The Bank of England's Prudential Regulation Authority (PRA) is looking into getting more access to data and systems used to assess financial services firms' operational flexibility in response to outages and possible cyber-attacks.
techUK will address these rules and their wider impact at a webinar with industry experts on 23 March. Find out more here.
New rules coming into force this year
This move from regulators follows the publication of new rules last year which were established to increase operational resilience and improve practice in outsourcing, which is important for consumers, firms and financial markets.
Operational disruptions and the unavailability of important business services can have a wide and critical impact on the economy, businesses and consumers alike. These disruptions can ultimately threaten the viability of firms or cause instability in the financial markets.
The PRA has issued outsourcing requirements which relate to operational resilience, cloud, data, data locations, data security, data classification and business continuity, together with a range of other matters relevant to technology providers.
Timeline and transition
To allow firms to adapt and adjust to the new rules, including testing, the PRA has set a transition period and decided on a phased approach:
- by 31 March 2022, firms need to have identified their important business services, set impact tolerances for the maximum tolerable disruption to these, and carried out mapping and testing to a level of sophistication necessary to identify important business services, set impact tolerances and identify any vulnerabilities in their operational resilience;
- by 31 March 2025, firms will need to have performed mapping and testing so that they are able to remain within impact tolerances for each important business service, and made the necessary investments to enable them to operate consistently within their impact tolerances.
Bank of England discusses new rules
A Bank of England Financial Policy Committee meeting last September discussed the "increasing reliance by the financial system on critical third parties, including cloud service providers.
"The increasing criticality of the services that critical third parties provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight," the minutes said.
Regulated firms will continue to have primary responsibility for managing risks stemming from their outsourcing and third-party dependencies. However, additional policy measures, some requiring legislative change, are likely to be needed to mitigate the financial stability risks stemming from concentration in the provision of some third-party services.
Join techUK on 23 March to hear from industry experts who will discuss how cloud providers can best navigate the new regimes and how financial institutions are implementing cloud computing programmes.