Policy Pulse offers concise, expert analysis on regulatory trends impacting financial institutions. Stay ahead of the curve with our insights on global policy shifts and their implications.
The global regulatory landscape for financial services and critical infrastructure is undergoing significant transformation. Wayne Scott, Regulatory Compliance Solutions Lead at Escode, provides a comprehensive overview of current trends and initiatives across key regions, including the United States, United Kingdom, Europe, and Australia.
Taking learnings from The Center for Financial Professionals (CeFPro), Wayne explores the regional disparities in the regulatory approach to financial operational resilience.
Reflections from CeFPro: Key takeaways and insights
CeFPro helps professionals broaden their knowledge on how to manage, mitigate, and navigate risks down their supply chain. During its recent annual Vendor & Third-Party Risk Europe event in London, risk management was on everyone’s mind.
Financial contagion and supply chain risks
The global landscape is constantly shifting, and the challenges posed by supplier instability call for robust operational resilience. It’s clear that without a proper strategy in place, supplier failure, service deterioration and concentration risk will deeply affect operations for businesses and organisations worldwide.
Given the highly interconnected nature of financial institutions, a failure or disruption in one part of the network can have a domino effect, potentially compromising the entire supply chain and leading to financial contagion. These are risks that cannot be mitigated by cybersecurity measures alone. They need strategic management at the highest organisational levels.
If a weakness can be exploited to cause business disruption within financial services, it is likely that the same weakness exists within their supply chain. This interconnectedness means that a risk originating from one entity can swiftly escalate, impacting multiple stakeholders and amplifying the overall impact.
The widespread nature of similar threats and the urgent need for comprehensive security measures across all service providers call for a serious look at the risk management systems and policies in place.
Diverging paths: comparing global regulatory approaches
Regulations differ across the globe. Different territories hold different approaches towards risk management within their financial systems, leading to a disconnect internationally.
We’re not all on the same page when it comes to managing risk, and discussions at CeFPro focussed on the landscapes across Europe, the UK, US, and Australia.
Europe - there’s still some way to go
Europe has made considerable progress in enhancing operational resilience and security through the implementation of the Digital Operational Resilience Act (DORA).
It fills an important gap in EU financial regulation: financial institutions must now also follow rules covering their protection, detection, containment, recovery and repair capabilities against information and communication technology (ICT) related incidents.
Despite these strides, there is a clear understanding among European regulators and financial institutions that significant work remains.
One of the key strengths of the European approach has been the high level of cooperation between regulators, financial institutions, and other stakeholders. This collaborative effort is essential in addressing the complex and interconnected risks that the financial sector faces today.
Stepping across the Atlantic
It’s clear the US has notes to take. Europe has focussed on regulating critical third parties after recognising the importance they play in maintaining the operational resilience of financial institutions. The US is a few steps behind.
However, there are improvements being made. US regulators are increasingly focused on operational resilience within the financial sector. Although they do not have a direct equivalent to DORA, efforts are underway to enhance their current regulatory framework.
This includes initiatives to bolster the resilience of financial institutions against third-party operational disruptions, helping them withstand and recover from significant incidents and mirroring the objectives of DORA in Europe.
Managing risk down under
The Australian Prudential Regulation Authority (APRA) recently released the finalised version of its Prudential Practice Guide CPG 230 on Operational Risk Management. It provides critical insights and guidance for Australian financial services in managing operational risks effectively. However, the guide omits the explicit mention of supplier failure as a risk.
Supplier failure is a significant factor that needs more awareness in Australia. Financial institutions are heavily reliant on third-party suppliers for various services, and any disruption in these supply chains can have severe operational consequences.
Globally, regulatory frameworks increasingly recognise the importance of managing supplier risks. Its omission in Australian regulation emphasises the need for the country to raise its awareness of the impact supplier failure can have.
It’s highly likely that the more diligent risk teams will identify “supplier failure” as a risk through their updated processes, directly naming supplier failure as a must-test scenario. Keeping up with practices in other countries will be vital in steering the Australian financial services industry in a more resilient direction.