In the midst of rapid digital transformation in the financial services industry, operational resilience is more critical than ever. The increased reliance on third parties and outsourced IT solutions, combined with the rising threat of cyber attacks and other sources of business interruption, has led to new approaches from regulatory bodies across the globe.
In Switzerland, the Swiss Financial Market Supervisory Authority (FINMA) has introduced two regulations specifically aimed at outsourcing and third-party risk management.
The Circular 2018/3 Outsourcing – Banks and Insurers highlights requirements around the selection, instruction, and monitoring of the service provider.
In December 2022, FINMA published Circular 2023/1 Operational Risks and Resilience – Banks. This circular will replace the Swiss Bankers Association’s Recommendations for Business Continuity Management (BCM), which are currently recognised as a minimum standard.
Circular 2023/1 sets out new expectations for how financial institutions manage third-party risk. The regulation will come into force on January 1, 2024, providing institutions with a two-year transition period (until the start of 2026) to demonstrate full compliance.
As January approaches, it is essential that organisations thoroughly review the guidelines and take actionable steps to ensure compliance.
The FINMA Circulars emphasise the importance of contingency planning, identifying and controlling risks associated with outsourcing activities, and the systematic monitoring of critical services. Financial institutions must implement robust internal processes for managing outsourced activities, including the approval process, escalation routes, and onboarding procedures for new outsourced activities.
The circulars also provide guidance on how banks can enhance their capacity to overcome severe, complex, systemic, or prolonged operational issues, with a particular emphasis on information and communication technology, handling critical data, and cybersecurity risk.
In order to minimise the impact of disruptions on the provision of critical functions, an institution will be expected to:
An operationally resilient institution will be deemed as one that has incorporated principles of ‘Resilience by Design’ to make it less exposed.
The guidance lists out many scenarios in which an organisation should be able to maintain critical functions, including:
Although financial institutions are provided with a transition period of up to two years under Circular 2023/1, it is recommended that they act quickly to guarantee appropriate compliance within the deadlines.
To meet these guidelines, financial institutions should review their current third-party software portfolio to assess potential risks associated with any extensive reliance on one service provider. They should categorise critical services and ensure that any applications deemed critical or important have an exit plan. This exit plan should include plans for data recovery in line with specific regional regulations to ensure that sensitive customer data is kept safe.
Financial institutions also need to revisit procurement procedures and develop an onboarding process for any new third-party software providers. This will ensure that any future applications added to their software estate have a demonstrably working stressed exit plan in place from the outset.
Assigning ownership of supplier failure, service deterioration, and concentration risk at the most senior level will help mitigate risks and ensure that policy and processes are amended in a timely manner.
Financial institutions need to be aware of the regulatory requirements outlined by FINMA and take proactive steps to manage third-party risk and maintain operational resilience. This will help ensure compliance with regulatory requirements and protect against supplier failure, service deterioration, and concentration risk.
Our Spotlight Guide provides everything you need to know to ensure compliance with FINMA Circular 2018/3 Outsourcing – Banks and Insurers and the upcoming Circular 2023/1 Operational Risks and Resilience – Banks.
Wayne Scott, our Regulatory Compliance Solutions lead, comments:
A key area of focus for institutions must be the development of business continuity and incident management plans that outline how they will respond to and recover from an event that disrupts the ongoing provision of critical functions and services.
When it comes to managing and limiting the potential impact of disruptive events, such as the loss of a key supplier or software failure, Escrow agreements are the only proportional, tried, and tested method on the market that can provide a level of assurance that critical functions will be maintained. When the source code behind critical applications and software is held in Escrow, there comes a peace of mind that no matter what disruption is happening in your supply chain, you will always have access to it.
Regulators globally, including the PRA in the UK, recommend software escrow as a key practical solution for mitigating such risk.