About a-team Marketing Services

A-Team Insight Blogs

UK and European Regulators Seek to Strengthen Cloud Rule Framework

Subscribe to our newsletter

As trading firms seek to leverage the operational benefits presented by cloud hosting and delivery, UK and European regulators are launching initiatives to improve risk management and ensure resilience of financial markets participants’ cloud-based activities.

For many trading firms, cloud offers a compelling solution to a growing number of use cases. The Association for Financial Markets in Europe (AFME) published a paper in November 2019 outlining 14 recommendations to help realise the full potential of public cloud computing across the capital markets industry.

But regulators are concerned about the cloud because of the high volume of cyber-attacks on financial markets technology. According to a report from the European Parliament, finance is estimated to be at three times more at risk of cyber-attacks than any other sector. Cloud providers, with high concentrations of financial services clients, could make tempting targets. The Financial Stability Board (FSB) weighed in with a paper on the risks of the cloud in December 2019.

Harmonization in the EU

The EU’s effort, ‘Digital Operational Resilience Framework for financial services: Making the EU financial sector more secure’, is seeking to create a more joined-up approach to cybersecurity across the region within the financial services industry. Impacting cloud outsourcing arrangements will be a new framework that will enhance rules around information and communications technology (ICT) and security risk management, work to harmonize and deepen incident reporting requirements across sectors, develop a digital operational resilience testing framework, demand better oversight of certain critical ICT third-party providers that “regulated financial institutions rely on”, and require more effective information sharing about security threats.

The 62-question survey that accompanies it asks firms about their cloud strategies, including the kind of Cloud approach the firm has, how Cloud usage fits within risk management, and ‘Did your Board and senior management establish a competence center for cloud in your organization.’

Pursuing resilience in the UK

UK regulators produced two papers in December that will impact cloud arrangements. The first is from the UK Financial Conduct Authority (FCA), Building operational resilience: impact tolerances for important business services and feedback to DP 18/04. The new paper follows on from a discussion paper published in July 2018. The paper specifically identifies the provision of cloud services to regulated firms as a form of outsourcing, and so firms will have to apply all of the operational resilience requirements for outsourcing relationships to these relationships. The paper, when implemented, would require firms to identify important business services, determine impact tolerances for potential disruption, undertake mapping and scenario testing, and provide a communications plan, a governance structure, and self-assessments.

The second is from the UK’s Prudential Regulation Authority (PRA) and was published in December. The consultation paper – Outsourcing and third-party risk management – identifies a wide range of requirements that will impact cloud outsourcing relationships. The paper also specifically calls out cloud arrangements – for example, “in the specific case of material cloud outsourcing arrangements, the PRA will expect firms to assess the resilience requirements of the outsourced service and data and determine which of the available cloud resiliency options is most appropriate. These may include multiple availability zones, regions or services providers.”

More regulatory focus on the cloud is coming. The paper notes that the Financial Policy Committee has “agreed to commence close monitoring of risks from the provision of Cloud services to the financial sector as part of its annual Risks Beyond Banking (RBB) review.” Too, the BofE says it will work with firms to “manage the risks associated with cloud outsourcing, including concentration risk and the lack of substitutability; and to understand any tipping points for systemic risks from wider adoption.” The BofE says it will also work with the Basel Committee on Banking Supervision to develop and adopt international standards on the Cloud.

Industry experts are saying that trading firms seeking to make more use of the cloud should make sure they are having the right conversations with the technology, risk management, and compliance teams around these potential new requirements. These requirements are part of a developing global trend in the way financial services regulators are approaching the cloud, and so it makes sense to build these expectations into any new project from the start – rather than having to retro-fit them in down the road.

Subscribe to our newsletter

Related content

WEBINAR

Recorded Webinar: Modernising Data Infrastructures: Challenges and opportunities of managing complex financial data and analytics in hybrid and multi-cloud environments

As they forge ahead with their digital transformation programs, financial institutions are finding that the internal platforms they use to manage complex data sets for trading, investment, risk, and compliance are no longer fit for purpose. The ongoing shift toward cloud hosting is forcing practitioners to manage the transition from deeply entrenched legacy platforms to...

BLOG

Pico Acquires Redline to Boost Market Data, Connectivity Offerings

Trading technology, data and analytics provider Pico has agreed to acquire trading and market data software specialist Redline Trading Solutions, for an undisclosed sum. The deal will bring together Pico’s global ultra-low latency infrastructure and network, underpinned by Corvil Analytics, with Redline’s high-performance software solutions for market data, execution and order routing. The combined offering...

EVENT

TradingTech Summit London

Now in its 11th year the TradingTech Summit London brings together the European trading technology capital markets industry, to explore how trading firms are innovating in today’s cloud and digital based environment to create flexible, scalable trading platforms to support speed to market and business agility.

GUIDE

Applications of Reference Data to the Middle Office

Increasing volumes and the complexity of reference data in the post-crisis environment have left the middle office struggling to meet the requirements of the current market order. Middle office functions must therefore be robust enough to be able to deal with the spectre of globalisation, an increase in the use of esoteric security types and...