In recent years, operational resilience has come under the spotlight of financial regulators globally, leading to a proliferation of new regulation. The sheer number of publications on this topic can be confusing for businesses navigating the regulatory landscape.

This article is Part 2 of our series of articles on operational resilience. The series aims to summarise current international and national regulatory developments, and to highlight in particular the importance of operational resilience in outsourcing and the use of ICT.

This series is split in three parts:

  1. Part 1 includes an overview of the most recent operational resilience regulatory developments in the UK.
  1. Part 2 addresses the regulatory framework on operational resilience in the EU, including a table summarising the key UK and EU rules and guidelines relating to operational resilience. We also explain the impact of Brexit on the regulations that apply to UK firms and how evolving European regulations are expected to affect UK firms.
  2. Part 3 outlines global regulatory developments in relation to operational resilience which are likely to be relevant to firms in the UK, and a summary of the main takeaways for all three parts.

Introduction

At EU level, operational resilience requirements within the financial sector are currently embedded in a variety of legislation and guidelines, including the Capital Requirements Directive (CRD), the Markets in Financial Instruments Directive (MiFID II), Solvency II and the Payment Services Directive 2 (PSD2). In addition, there are guidelines on various aspects of operational resilience issued by supervisory authorities including the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA).

The EU regulatory landscape is going to change significantly with the expected arrival of the Digital Operational Resilience Act (DORA), which will apply to virtually all financial services firms across the EU, from credit institutions to fund managers and, crucially, to major ICT service providers.

Impact of Brexit

The existing regulatory framework on operational resilience has broadly been preserved in the UK as part of retained EU legislation in the form of statutory instruments under the European Union (Withdrawal) Act 2018. Future EU legislation will not apply in the UK, however the UK financial market does not operate in a vacuum and UK law makers and regulators will undoubtedly have to take into account the EU’s regulatory developments.

The UK-EU Trade and Cooperation Agreement provides little detail in relation to financial services regulation. The UK and EU have agreed in a Joint Declaration on Financial Services Regulatory Cooperation to enter a Memorandum of Understanding on equivalence determinations relating to financial services regulations by March 2021.

Current framework

The following industry-specific instruments comprise the European operation resilience framework along with general rules set out in CRD, MiFID II and Solvency II:

EBA Guidelines on Outsourcing Arrangements ("EBA Outsourcing Guidelines") 

In February 2019, the EBA published its guidelines on outsourcing arrangements, which came into force on 30 September 2019.

These Guidelines introduce a regulatory framework in relation to outsourcing which applies to a wide range of EU financial institutions including banks, credit institutions and investment firms subject to CRD, payment institutions and e-money institutions. The guidelines include a comprehensive set of requirements on institutions’ outsourcing arrangements (in particular, in relation to "critical or important functions") such as:

  • governance requirements for entering and overseeing outsourcing arrangements;
  • requirements for pre-outsourcing analysis which must include appropriate due diligence, a materiality assessment and a risk assessment;
  • a requirement to maintain a register of outsourcing arrangements;
  • a requirement to maintain a written outsourcing policy;
  • contractual requirements for critical or important outsourcing arrangements; and
  • notification requirements when entering or amending critical or important outsourcing arrangements.

In their December 2019 Consultation Papers, the UK's financial regulators made clear that they intend to align the UK regulatory approach with the EBA Outsourcing Guidelines in the future (see Part 1 of this series for more detail on these Consultation Papers).

EBA Guidelines on ICT and security risk management ("EBA ICT Guidelines")

In November 2019, the EBA published its guidelines on ICT and security risk management, which became applicable from 30 June 2020. These Guidelines apply to banks, payment services firms and investment firms and set out requirements to business continuity management in respect of ICT and security risks. Under the Guidelines, financial institutions are required to establish a sound business continuity management process, have effective response and recovery plans including testing, and ensure they have crisis communication measures in place.

While the PRA and FCA took the EBA ICT Guidelines into account when drafting their December 2019 Consultation Papers, both regulators stated that they will confirm their approach to the Guidelines and provide further clarification on the links between the PRA and FCA operational resilience policies and the EBA ICT Guidelines in their final report in 2021 (see Part 1 of this series for more detail on these Consultation Papers).

EIOPA Guidelines on outsourcing to cloud service providers ("EIOPA Cloud Guidelines")

The EIOPA Cloud Guidelines were published by EIOPA in February 2020 and will apply from 1 January 2021. The Guidelines are addressed to insurance and reinsurance undertakings and apply to all outsourcing arrangements with cloud providers. Helpfully to financial institutions operating both banking and insurance businesses, the EIOPA Cloud Guidelines are closely aligned with the EBA Guidelines on Outsourcing Arrangements. This makes it easier for the relevant institutions to implement an outsourcing strategy that complies with both set of guidelines.

