Our industry’s dependence on technology, the infusion of new entrants into the financial marketplace, and the interconnectedness of our markets makes cyber a potential source of systemic risk with the ability to create shocks across jurisdictional and national boundaries. To protect the system, firms must emphasise resilience planning to garner alignment between risk management, which is what a firm will do if bad things happen, and resilience, which is what a firm will do when bad things happen. While risk management is a cornerstone of the financial sector and is essential to ensuring the integrity of the marketplace and consumer protection, resilience extends beyond risk management. Resilience must be integrated into every facet of business operations, product and service development, technology and application development, and organisational governance.1 When considering the need for resilience, market participants, operators and supervisors are facing a shared challenge and our public and private sector interests are aligned. We need that alignment to galvanise our work and tackle the challenges in the age of resilience and digitalisation. As we enter this new era and evaluate our risk and resilience processes, we should continue to ask ourselves:
Does this new era of resilience require a new approach in risk management processes and, if so, what will it take to make that change?
This opens the door for change and the possibility for new and innovative solutions. So then, what are the challenges?
Supervisory responses to the shifting threat landscape
Nation States, cyber criminals, and other nefarious actors have demonstrated sophisticated knowledge of financial market activities and use this knowledge to develop new ways to exploit the financial services sector (Sector). To protect the Sector, supervisors have produced a large number of regulatory requirements 2 which differ in breadth and prescriptiveness. At times, these differing requirements could also lead to regulatory arbitrage causing firms to shift operations to less demanding jurisdictions.
To help reduce the risk of regulatory arbitrage, the Financial Services Sector Coordinating Council created a Financial Services Cybersecurity Profile (Profile), which seeks to align regulatory requirements across jurisdictions to the NIST Cybersecurity Framework. The Profile allows market participants and operators to answer statements and confirm compliance to multiple regulatory requirements, freeing up critical resources that can be deployed to protect technology resources. Expanding the Profile will also allow supervisors to identify control areas where firms have equal or disparate controls in place.
Fintech and bigtech infusion
The fintech explosion provides many industry benefits, but it’s not clear to what degree these advances will require new approaches for risk management or resilience processes.
Clearly, fintech enables the industry to extend financial services to excluded or underserved individuals, enhance customer experiences, increase efficiency which leads to lower transactional costs, and provide more diverse financing to micro and small businesses. In addition, fintech firms have lowered the barrier of entry for participation in the financial markets by unbundling financial products and making them more affordable and accessible, particularly in less-developed countries.
In much of the same way that fintech firms are creating new intermediary channels to the financial markets, bigtech is increasingly focused on providing intermediary services to the financial markets. Combined with enormous market capitalisation, global customer base, brand recognition and new technology usage, bigtech has the potential to redefine financial intermediation through the integration of financial services onto their platforms.
However, bigtech and fintech may present the same risks - currently supervised in the traditional banking system - in new forms through digitalisation. And where this is observed, these new activities should be regulated and supervised under the existing supervisory framework. This approach preserves the safety and soundness of the Sector and creates a level playing field for all firms. Though some firms may sit outside the current regulatory perimeter, as digitalisation evolves, it will be important to eliminate regulatory loopholes.
In addition to these risks, the Sector must continue to monitor potential and future risk exposures that may present themselves as the number of fintech firms contract, which may create concentration risks for certain market segments.
Proliferation of Third-Party Providers
In addition to the unique third-party risks created by fintech and bigtech, resilience planning around the overall management of third parties by the Sector must continue to evolve. Firms increasingly use third-party providers to outsource operational functions to save money and/or to develop new products or services. Typically, firms use vendor management programs to identify and manage potential risks, and over the last two decades, supervisory rules and guidance documents prescribed controls covering the vendor management lifecycle.3 To understand the vendor’s control environment, firms use enhanced contractual arrangements, and evaluate answers to detailed questionnaires. While these controls are adequate for risk management, they may not be complete in the age of resilience. Firms need to provide services in times of extreme stress, which could be caused by the incapacitation of services from the supply chain. As a result, firms need assurances that these providers will be able to deliver services even in times of stress. This requirement for resilience continues to take shape, and relevant stakeholders should review the current vendor risk management approach to ensure that it aligns to these new expectations and to develop innovative resilience measures.
We must monitor and understand the risks that may arise from this evolving marketplace to identify old risks in new forms and new risks that may emerge. We must work together to develop solutions to promote an even playing field, balance market risk with innovation, and preserve market integrity.
By ensuring the resilience of the digitised financial services industry, we provide the safety required to promote growth and cultivate trust that markets will continue to operate or recover quickly from events.
1 See the Discussion Paper titled Building the UK financial sector’s operational resilience, which started the industry dialogue on this topic, and can be found at https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/discussion-paper/2018/dp118.pdf.
2 See the October 2017 FSB Stocktake of Publicly Released Cybersecurity Regulations, Guidance and Supervisory Practices, which can be found at https://www.fsb.org/wp-content/uploads/P131017-2.pdf.
3 The Third Party Risk Management lifecycle was outlined in the US Office of the Comptroller of the Currency (OCC) Third Party Relationships: Risk Management Guidance.
First published to the DTCC website.