About a-team Marketing Services
The knowledge platform for the financial technology industry
The knowledge platform for the financial technology industry

A-Team Insight Blogs

UK and European Regulators Seek to Strengthen Cloud Rule Framework

Subscribe to our newsletter

As trading firms seek to leverage the operational benefits presented by cloud hosting and delivery, UK and European regulators are launching initiatives to improve risk management and ensure resilience of financial markets participants’ cloud-based activities.

For many trading firms, cloud offers a compelling solution to a growing number of use cases. The Association for Financial Markets in Europe (AFME) published a paper in November 2019 outlining 14 recommendations to help realise the full potential of public cloud computing across the capital markets industry.

But regulators are concerned about the cloud because of the high volume of cyber-attacks on financial markets technology. According to a report from the European Parliament, finance is estimated to be at three times more at risk of cyber-attacks than any other sector. Cloud providers, with high concentrations of financial services clients, could make tempting targets. The Financial Stability Board (FSB) weighed in with a paper on the risks of the cloud in December 2019.

Harmonization in the EU

The EU’s effort, ‘Digital Operational Resilience Framework for financial services: Making the EU financial sector more secure’, is seeking to create a more joined-up approach to cybersecurity across the region within the financial services industry. Impacting cloud outsourcing arrangements will be a new framework that will enhance rules around information and communications technology (ICT) and security risk management, work to harmonize and deepen incident reporting requirements across sectors, develop a digital operational resilience testing framework, demand better oversight of certain critical ICT third-party providers that “regulated financial institutions rely on”, and require more effective information sharing about security threats.

The 62-question survey that accompanies it asks firms about their cloud strategies, including the kind of Cloud approach the firm has, how Cloud usage fits within risk management, and ‘Did your Board and senior management establish a competence center for cloud in your organization.’

Pursuing resilience in the UK

UK regulators produced two papers in December that will impact cloud arrangements. The first is from the UK Financial Conduct Authority (FCA), Building operational resilience: impact tolerances for important business services and feedback to DP 18/04. The new paper follows on from a discussion paper published in July 2018. The paper specifically identifies the provision of cloud services to regulated firms as a form of outsourcing, and so firms will have to apply all of the operational resilience requirements for outsourcing relationships to these relationships. The paper, when implemented, would require firms to identify important business services, determine impact tolerances for potential disruption, undertake mapping and scenario testing, and provide a communications plan, a governance structure, and self-assessments.

The second is from the UK’s Prudential Regulation Authority (PRA) and was published in December. The consultation paper – Outsourcing and third-party risk management – identifies a wide range of requirements that will impact cloud outsourcing relationships. The paper also specifically calls out cloud arrangements – for example, “in the specific case of material cloud outsourcing arrangements, the PRA will expect firms to assess the resilience requirements of the outsourced service and data and determine which of the available cloud resiliency options is most appropriate. These may include multiple availability zones, regions or services providers.”

More regulatory focus on the cloud is coming. The paper notes that the Financial Policy Committee has “agreed to commence close monitoring of risks from the provision of Cloud services to the financial sector as part of its annual Risks Beyond Banking (RBB) review.” Too, the BofE says it will work with firms to “manage the risks associated with cloud outsourcing, including concentration risk and the lack of substitutability; and to understand any tipping points for systemic risks from wider adoption.” The BofE says it will also work with the Basel Committee on Banking Supervision to develop and adopt international standards on the Cloud.

Industry experts are saying that trading firms seeking to make more use of the cloud should make sure they are having the right conversations with the technology, risk management, and compliance teams around these potential new requirements. These requirements are part of a developing global trend in the way financial services regulators are approaching the cloud, and so it makes sense to build these expectations into any new project from the start – rather than having to retro-fit them in down the road.

Subscribe to our newsletter

Related content

WEBINAR

Recorded Webinar: Unlock the Future of European Equities & Trading Technology: 2024 and Beyond!

In a world where the financial landscape is perpetually evolving, 2023 has brought widespread discussions around liquidity, regulatory shifts in the EU and UK, and advancements like the consolidated tape in Europe. For the year ahead in 2024, the European market is poised for transformative changes that will influence the future of trading technology and...

BLOG

Genesis Global Unveils AI-Driven Data Services for Enhanced Bond Market Analysis

Genesis Global, the low-code application development framework provider, has introduced new AI-driven data services for the bond market within its platform, aiming to streamline how asset managers locate and trade primary bond issues. “Firms often face complexities in tracking new issues due to the varied channels syndicating banks use for disseminating deal terms and information,”...

EVENT

Data Management Summit New York City

Now in its 14th year the Data Management Summit NYC brings together the North American data management community to explore how data strategy is evolving to drive business outcomes and speed to market in changing times.

GUIDE

Regulation and Risk as Data Management Drivers

A-Team Group recently held a webinar on the topic of Regulation and Risk as Data Management Drivers. Fill in the form to get immediate access to the accompanying Special Report. Alongside death and taxes, perhaps the only other certainty in life is that regulation of the financial markets will increase in future years. How do...