Operational Resilience and Outsourcing: Are You Ready for the Trifecta of Regulations Coming Your Way?

Avatar for Emma Williams
By Emma Williams Solutions Consultant • Client Success
July 13th 2023 | 4 minute read

Are you operationally resilient? And can you demonstrate it?

Ensuring institutions have sufficient operational resilience to safeguard the stability of the financial system has become a key concern for regulators in Europe. Outsourcing and vendor management is a particular focus.

For the continent’s fund administrators and IT service providers, the increased regulatory scrutiny will have both compliance and commercial ramifications – offering a competitive edge to the strongest vendors.

Cross-Industry Guidance on Outsourcing

The Central Bank of Ireland published its final Cross-Industry Guidance on Outsourcing (following Consultation Paper 138 on the topic) on 17 December 2021. In it, the Bank set out its expectations for how regulated financial service providers (RFSPs) should manage outsourcing risk.

“The Central Bank is strongly focused on outsourcing due to its increasing prevalence across the financial services sector and its potential, if not effectively managed, to threaten the operational resilience of financial service providers regulated by the Central Bank (‘regulated firms’) and the Irish financial system,” the Guidance stated. “Robust and effective outsourcing risk management within regulated firms supports the financial and operational resilience of these firms and consequently facilitates financial stability aims.”

The Guidance requires that regulated firms have effective governance, risk management and business continuity processes in place around their outsourcing arrangements (which includes information and communications technology (ICT) providers) to “mitigate potential risks of financial instability and consumer detriment.”

Firms’ outsourcing strategies must be documented and aligned to their business strategy, business model, risk appetite and risk management framework. Boards and senior management are ultimately responsible and accountable for “effective oversight and management of outsourcing risk within their business.”

Operational Resilience Guidance

In the same month, the Irish Central Bank also released its Cross-Industry Guidance on Operational Resilience (its follow-up to CP140). The aim is to mitigate risks that could cause prudential or consumer harm, or impact overall financial stability, to ensure the financial system can “better withstand future shocks and crises and to limit the impact of such events.” Potential events can range from technology failures and cyberattacks to natural disasters and pandemics.

Flexibility is key. “Resilience is not about what happens to a firm, but rather, how a firm is able to withstand and respond to an incident when it does occur,” the Central Bank noted.

The Guidance focuses on how to prepare for, respond to, recover and learn from an operational disruption, with the Bank’s operational resilience expectations built around three pillars:

  1. Identify and Prepare – tasks include identifying critical/important business services; how the services are delivered and any third-party dependencies associated with them; developing impact tolerance metrics; and testing resilience strategies to ensure each firm can remain within those impact tolerances.
  2. Respond and Adapt – ensuring business continuity management, incident management and internal/external crisis communication plans are fully integrated into a firm’s overarching Operational Resilience Framework.
  3. Recover and Learn – firms should learn from past experiences and strive for continuous improvement by conducting a lessons-learned exercise after a disruption to improve their ability to adapt and respond to future events.

The Bank expects regulated firms to be actively addressing operational resilience vulnerabilities and be able to evidence their actions/plans within two years of the guidance being issued (i.e. by December 2023) at the latest.

Digital Operational Resilience Act (DORA)

Strict operational resilience stipulations are also being introduced at European Union level.

The cross-sector Digital Operational Resilience Act (DORA), which will come into effect on 17 January 2025, affects all regulated financial firms, including banks, traditional and alternative investment firms, insurers, crypto-asset service providers, cloud service providers and ICT third-party vendors. And because it’s a regulation, it is directly applicable in all EU member states.

DORA aims to combat technology and cyber risk by demanding all firms can withstand, respond to and recover from operational disruptions and threats caused by cyber security and ICT issues.

The requirements centre on five areas: ICT risk management to protect ICT assets and prevent incidents; reporting on ICT-related incidents; digital operational resilience testing (with the introduction of threat-led penetration testing for larger firms); oversight of Critical Third-Party Providers (CTPPs) and management of third-party risk when outsourcing; and information and intelligence sharing.

