On 24 September 2020, the European Commission (‘the Commission’) published a legislative proposal to address digital operational resilience for the financial sector.
This proposal introduces for the first time an oversight framework covering critical third-party providers of information and communications technology (ICT) services, including providers of cloud computing, software and data analytics services, as well as a ban on financial entities using critical ICT third-party service providers established in a third country (outside the EU).
The role of big tech and digital service providers in the financial sector
The role of big tech and other new digital players in the financial services sector has been closely monitored by regulators and supervisors in recent years.
The emergence of payment networks and other digital platforms in the financial services space makes it unclear which business models will prevail in the modern economy, how the operators of those prevailing business models will be supervised, and how these operators will impact traditional banks’ current business models.
From a policy perspective, issues to tackle include the fragmentation or unbundling of banking and other financial services in an environment where market entrants pick and choose the core components of financial services, and the potentially self-reinforcing dynamic of big data, which may create natural monopolies in certain areas of financial services.
However, digital and data service providers have also entered the financial services sector as suppliers to banks, with the potential to create considerable change in the way banks operate. Relevant areas are, for instance, cloud computing, data analytics and artificial intelligence. This development should allow banks to operate more efficiently.
At the same time, a greater reliance on unregulated third-party ICT providers raises concerns around the operational resilience of banks and the financial system more broadly.
Against this background, various financial services regulators and supervisors in Europe have engaged in in-depth industry dialogue. At this stage, the outcome is the Commission proposal to introduce an oversight framework that applies directly to critical ICT third-party service providers.
Overview of the legislative proposal on digital operational resilience
The proposal forms part of the Commission’s digital finance package and aims to reduce ICT risk in the financial sector and to overcome regulatory fragmentation in this field among member states and sub-sectors. For an overview of the digital finance package, read our introductory blog.
This sector-specific regime will coexist with other cross-sector regulation on cyber security, and the financial sector would remain within the scope of the horizontal cyber security framework established by the Directive on Security of Network and Information Systems (NIS Directive).
The comprehensive framework would enhance the ICT risk management requirements applicable to financial entities in the EU, streamline ICT-related incident reporting requirements and reduce single market fragmentation, for instance, in respect of digital operational resilience testing and the cross-border acceptance of test results.
A core element of the legislative proposal is a set of rules addressing the sound management of third-party ICT risk by financial entities, including requirements on key contractual provisions in (outsourcing) arrangements with ICT third-party service providers, and through the establishment of an oversight framework applicable to critical ICT third-party service providers.
Oversight framework applicable to critical ICT third-party service providers
The new oversight framework shall apply to all third-party entities providing digital and data services – including cloud-computing services, software, data analytics services and data centres – that are designated as critical by the Joint Committee of the European Supervisory Authorities (ESAs). One of the ESAs will be appointed as lead overseer for each critical ICT third-party service provider to perform the oversight.
The criteria for determining whether an ICT third-party service provider is ‘critical’ focus on circumstances indicating the criticality or importance of the services it performs for the functioning of the European financial system. The criteria include, for instance, the systemic character or importance of the financial entities that rely on the service provider.
Third-country ICT service providers
ICT third-party service providers established in a third country whose operational failure would have a systemic impact on the provision of financial services must not be used by financial entities in the EU.
For third-country entities deemed critical ICT providers because of their potential systemic impact, this amounts to a de facto requirement of legal incorporation in the EU, which is a far-reaching intervention. It remains to be seen whether the proposed prohibition will lead the third-country service providers concerned to incorporate separate legal entities within the EU, or whether financial entities in the EU will instead face a more limited service offering.
Powers of the lead overseer and other means of enforcement
Each year, the lead overseer must adopt an oversight plan for each critical ICT third-party service provider. This comprises a set of monitoring activities with a view to strengthening the digital operational resilience of the financial entities relying on that service provider.
For the performance of its monitoring activities, the lead overseer will have various investigation powers, including the right to request information, carry out general investigations (eg document reviews, interviews) and perform on-site inspections.
Where a service provider does not comply with a request made under these investigation powers, the lead overseer may impose a periodic penalty payment to compel the service provider to adhere to the request.
Following an investigation, the lead overseer will make recommendations to the service provider. It will also communicate those recommendations to the competent authorities that supervise the financial entities receiving the provider’s services. The lead overseer will not have any powers to enforce the implementation of its recommendations, reflecting the generally limited powers of intervention of the ESAs on the basis of the Meroni doctrine under European law.
However, this lack of enforcement powers will be compensated for by extensive powers of the competent authority supervising the financial entities receiving the services. The competent authority may require financial entities to suspend or terminate the services they receive if the risks identified in the lead overseer’s recommendations are not sufficiently addressed by the service provider. This may be a powerful tool to enforce compliance with the recommendations. But it may also prove difficult for financial entities to substitute the services they are required to suspend or terminate.
Outlook and potential initiatives at national level
The legislative proposal aims to prevent regulatory fragmentation among member states in the area of ICT risk in the financial sector. However, in relation to digital service providers, it remains to be seen whether all member states view the oversight framework as sufficient.
Member states may perceive the limited direct enforcement powers of the ESAs, and the fact that only a subset of service providers will be deemed ‘critical’, as potential shortcomings. To compensate, they might adopt more stringent national rules in view of the rapidly increasing importance of technology in the financial services offering. Where technology not only supports the operations of financial entities but also becomes an integral part of the financial services offering, member states and national supervisory authorities might want to rely on direct supervisory and enforcement powers over third-party and intra-group digital service providers.
We expect the debate on the regulation and supervision of the financial services sector in light of changing business models will continue and go beyond the digital finance package presented by the Commission. Recently, in the context of the German Presidency, the EU economic affairs and finance ministers discussed the need to rethink financial markets in the digital age, addressing issues such as the shift from a banking-centric financial system to a platform-centric one.
Accordingly, the oversight framework of critical ICT third-party service providers may be only a first step towards tighter EU financial services supervision of digital business offerings in the financial services sector in addition to the existing cross-sector regulation in the areas of competition, data protection, and network and information security.