Rowan Platt, Head of Compliance & Regulatory Affairs, explains why it’s imperative banks work with third parties to enhance digital resilience maturity in light of new regulations.
A number of key regulations come into force over the next 12 months in the UK, Europe and Australia*, impacting regulated banking entities. Operational resilience is to become more important than ever before as regulators ensure financial entities can withstand and respond to disruptions such as cyber-attacks and operational or technical outages.
As a third-party provider of core technology that delivers important banking services to retail customers, 10x has an important role to play in assisting our banking clients to comply with these regulations.
While the regulations differ in their detail from country to country, the fundamental obligations are consistent globally. We think the consistencies across regulations demonstrate a growing global trend that regulators are taking operational resilience more seriously – moving from a “nice to have” to an enforceable requirement with real consequences.
The central theme across these regulations is that financial entities will need to demonstrate their resilience in providing critical operations or important business services for their customers. They will need to ensure that they can remain within their impact tolerance in severe but plausible disruption scenarios.
To do this, financial entities need to identify the resources and technology required to deliver their important business services. This includes any relationships with material third parties, such as core technology providers. They will also be expected to more effectively manage the risks associated with these third-party service providers, by obtaining an end-to-end view of operational risk in their supply chain.
Perhaps most importantly, regulators will also expect a more sophisticated approach to resilience testing, which goes beyond traditional business continuity or disaster recovery plans. Testing plans should be designed to evidence the bank can remain within impact tolerance. Over time, they will also need to incorporate testing of additional scenarios to identify the point at which tolerance levels are breached and identify new vulnerabilities to be remediated.
In many cases, firms will need to mature their resilience testing. They will need to move from largely desk-based exercises to a wider range of testing, producing more meaningful data and insights on vulnerabilities.
Given how integral core technology providers are in ensuring the resilience of a bank’s important business services and functions, it is imperative for financial entities to involve their third-party providers. Providers need to be involved in aligning on tolerance levels for disruptions and the process for responding to them.
Third parties can carry out the testing of their own resilience on their own platform, but financial entities will be responsible for ensuring that any third-party providers remain within their respective impact tolerance levels. Therefore, it’s crucial that the methodology and tested scenarios used by third parties align with the financial entity’s own requirements.
While it will always be for the financial entity to set the tolerance levels (in accordance with their own risk appetite), it will be for the third-party provider to define the testing process and to ensure this remains within the relevant impact tolerances.
The 10x response to disruption always aims to strike an acceptable balance between risk, cost, and operational performance. We have considerable experience of working with clients to test for a range of disruption scenarios, including both cyber incidents and outages of our primary cloud provider. Tests ensure we can remain within time-bound and data-loss tolerance levels, for example the maximum tolerable length of time that the 10x platform can be down after an outage occurs.