Since the 2008 financial crisis, the global financial services sector has been weathering a regulatory blizzard. Aimed primarily at improving the industry’s stability and security, the tortuous abbreviations in use are mind numbing: MiFID II, PRIIP KID, ICAAP, AIFMD, GDPR and UCITS among them.
We’re now over 10 years down the line and a McKinsey benchmarking survey (Bevan, Kaminski, Kristensen, Poppensieker and Pravdic, 2019) notes that financial institutions have heavily invested in compliance over the period, and that related costs have increased to unsustainable levels. It concludes, “As regulatory pressures intensify, competition increases, and costs are squeezed, banks need to make their compliance risk management more efficient and effective.”
The IT function will be able to make a considerable contribution to that aspiration, not only in helping adopt a “dynamic technology-enabled approach to risk management” (one of McKinsey’s five recommended actions) but also by putting its own house in order.
A Deloitte report (Financial Markets Regulatory Outlook, 2019) observes “… technology-related outages in financial services firms jumped by 138% in the last year alone.” Several of those were, of course, very public failures, which made front-page news. Later, the report adds that the clear direction of travel places pressure on financial sector firms to (among other things) improve their ability to recover from disruptions when they do occur.
The report also makes mention of the many financial services firms that outsource to cloud service providers. It says that early regulatory work will see financial services firms expected to take responsibility for the security of the data they put in the cloud – and any outsourced processes critical to the functioning of key services – even though the respective cloud service providers may claim their own security and resilience provisions.
Tellingly, a few paragraphs later, Deloitte believes, “While some international standards do exist, new rules addressing operational and cyber resilience will derive from a more bottom-up process.” No pressure there, then.
Enter the Bank of England
Track the topic back to last year and you arrive at a discussion paper (DP) titled “Building the UK financial sector’s operational resilience”. Jointly published in July 2018 by the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority, it concisely lays out the key issues.
Among the DP’s opening paragraphs comes, “The operational resilience of firms and FMIs [financial market infrastructures] is a priority for the supervisory authorities and is viewed as no less important than financial resilience.” However, there’s sensible prioritisation. The DP suggests boards should first focus on those business services that have “the potential to: threaten the firm’s or FMI’s ongoing viability; cause harm to consumers and market participants; or undermine financial stability.”
The DP makes an important distinction in stating it’s the business services themselves that must be resilient, rather than the individual systems and processes that make them up. It further stipulates that firms and FMIs should design and manage those business services on the assumption that disruptions will occur to their underlying systems and processes.
That doesn’t in any way imply firms or FMIs can afford to take unwarranted risks with the resilience of the underlying systems and processes they employ. Rather, it recognises business continuity must account for exogenous shocks like terrorism, extreme weather events, and co-ordinated, cross-border cyberattacks. As far as component systems are concerned, the message from the DP seems to be that break/fix mindsets will no longer be tolerated in UK financial services.
Concentration and sub-outsourcing risks
Returning to the crucial outsourcing topic, the DP expresses concern over the “concentration risks” of too many financial institutions choosing the same cloud service outsourcing provider with its pretty obvious too-many-eggs-in-the-same-basket implication. A parallel consultation paper issued by the European Banking Authority refers to the attendant risk presented when “… the service provider sub-outsources important functions to other service providers …” confounding institutions’ ability to oversee long and complex sub-outsourcing supply chains, often with international dependencies.
For both of the above exposures, strict risk-based analysis and due diligence procedures will likely be asked for. Not a moment too soon, by the sound of it.
Against that background, no matter how thoroughly thought through and well executed firms’ or FMIs’ business continuity provisions might be, remember that a 100 per cent redundant solution comes with a 100 per cent cost penalty. It looks inevitable that firms and FMIs will need to segregate system and process tiers according to their criticality to the business services they support. For the most critical, that could sound the death knell for indiscriminate outsourcing in the interests of marginal cost savings (if, indeed, that ever happens).
Talk it through with Telehouse
The upshot is that regulators, in the UK and elsewhere, will demand business services are designed with total resilience in mind; unbreakable business continuity will be a guiding principle. Fortunately, at Telehouse, we have a profound duty of care when it comes to business continuity. That’s why our systems are built around a separate regulatory compliance alphabet soup including ISO/IEC 27001, ISO 22301, ISO 50001, ISO 9001, ISO 14001 and BS OHSAS 18001 (as well as PCI-DSS and GDPR, of course).
The physical security surrounding our state-of-the-art data centres is equal to the best in the world and much, much better than most (prudence warns against giving precise details). That’s why prospective global customers spend days doing due diligence on our data centres, and invariably come away impressed and convinced. Although London may be the best known, Telehouse has worldwide facilities built to exactly the same exacting standards. And, please note, we don’t outsource customer-critical services to anyone.
As the implications of the UK and EU operational resilience papers work their way through the regulatory maze, co-location in an utterly resilient, securely connected partner facility may emerge as the best alternative to outsourcing for the most critical systems and processes. It is also certainly much surer, more cost effective and more sustainable than reconstructing the old-fashioned mega-data centres where those systems used to live.
We believe firms and FMIs that are or will be caught up in the oncoming financial services operational resilience discussions should talk to us sooner rather than later. Together, we believe we’ll be able to co-create innovative answers to the most searching infrastructure-related regulatory questions raised in the UK, the EU and, in fact, anywhere around the globe.
To talk to a Telehouse expert, call 0207 512 0550 or email [email protected]