Since DORA applies to firms operating in the EU, entities in the UK and beyond that engage in activities within EU jurisdictions will find themselves in scope. A UK version of DORA – aimed at supporting resilient outsourcing to technology providers by the financial services sector – is also in the offing.

Partnering With Regulatory-Ready Providers

While the compliance responsibility for these rules ultimately falls on the regulated firms, outsourcing providers that can demonstrate they are ready to meet the regulators’ requirements – by being SOC 1 ready, for example – will be in a much stronger competitive position to win and retain that business. Demonstrable resilience, and a partnership approach to alleviate client concerns, will be fundamental selection criteria in this new world order.

ABOUT DEEP POOL
Deep Pool is the #1 investor servicing and compliance solutions supplier, providing cutting-edge software and consulting services to the world’s leading fund administrators and asset managers. Our flexible solution suite, developed by an experienced team of accountants, business analysts and software engineers, supports offshore and onshore hedge funds, partnerships, private equity vehicles, retail funds and regulated financial firms. Deep Pool is a global organisation with offices in Dublin, Ireland, the United States, the Cayman Islands and Slovakia. For more information, visit: www.deep-pool.com.

 

Emma Williams
Emma has twenty year’s experience in the financial services industry with a focus in the regulatory space. Prior to joining Deep Pool she worked as Head of Depositary for Mitsubishi Investor Services and Banking (Luxembourg) S.A., Dublin Branch for 6 years.
Blog
5 Key Tests for Picking the Right Fund Administration System
Technology has become central to fund administrators’ service propositions and a key source of competitive advantage. As investment managers hive off non-core functions in an effort to boost their own competitiveness, partnering with outsourcing providers that can deliver the requisite speed, quality and reliability of service only gets more important. Stringent due diligence examinations to […]
READ MORE
Blog
AI Takes Cyberattacks, and Security, to the Next Level
Artificial intelligence is the Janus of cybersecurity: a dual-faced bringer of war and peace, of beginnings and endings, the opening and shutting of doors, with the power to both help and harm. PwC’s latest CEO survey captured the dilemma. While it found chief executives are increasingly looking to the transformative benefits of generative AI, almost […]
READ MORE
Blog
Cybersecurity Perils of M&A
In this continuing series on cybersecurity with Arnaud Wiehe, author of The Book on Cybersecurity and Emerging Tech, Emerging Threats, we explore the underappreciated cybersecurity risks that can arise any time firms engage in M&A activities. It’s a familiar story for any homebuyer. After intense scouting you find your ideal house. It’s the right size. […]
READ MORE
Blog
Cybersecurity Best Practices: How to be More Proactive in the Fight Against Cyberattack
In cybersecurity, as with medicine, prevention is better than cure. The news headlines are filled with tales of email hacks, phishing scams and ransomware attacks that leave firms scrambling for patches or ways to contain the damage. The fast-moving threat landscape often leaves financial organizations playing catch-up, in a whack-a-mole contest with sophisticated and well-resourced […]
READ MORE
Blog
What Does the EU Artificial Intelligence (AI) Act Mean for Financial Services?
The European Parliament last week approved the world’s first binding law to regulate the use of artificial intelligence (AI), in a move with wide implications for the financial services industry. AI technologies are powering a fast-expanding range of financial market functions, spanning everything from anti-money laundering and cybersecurity activities to customer interactions, tailoring wealth and […]
READ MORE