The application of the EIOPA Cloud Guidelines to UK insurers is complex:

  • the PRA has confirmed that its draft Supervisory Statement on outsourcing and third party risk management takes into account the EIOPA Cloud
  • the FCA announced on 8 July 2020 that the EIOPA Cloud Guidelines will not be applicable to regulated activities within the UK’s jurisdiction, but will continue to apply the FCA's FG16/5 “Guidance for firms outsourcing to the cloud and other third-party IT services in the UK”. The FCA said that it would “keep this guidance under review and, where appropriate, consult to update this to ensure it remains consistent with relevant international standards”.

For insurers with operations in both the EU and the UK, an organisation-wide approach is likely to be preferred which will inevitably mean bringing practices and policies into compliance with the EIOPA Cloud Guidelines.

ESMA Guidelines on outsourcing to cloud service providers ("ESMA Cloud Guidelines")

The ESMA Cloud Guidelines were published on 18 December 2020 and will apply from 31 July 2021. These Guidelines are relevant to a number of entities within ESMA’s purview including investment firms, UCTIS, central counterparties, trade repositories, central securities depositories and administrators of benchmarks. The Guidelines are intended to be broadly consistent with the EBA Outsourcing Guidelines and EIOPA Cloud Guidelines as described above. In developing these guidelines, ESMA has also been mindful of the European Commission’s proposal for a regulation in relation to digital operational resilience (please see below) but as the regulation is still a proposal at this stage, ESMA notes that it will closely monitor the development of the proposal and provide revised or additional guidance if needed.

As with the EIOPA Cloud Guidelines, the ESMA Cloud Guidelines will not be directly applicable to firms within the UK as the Brexit transition period has now ended. However, we expect the FCA will take into consideration the ESMA Cloud Guidelines when reviewing and updating its own guidance in relation to operational resilience and outsourcing arrangements.

Proposed regulatory developments

In the same vein as the UK regulators, the EU has a number of proposals on operational resilience in the pipeline. As financial services firms increasingly rely on technologies in every aspect of their business, the EU regulators and lawmakers are looking to further enhance the existing rules, in particular on information technology risks.

Digital Operational Resilience Act

On 24 September 2020, the European Commission published a draft regulation referred to as the Digital Operational Resilience Act. DORA introduces a framework on digital operational resilience within the EU financial sector that is intended to apply to virtually all types of financial services firms.

DORA proposes a single set of overriding mandatory rules in order to set a high common standard across the EU financial system and includes a wide range of requirements in relation to:

  • management of ICT third party risk;
  • business continuity;
  • access and audit rights; and
  • sub-contracting.

Notably, the draft regulation brings major ICT service providers directly within the scope of supervision of the European supervisory authorities. Our full analysis of DORA can be found here.

While the UK will not be under an obligation to comply with the resulting legislation, we anticipate that the UK regulators will keep DORA under review. Many UK financial firms will need to operate both within the UK and the EU, and will therefore need to satisfy both regulatory regimes.

EBA Consultation Paper on the revision of the Guidelines on major incident reporting under the Payment Services Directive (14 October 2020) ("Incident Reporting CP")

In July 2017, the EBA adopted the Guidelines on major incident reporting under PSD2 ("Guidelines on Incident Reporting"). These are addressed to payment service providers ("PSPs") and competent authorities under PSD2, and include requirements in relation to classification and reporting of major operational or security incidents.

In line with the PSD2’s requirement to review the Guidelines on Incident Reporting regularly, the EBA is now proposing to:

  • simplify the current incident reporting process by reducing the number of intermediate reports to one report and the content of the incident reports by reducing the fields in the reporting template;
  • increase the threshold for when notification must be made from €5m to €15m; and
  • ease the requirements for when notifications must be made by extending the deadline for PSPs to submit the final report.

The Incident Reporting CP makes clear that reporting requirements will apply to major incidents affecting functions outsourced by payment service providers to third parties.

Notably, the EBA acknowledges that DORA contains a proposal for incident reporting based on the PSD2 which goes beyond payments-related incidents. The EBA expects the revised Guidelines on Incident Reporting to come into effect in Q4 of 2021, whereas it will likely be years before DORA comes into effect.

It is not yet obvious if the FCA will adopt the same approach in relation to payment service providers in the UK. However, the FCA has already explained that UK financial institutions in scope are expected to comply with the current EBA Outsourcing Guidelines and has expressed its general intention to align with international regulation. It therefore appears likely that the FCA will look to harmonise their approach in this area.

Key Takeaways 

The EU regulatory landscape is expected to change significantly in the coming years. When formally adopted, the Digital Operational Resilience Act (DORA) will harmonise and address gaps among the existing array of regulations on operational resilience and ICT risk management in the financial sector.

  1. Brexit has complicated the financial services regulatory landscape. Existing regulations have largely been preserved in the UK by way of domestic statutory instruments, but future EU legislation and industry-specific guidelines will not automatically apply in the UK.
  2. Although some industry-specific instruments such as the EIOPA Cloud Guidelines and the ESMA Cloud Guidelines are not directly applicable in the UK, firms with operations in both the EU and the UK are likely to prefer an organisation-wide approach which means bringing practices and policies into compliance with the above guidelines.
  3. The table appended to this article contains a 'snapshot' of relevant regulations and guidelines applicable in the UK and the EU.