The leading knowledge platform for the financial technology industry

A-Team Insight Blogs

UK and European Regulators Seek to Strengthen Cloud Rule Framework

As trading firms seek to leverage the operational benefits presented by cloud hosting and delivery, UK and European regulators are launching initiatives to improve risk management and ensure resilience of financial markets participants’ cloud-based activities.

For many trading firms, cloud offers a compelling solution to a growing number of use cases. The Association for Financial Markets in Europe (AFME) published a paper in November 2019 outlining 14 recommendations to help realise the full potential of public cloud computing across the capital markets industry.

But regulators are concerned about the cloud because of the high volume of cyber-attacks on financial markets technology. According to a report from the European Parliament, finance is estimated to be three times more at risk of cyber-attacks than any other sector. Cloud providers, with high concentrations of financial services clients, could make tempting targets. The Financial Stability Board (FSB) weighed in with a paper on the risks of the cloud in December 2019.

Harmonization in the EU

The EU’s effort, ‘Digital Operational Resilience Framework for financial services: Making the EU financial sector more secure’, seeks to create a more joined-up approach to cybersecurity across the region within the financial services industry. Cloud outsourcing arrangements will be affected by a new framework that will enhance rules around information and communications technology (ICT) and security risk management, work to harmonize and deepen incident reporting requirements across sectors, develop a digital operational resilience testing framework, demand better oversight of certain critical ICT third-party providers that “regulated financial institutions rely on”, and require more effective information sharing about security threats.

The 62-question survey that accompanies it asks firms about their cloud strategies, including the kind of Cloud approach the firm has, how Cloud usage fits within risk management, and ‘Did your Board and senior management establish a competence center for cloud in your organization.’

Pursuing resilience in the UK

UK regulators produced two papers in December that will impact cloud arrangements. The first is from the UK Financial Conduct Authority (FCA), ‘Building operational resilience: impact tolerances for important business services and feedback to DP 18/04’. The new paper follows on from a discussion paper published in July 2018. It specifically identifies the provision of cloud services to regulated firms as a form of outsourcing, so firms will have to apply all of the operational resilience requirements for outsourcing relationships to these arrangements. The paper, when implemented, would require firms to identify important business services, determine impact tolerances for potential disruption, undertake mapping and scenario testing, and provide a communications plan, a governance structure, and self-assessments.

The second is from the UK’s Prudential Regulation Authority (PRA) and was published in December. The consultation paper – Outsourcing and third-party risk management – identifies a wide range of requirements that will impact cloud outsourcing relationships. The paper also specifically calls out cloud arrangements – for example, “in the specific case of material cloud outsourcing arrangements, the PRA will expect firms to assess the resilience requirements of the outsourced service and data and determine which of the available cloud resiliency options is most appropriate. These may include multiple availability zones, regions or services providers.”

More regulatory focus on the cloud is coming. The paper notes that the Financial Policy Committee has “agreed to commence close monitoring of risks from the provision of Cloud services to the financial sector as part of its annual Risks Beyond Banking (RBB) review.” The BofE also says it will work with firms to “manage the risks associated with cloud outsourcing, including concentration risk and the lack of substitutability; and to understand any tipping points for systemic risks from wider adoption.” The BofE says it will also work with the Basel Committee on Banking Supervision to develop and adopt international standards on the Cloud.

Industry experts say that trading firms seeking to make more use of the cloud should make sure they are having the right conversations with their technology, risk management, and compliance teams about these potential new requirements. These requirements are part of a developing global trend in the way financial services regulators are approaching the cloud, so it makes sense to build these expectations into any new project from the start rather than having to retrofit them down the road.