SIMILAR RESOURCES

Blog
5 Key Tests for Picking the Right Fund Administration System
Technology has become central to fund administrators’ service propositions and a key source of competitive advantage. As investment managers hive off non-core functions in an effort to boost their own competitiveness, partnering with outsourcing providers that can deliver the requisite speed, quality and reliability of service only gets more important. Stringent due diligence examinations to […]
READ MORE
Blog
AI Takes Cyberattacks, and Security, to the Next Level
Artificial intelligence is the Janus of cybersecurity: a dual-faced bringer of war and peace, of beginnings and endings, the opening and shutting of doors, with the power to both help and harm. PwC’s latest CEO survey captured the dilemma. While it found chief executives are increasingly looking to the transformative benefits of generative AI, almost […]
READ MORE
Blog
Cybersecurity Perils of M&A
In this continuing series on cybersecurity with Arnaud Wiehe, author of The Book on Cybersecurity and Emerging Tech, Emerging Threats, we explore the underappreciated cybersecurity risks that can arise any time firms engage in M&A activities. It’s a familiar story for any homebuyer. After intense scouting you find your ideal house. It’s the right size. […]
READ MORE
Blog
Cybersecurity Best Practices: How to be More Proactive in the Fight Against Cyberattack
In cybersecurity, as with medicine, prevention is better than cure. The news headlines are filled with tales of email hacks, phishing scams and ransomware attacks that leave firms scrambling for patches or ways to contain the damage. The fast-moving threat landscape often leaves financial organizations playing catch-up, in a whack-a-mole contest with sophisticated and well-resourced […]
READ MORE
Blog
What Does the EU Artificial Intelligence (AI) Act Mean for Financial Services?
The European Parliament last week approved the world’s first binding law to regulate the use of artificial intelligence (AI), in a move with wide implications for the financial services industry. AI technologies are powering a fast-expanding range of financial market functions, spanning everything from anti-money laundering and cybersecurity activities to customer interactions, tailoring wealth and […]
READ MORE
Blog
Cybersecurity Best Practices from the Man Who Wrote the Book
If cybercriminals can hack the corporate email accounts of Microsoft’s senior leadership team, what could they do to your cybersecurity defences? Cybersecurity was once again the top concern for European banking Chief Risk Officers surveyed by EY and the Institute of International Finance, with 82% ranking cybersecurity risk as the biggest threat to their business […]
READ MORE
Blog
ESG: The Next Growth Area in Fund Administration
The US Securities and Exchange Commission’s decision to pare back its long-awaited climate-risk disclosure rules suggest the blowback against the environmental, social and governance (ESG) movement is gathering strength. The reality is ESG reporting demands are only growing. For many investment managers, the obvious answer is to turn to their fund administrator for help … […]
READ MORE
Blog
Do We Need AI, and Does AI Need Us?
In conversation with The Dark Money Files’ Graham Barrow Are we interceding with artificial intelligence too often and too quickly? asks The Dark Money Files director and anti-money laundering expert Graham Barrow. A week after chip giant Nvidia reported blowout earnings on frenzied customer AI hardware spending and forecast excellent conditions for continued growth, questions […]
READ MORE
Blog
AI in Investment Management: 3 Areas Ripe for Change
How much of a role will artificial intelligence realistically play in the investment management industry? As we discussed in a previous blog, implementing more traditional automation initiatives, to get the foundations right before adding AI complexity and data demands on top, should be firms’ initial priority. But then what? While the potential is seemingly limitless, […]
READ MORE
Blog
Forget AI, Prioritise The Low-Hanging Automation Fruit
If ever there was a case of shiny object syndrome today, then artificial intelligence is it. The release of ChatGPT in November 2022 and subsequent “AI boom” has sparked fevered speculation of where AI can be applied and what it could do for the financial services industry. The latest PwC CEO Survey captures the mood. […]
READ MORE
Blog
UK Banks Feel Pain of Iran Sanctions Evasion Lapses
The Financial Times headline is damaging enough by itself: “Iran used Lloyds and Santander accounts to evade sanctions”. This is exactly the sort of high-profile publicity nightmare financial institutions are desperate to avoid. The reputational risk from such revelations – especially when they’re disseminated by a globally-renowned publication like the Financial Times – can have […]
READ MORE
Blog
ESG at a Crossroads: What Next For 2024 and Beyond?
Environmental, social and governance (ESG) aligned funds were, until recently, a one-way bet for the investment industry. The future looks less assured. ESG has turned into a highly sensitised issue, LSEG Global Head of Research Robert Jenkins noted in a recent article. “The term ESG has become near toxic and arguably weaponized in the U.S.” […]
READ MORE
VIEW ALL RESOURCES
REQUEST A DEMO
© 2021 DEEP POOL Financial Solutions Limited | All Rights Reserved | Privacy Policy
RHD