16 October 2020
Digital finance – 2 of 3 Insights
New proposals from the European Commission would make third-party ICT service providers deemed "critical" to the EU financial system subject to direct regulatory oversight for the first time, with significant fines for non-compliance.
This briefing explores the Proposal for a Regulation on Digital Operational Resilience and the potential impact on service providers that might be designated under the regime.
For information on how the Proposal would impact financial services firms, please see our separate briefing here.
At present, EU financial services regulators do not generally have direct oversight powers over unregulated ICT service providers. Instead, any regulatory intervention has to take place indirectly, through the regulated firm that uses the provider's services. There are some exceptions, such as the PRA's direct information-gathering powers in relation to information relevant to the stability of the UK financial system, and certain firms are required to obtain contractual audit rights for their regulators. In general, however, ICT service providers are currently subject to indirect regulatory oversight only.
This looks set to change under the proposals: providers designated as "critical ICT third-party service providers" ("CITPSPs") would be subject to direct oversight at the EU level for the first time.
Financial services firms increasingly rely on advanced ICT services provided by specialist providers. The Commission has raised concerns over the lack of an oversight mechanism to monitor potential risks stemming from these providers, including potential concentration risks and contagion risks that could impact the wider financial services sector.
Only service providers designated as "critical" by the European Supervisory Authorities ("ESAs") would be subject to the oversight regime. The ESAs would make this designation based on a set of qualitative and quantitative criteria, including:
Service providers not designated as CITPSPs would have the option to voluntarily "opt in" (although how many will choose to do so is unclear). One potential benefit might be the centralization of oversight at the EU level rather than across multiple EU Member States; for CITPSPs, national regulators would be discouraged from taking measures outside of those at the EU level and would need to coordinate accordingly. This is intended to avoid duplications and overlaps.
One of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) or the European Securities and Markets Authority (ESMA) would be designated as the "Lead Overseer" for each CITPSP, depending on the relative use of the CITPSP across the market.
A central "Oversight Forum" (a sub-committee of the ESAs) would support the oversight work, including promoting consistent monitoring of ICT risks at Union level.
It is difficult to tell how involved oversight might be at this stage. The main elements and powers put forward under the proposal would involve:
Much of the detail of how this will operate will be set out in delegated acts and regulatory technical standards, yet to be published.
Two primary enforcement mechanisms have been proposed at this stage:
If these enforcement measures are retained in the final text, it could in practice be difficult for CITPSPs to object to providing the requested information or on-site access, or to implementing the Lead Overseer's recommendations.
At this stage, this is a draft proposal and is likely to change as it goes through the EU's legislative process. Several areas are also due to be set out in further delegated legislation, yet to be published.
In the meantime, service providers might want to consider the designation criteria under Article 28 of the Proposal and how they apply to their business.
We will be monitoring developments in this area in order to support service providers that are concerned they might be designated under the regime.
by Multiple authors