
27 February 2023

Bank of England sets new digital resilience expectations for financial market infrastructure

Wayne Scott, Regulatory Compliance Solutions Lead at NCC Group Software Resilience

In recent years, there has been a global flurry of guidance introduced to shape how the financial services industry can protect against digital threats, much of it naming technology escrow as a proportional solution for consideration. One such example is the Bank of England’s (BoE) review of Financial Market Infrastructure (FMI) outsourcing and third-party risk management, first launched in 2019, affecting payment systems, central securities depositories, and central counterparties.

The BoE has now published new regulations that look to carry on the work started in SS2/21. They aim to mitigate the "non-cyber" risks associated with the use of technology: supplier failure, service deterioration and concentration risk. Essentially, the move is aimed at improving digital and operational resilience across the financial industry, and has introduced a series of measures that affected organisations will need to comply with, within a twelve-month deadline.


What does the new regulatory framework on FMI outsourcing and third-party risk management set out?

The framework sets out requirements for organisations to take measures to protect their processes and data. These are intended to facilitate greater resilience and adoption of the cloud and other new technologies. The decision complements its requirements in relation to third-party risk management in other parts of the financial services industry and marks a global trend towards the greater regulation of the sector’s outsourcing practices.

The supervisory statements seek to ensure that firms have robust risk management frameworks in place for managing their relationships with third-party providers. They will have a significant industry-wide impact as FMIs are encouraged to review their third-party software portfolio. Firms will need to identify business-critical services, and test software for potential risks using risk assessment tools or through an independent specialist.


Why are the new supervisory statements significant?

Critically, the new regulatory framework recognises the role third-party service providers play in the financial system by providing core services such as payment processing, clearing and settlement. Given the complexity of these services and the level of interconnectivity in the financial system, a failure in any single component would have significant impact throughout the entire ecosystem. For organisations in the financial sector, the BoE’s recommendations highlight the need to prioritise business resilience and ensure that organisations and service providers have plans in place for managing third-party relationships.

The supervisory statements stipulate that firms will need to maintain an up-to-date register of outsourcing relationships, distinguishing between those that are high risk and those that are not. Areas of the organisation that are business critical must be protected. NCC Group Software Resilience has engaged with the review throughout, supporting BoE to determine avenues of action businesses can take to protect themselves in the event of a disruption, by creating demonstrably successful stressed exit plans.

Why are escrow agreements key to resilience?

BoE identified escrow agreements for active consideration as part of an organisation’s stressed exit planning. This plan allows for the smooth transition to an alternative provider for the continuity of business services. Such agreements allow third parties to hold software code or data on behalf of the organisations involved, and these agreements have become increasingly important as businesses rely on software and technology in their operations.

Demonstrably successful stressed exit plans are required to ensure true business continuity. Without this, organisations will face regulatory repercussions. Software and technology escrow solutions offer legal and technical assurance to allow firms to adopt, innovate and manage third-party technologies with confidence. Naming escrow as a viable solution within regulations is a strong step forward in building industry-wide digital resilience – one which NCC Group Software Resilience has been championing for years.


What should organisations do now?

As encouraged by the guidance, FMIs must take an increasingly proactive and holistic approach to digital resilience. Organisations affected by the BoE’s regulations must also act quickly to meet the tight twelve-month deadline.

Formulating stressed exit plans will now be an essential step FMIs must take to adhere to the guidance. This will involve reviewing contracts with third-party providers, testing all software, and developing a digital strategy that includes a risk management framework for third-party relationships. As part of this, escrow agreements will become increasingly essential for organisations in the industry, ensuring they have access to critical software and data in the event of business disruption – which is often beyond control or prediction in our increasingly interconnected world.

Looking to learn more about the regulations affecting the UK's financial institutions?

Register for our webinar: PRA SS2/21: One Year On - Thursday 30 March 15:00 BST
