The option to participate in collective assurance activities is welcome, but this article, which was originally published in the September 2021 edition of Butterworths Journal of International Banking and Financial Law, makes the case for more guidance from sectoral regulators and competition authorities to allow banks and their service providers to truly get comfortable.
With banks’ 2020 very much taken up with the operational response to the pandemic, it comes as no surprise that 2021 sees banking supervisors engaged in some regulatory catch-up, not least with regard to establishing operational resilience policy.
Increasing reliance on third party technology providers, particularly the use of cloud computing, has long been recognised as a key industry trend. As such, risk management of outsourcing and other third party technology arrangements is a fundamental part of the broader regulatory and industry push towards both defining regulatory policy and – more critically – achieving operational resilience. One interesting aspect of policy development in relation to the risk management of outsourcing and third party arrangements (TPAs) is that regulators, recognising some of the challenges facing firms, are making accommodations in their policies on the assurance or audit mechanisms which can be used by financial services firms. For example, in Supervisory Statement 2/21, released at the end of March 2021, the UK Prudential Regulation Authority (PRA) explicitly recognised that banks might deploy a range of proportionate assurance mechanisms, including collective assurance activities such as ‘pooled audits’ to assess the control environment of a common service provider. The European Union’s Digital Operational Resilience Act (DORA), which is currently under negotiation, contains similar provisions allowing for collective assurance activities.
Having the option to use collective assurance activities is to be welcomed by both firms and service providers. Large financial services firms will have a myriad of TPAs across their business lines and functions. Similarly, a major service provider will be supporting many companies across all sectors. Without recourse to collective assurance activities, service providers face significant disruption from audit and review activities. It is a reasonable conclusion that increasing the number of audits with which a service provider must engage has resource implications. A pooled audit appears to offer a cost and time effective solution to both firms and suppliers. It may also prove to be more comprehensive, conducted by those with a high level of expertise, than a general audit, which will have its limits and be high-level at best. Moreover, with general audits, the auditor is likely to be wary about exposure to claims if things go wrong – so the language of the audit and the clauses on reliance are likely to be very conservatively drafted. This means that a firm will need to negotiate its own rights around, for example, accessing information about a problem at the supplier.
While, on the one hand, the availability of collective assurance activity options is very welcome, it is now important for regulators to take a further step and provide specific guidance for firms. When they are considering participating in collective assurance activities, firms and service providers need a high degree of clarity on what the financial services regulators expect of firms and of the assurance processes involved. In particular, these expectations – whether set down in legislation, regulations, guidance, or another format – must be developed in co-operation with relevant competition authorities, as firms will require assurance that they are not at risk of breaching competition law. Given the keen focus on risk management of TPAs, one might be forgiven for being concerned as to whether collective assurance activities will be deemed sufficiently robust by the regulators in some scenarios – perhaps most particularly in an enforcement context, when there is the benefit of hindsight. It is fair to say that developing such fit-for-purpose guidance, appropriately informed by relevant stakeholders, will take time and is likely to be an iterative process in any case. However, there are some interim steps which financial services regulators might take that would provide an initial level of guidance for firms and service providers and inform the development of guidance. For example, they might consider formally recognising non-sector-specific guidance around auditing and conducting assurance activities for TPAs, which may be sourced from the relevant professional and oversight bodies of the audit profession. As the boundaries of the financial services sector become increasingly blurred, it would be helpful if there were some common ground between the standards applied in the directly regulated sector and those applied to entities operating on the periphery, perhaps just outside the regulatory perimeter.
This could also help to ensure that relevant assurance skill sets are transferable across sectors, enabling assurance practitioners to develop broad, diverse experience which can be leveraged for benefit across sectors.
Regulators could also consider sharing information about how they will approach assurance activities for their own outsourcings and third party arrangements, particularly where those regulators have decided to model their own arrangements on the rules with which firms are expected to comply.