About a-team Marketing Services
The knowledge platform for the financial technology industry
The knowledge platform for the financial technology industry

A-Team Insight Blogs

UK and European Regulators Seek to Strengthen Cloud Rule Framework

Subscribe to our newsletter

As trading firms seek to leverage the operational benefits presented by cloud hosting and delivery, UK and European regulators are launching initiatives to improve risk management and ensure resilience of financial markets participants’ cloud-based activities.

For many trading firms, cloud offers a compelling solution to a growing number of use cases. The Association for Financial Markets in Europe (AFME) published a paper in November 2019 outlining 14 recommendations to help realise the full potential of public cloud computing across the capital markets industry.

But regulators are concerned about the cloud because of the high volume of cyber-attacks on financial markets technology. According to a report from the European Parliament, finance is estimated to be at three times more at risk of cyber-attacks than any other sector. Cloud providers, with high concentrations of financial services clients, could make tempting targets. The Financial Stability Board (FSB) weighed in with a paper on the risks of the cloud in December 2019.

Harmonization in the EU

The EU’s effort, ‘Digital Operational Resilience Framework for financial services: Making the EU financial sector more secure’, is seeking to create a more joined-up approach to cybersecurity across the region within the financial services industry. Impacting cloud outsourcing arrangements will be a new framework that will enhance rules around information and communications technology (ICT) and security risk management, work to harmonize and deepen incident reporting requirements across sectors, develop a digital operational resilience testing framework, demand better oversight of certain critical ICT third-party providers that “regulated financial institutions rely on”, and require more effective information sharing about security threats.

The 62-question survey that accompanies it asks firms about their cloud strategies, including the kind of Cloud approach the firm has, how Cloud usage fits within risk management, and ‘Did your Board and senior management establish a competence center for cloud in your organization.’

Pursuing resilience in the UK

UK regulators produced two papers in December that will impact cloud arrangements. The first is from the UK Financial Conduct Authority (FCA), Building operational resilience: impact tolerances for important business services and feedback to DP 18/04. The new paper follows on from a discussion paper published in July 2018. The paper specifically identifies the provision of cloud services to regulated firms as a form of outsourcing, and so firms will have to apply all of the operational resilience requirements for outsourcing relationships to these relationships. The paper, when implemented, would require firms to identify important business services, determine impact tolerances for potential disruption, undertake mapping and scenario testing, and provide a communications plan, a governance structure, and self-assessments.

The second is from the UK’s Prudential Regulation Authority (PRA) and was published in December. The consultation paper – Outsourcing and third-party risk management – identifies a wide range of requirements that will impact cloud outsourcing relationships. The paper also specifically calls out cloud arrangements – for example, “in the specific case of material cloud outsourcing arrangements, the PRA will expect firms to assess the resilience requirements of the outsourced service and data and determine which of the available cloud resiliency options is most appropriate. These may include multiple availability zones, regions or services providers.”

More regulatory focus on the cloud is coming. The paper notes that the Financial Policy Committee has “agreed to commence close monitoring of risks from the provision of Cloud services to the financial sector as part of its annual Risks Beyond Banking (RBB) review.” Too, the BofE says it will work with firms to “manage the risks associated with cloud outsourcing, including concentration risk and the lack of substitutability; and to understand any tipping points for systemic risks from wider adoption.” The BofE says it will also work with the Basel Committee on Banking Supervision to develop and adopt international standards on the Cloud.

Industry experts are saying that trading firms seeking to make more use of the cloud should make sure they are having the right conversations with the technology, risk management, and compliance teams around these potential new requirements. These requirements are part of a developing global trend in the way financial services regulators are approaching the cloud, and so it makes sense to build these expectations into any new project from the start – rather than having to retro-fit them in down the road.

Subscribe to our newsletter

Related content

WEBINAR

Recorded Webinar: Re-architecting the trading platform for interoperability, resilience and profitability

Trading platforms have come a long way since the days of exchanging paper certificates and shouting across trading floors, pits and desks in the early 2000s, but there is progress still to be made as firms strive to reduce risk, increase profitability, and make their mark in digital assets trading. This webinar will review the...

BLOG

SIX Adds Crypto Reference Rates and Real-Time Indices

SIX has released SIX Reference Rate Crypto and SIX Real-Time Crypto indices that will serve as benchmarks for AsiaNext’s crypto derivatives trading platform as well as for institutional investors globally. The indices cover major crypto assets Bitcoin (BTC) and Ethereum (ETH), giving a comprehensive snapshot of the market and its performance. AsiaNext, founded by SIX...

EVENT

TradingTech Briefing New York

Our TradingTech Briefing in New York is aimed at senior-level decision makers in trading technology, electronic execution, trading architecture and offers a day packed with insight from practitioners and from innovative suppliers happy to share their experiences in dealing with the enterprise challenges facing our marketplace.

GUIDE

Corporate Actions 2009 Edition

Rather than detracting attention away from corporate actions automation projects, the financial crisis appears to have accentuated the importance of the vital nature of this data. Financial institutions are more aware than ever before of the impact that inaccurate corporate actions data has on their bottom lines as a result of the increased focus on...