Today, third parties provide more critical services to the financial services industry than ever before. At the same time, there is increased regulatory scrutiny to ensure that financial institutions are performing effective due diligence on the overall security and privacy risks of their third-party vendors.
As regulatory and business environments become more complex, perhaps it is time for a fresh look at how third-party risk is managed. Today's challenges provide a strong incentive for financial institutions to transform their approach to managing risk to make it more efficient and effective. Embracing current technologies, particularly the cloud, and coming together as an industry to adopt a standardised global assessment methodology can help financial institutions achieve this transformation.
Regulators Require Appropriate Risk Assessments and Due Diligence, But Favour Modernised Approaches at Scale
Regulators require financial institutions to conduct appropriate risk assessments and due diligence on, and to manage the risk of, third-party outsourcers, including cloud providers. The level of oversight and due diligence may vary depending upon the systemic importance of the institution, the particular use cases at issue, and whether the outsourced service is critical to the institution's operations. Furthermore, regulators do not mandate any one way to conduct such due diligence; with the advent of cloud computing, they have adapted and modernised their approaches to allow for scalable ways of conducting it.
Two examples of regulators recognising standardised and scalable approaches, drawn from guidance issued by the U.S. Office of the Comptroller of the Currency (OCC) and the European Banking Authority (EBA), are set out below.
OCC Supports a Standardised Approach
In a March 6, 2020 Bulletin, the OCC expressly recognises that if financial institutions "are using the same service providers to secure or obtain like products or services, banks may collaborate to meet certain expectations, such as performing the due diligence". Furthermore, such tools and resources may provide for "standardised approaches to perform due diligence and ongoing monitoring of third-party service providers by having participating third parties complete common security, privacy, and business resiliency control assessment questionnaires."
EBA Modernises Approach to Risk Assessments
The EBA Guidelines, which took effect on September 30, 2019, similarly require an assessment and due diligence of outsourcing. Importantly, the EBA guidance seeks to harmonise approaches among regulatory bodies within Europe. The EBA guidance codifies modern approaches to conducting risk assessments and audits, including "pooled audits organised with other clients of the same service provider, and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently and to decrease organisational burden on both the clients and the service provider".
These scalable approaches recognise that standardised mechanisms for conducting risk assessments are appropriate, without in any way diminishing the obligations or the level of due diligence and oversight required of financial institutions when assessing cloud services. This is distinct from custom outsourcing models, which do not lend themselves to this approach. Consequently, cloud offers efficiency not only in the delivery of the platform of services, but also in managing risk, if done through models like those offered by TruSight. We will go on to explain more about risk management in our next blog post for UK Finance.
Jonathan Pressman, President, TruSight
Dave Dadoun, Managing Director, Global Regulatory Compliance, Worldwide Financial Services, Microsoft