In case you haven't been reading the recent notes from the Bank of England's Financial Policy Committee, a very important nugget is included in their October papers... very important for technology providers to financial institutions, that is.
The Committee notes that critical suppliers such as cloud service providers can bring benefits but can also bring concentration risk, and that these firms are outside the direct regulatory grip of the PRA and FCA. It looks like that grip is going to extend to include resilience standards and testing. There will be consultation first in 2022, but the direction of travel looks clear: providers of critical infrastructure to regulated firms are going to come more directly under the jurisdiction of the financial regulators.
The increasing reliance by the financial system on critical third parties (CTPs), including cloud service providers, can bring benefits to the financial sector, including improved operational resilience. However, the increasing criticality of the services that CTPs provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight.
Regulated firms will continue to have primary responsibility for managing risks stemming from their outsourcing and third-party dependencies. However, additional policy measures, some requiring legislative change, are likely to be needed to mitigate the financial stability risks stemming from concentration in the provision of some third-party services. These policy measures should include: an appropriate framework to designate certain third-party service providers as critical; resilience standards; and resilience testing.