimised. The Bank of England understands the need for this regulation and will identify those third parties that are critical to the stability of the financial sector.
Financial service and financial market infrastructure firms are increasingly relying on a limited number of third parties outside of the sector for business-critical key functions and services. As an example of this dependency, over 65% of UK firms use the same four cloud-based computing service providers! The new policy will apply to all third-party suppliers that are deemed critical and hold them directly accountable to the authorities, providing greater transparency and security to financial services firms and the wider industry.
Under the proposed regime, HM treasury, following consultation with the Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA), will be able to designate ‘critical’ status to third-party suppliers based on the data and information provided by financial service firms, which will give the regulators oversight of the services that critical third parties (CTP) provide the industry. The policy paper highlights the risks of outsourcing key functions and services to a single service provider, in particular where there is reliance on a sole vendor for critical business functions, which as a single point of failure, could have a potentially catastrophic systemic impact to the entire financial services eco-system.
The Operational Resilience framework is pertinent, and regulators believe that this needs to be further strengthened to address the risk associated with a firm’s dependence on a single third-party provider. The newly proposed legislation will fill the ‘gap’ in the framework ensuring resilience and transparency is maintained for critical third-party services, thus mitigating the risk of widespread systemic disruption to the financial service sector.
We think that the key considerations for firms can be broadly categorised as follows:
- Getting the best value: Recommendations from The Bank of England are, ‘Work out the numbers from your specific business’s perspective, then do the analysis with your own or independent financial experts’. TORI Global have experience in assessing and managing the true cost of investment of Cloud services
- Don’t rush into contracts & service lock-in: Prepare your technology strategy by assessing your current maturity in key areas: proceed with security, architecture, finance and operational assessments. Consider areas such as the categorisation and treatment of data, security and function of tools, capacity and capability of resources, processes, controls for vendors etc. whilst evaluating the true costs of contracts and services and in establishing internal and external costs
- Beware of cloud sprawl: Manage your Cloud service catalogue: understand your use of Cloud services and the types of activities, data and processing requirements and how they are being served; Development plans for legacy software refactoring, use of MaaS (Mainframe) SaaS (Software) PaaS (Paas) alternatives must be aligned to the business risks and risks related to reliance on Cloud Providers. ‘Many variants of how you can scale using [suppliers’] infrastructure and capabilities — no one size fits all,’ but allowing cloud usage to grow is key to reducing overall operational costs as cloud provides significant opportunities in improving digital transformation
- Know the rules: Address your Cloud Service challenges and risks: Define policy for application landing environments, initiate Target Operating Model programmes or outcome-based activities such as refreshing developer toolsets within the Continuous Integration & Continuous Development (CICD) framework and improve the related governance. e.g., “Do you know the location of the hardware your services will be running on and any legislation that covers that hardware? Where is the company that’ll be doing your processing based? If they are a North American company, for example, even if their data centre is in the UK or elsewhere in Europe, it’s likely your data and processing will be subject to the US Patriot Act.”
- Stay Safe: Understand what you are signing up for and that it’s what you intended to provide for your business “When you go to a third-party provider, you’re placing some of your information security profile in their hands. It might not matter so much if they’re, say, running your fleet of cars via a cloud service, but when you’re looking at moving core services you need to understand the security and compliance implications fully.”
How TORI Can Help
TORI has worked with The Bank of England on their Industry Operational & Cyber Resilience report and have experience of Operational Resilience, managing third-party risk and can assist you with policy guidance:
- We can help financial service firms to continue their preparations in anticipation of new policy and legislation within the use of Critical Third Parties (CTP) i.e., cloud service providers
- We have extensive experience helping firms to assess their Digital Maturity and use of Cloud Services; customer channels, developing approaches for user journeys, and making recommendations for development strategies, TOMs and frameworks to mitigate risk
- We have extensive experience of Cloud technology optimisation and transformation; focusing on the assurance of target environments for security and risk; business stability during increased periods of risk during the transformation journey and assured integrated continuous delivery
- We understand Cloud operating cost management and associated risks, and support our work through the use of tools and established frameworks; we have extensive knowledge in vendor and supplier integration within third-party cost management and the definition of target operating models to ensure financial prudence and stability