Bank of England Comments on Critical Third Parties and Operational Resilience
Published by Ben Saunders - OpRes Founder
Roughly a 1-Minute Read
Last Friday, the Bank of England (BofE) published its latest Financial Policy Summary. The paper covers all manner of topics stretching from the Libior transition, the post-Covid economic recovery, and the level of debt vulnerabilities across global markets to name but a few.
In respect of Operational Resilience, there were specific comments regarding the increasing reliance of the financial system on critical third parties (CTPs), including cloud service providers (CSPs). The paper noted that by working with these types of suppliers firms can unlock various business benefits, “including improved operational resilience”. However, the increasing criticality of the services that CTPs provide, alongside a well-documented concentration of trusted providers, does according to the BofE, “pose a threat to financial stability in the absence of greater direct regulatory oversight”.
The paper goes on to explain that regulated firms must continue to have primary responsibility for managing risks stemming from their outsourcing and third-party dependencies. However, if you read between the lines, it won’t be long until additional policies, measures and legislation will be administered on firms and most likely the CTP’s and CSP’s themselves. Evidently, the intention of any such regulatory requirement would be introduced “in order to mitigate the financial stability risks stemming from concentration in the provision of some third-party services”.
Invariably, the paper goes on to state that firms should establish an appropriate framework to designate certain third-party service providers as critical. As well as demonstrating rigorous resilience standards and resilience testing which can be evidenced for reporting purposes. We discussed in previous blogs how OpRes can demonstrate the evidence of resilience testing reports. As well as highlighting how firms can identify and report on the Critical suppliers that underpin their important business services. Furthermore, as well as demonstrating concentration risks associated with each CSP, OpRes can also visualise what number and volume of components each important business service is consuming across the likes of AWS, GCP and Azure.
In closing the paper discussed plans for releasing a discussion paper on the subject of CTP’s in 2022. In short, firms must stay tuned to this space! As well as the growing number of FinTechs and established CTP’s that are already providing critical technology functions the financial services sector.