Regulators and supervisors divide over third-party concentration risk

by | March 3, 2020 | bobsguide

Financial regulators and supervisors are struggling to establish an approach to concentration risk among third-party suppliers, as the use cases for outsourcing in financial services grow.

According to James Kemp, managing director, Association for Financial Markets in Europe (AFME), there is uncertainty over how to regulate concentration risk in a way that does not stifle innovation or eradicate smaller third-party suppliers.

“From a regulatory perspective, we would like to see that regulation is proportionate so that you don’t create these very large centralised players because the barriers to entry are so high. If you want to be able to use fast and more nimble suppliers there should be an ability to use them, but with very proportionate levels of regulatory cover. And as they do grow, we expect same risk, same regulation, so a sort of level playing field to ensure that everyone is in the same boat,” said Kemp during a panel at the Fintech EU 2020 conference in Brussels today.

“But I think we do need to harness innovation. We’ve heard so much today about the opportunities that are out there, but how many of them actually scale? And if they do scale, do they become oligopoly-like in the middle and what do we do then?

“How do you get that balance right and do it on a global scale? Because the other thing that you don’t want to do is have sort of national champions – that doesn’t work either.”

Kemp said he is on the cusp on whether or not additional regulation should be required over third-party suppliers in order to mitigate concentration risk.

“Is there a tipping point where if 10 people are using it, it’s not concentration risk, but if 20 people are using it, then we need to start applying potentially the principles of financial market infrastructure? I don’t know. I don’t think we’re there yet but fine, put the registers together and see what that concentration risk looks like,” he said.

According to Kemp, the post-crisis boom in bank spending has led to an increase in centralised activities via clearing houses, trade repositories and data exchanges, leading to a reliance on third-party suppliers.

Ksenia Duxfield-Karyakina, public policy and government relations manager, Google Cloud EMEA, said more work needs to be done to assess concentration risk. Part of the issue, she said, is the fragmentation that has arisen from the EU’s mixed regulatory context.

“What we see in terms of the existing framework is there is a lot of fragmentation in terms of how the [European Banking Authority] (EBA) guidelines and potentially [European Securities and Markets Authority] (ESMA) guidelines would be implemented at the national level, and you also see all the fragmentation in terms of supervisory practices. Even within the same market you’ll see very different approaches of supervisors to how they view and approve cloud projects within financial institutions.

“And some projects might take six months, 18 months to get approved by the regulators, which also complicates things and slows down adoption to an extent. I think from our perspective having some sort of common approach to assessing risk that would be agreed upon between the industry and the regulatory community would be very helpful,” she said.

Slavka Eley, head of banking markets, innovation and products at the EBA, agreed, stating that current regulation is limited and an EU-wide framework would offer guidance for applying the same criteria for critical services.

The cyber security risk associated with concentrated services such as cloud offerings was also discussed on the panel.

“With all of the changes in the regulation and the cost base going up for banking, all of those areas are being investigated to see whether or not there are ways of building the next generation of systems in a better way. That may well take you to an outsourced model because if you are then operating on the cloud, then perhaps you have got [business continuity plans] (BCPs) in multiple places already; you’ve got all your data in the cloud, you haven’t got it on site. But that comes with all the cyber security issues as well,” said Kemp.

But according to Sabrina Feng, chief technology risk officer at London Stock Exchange Group (LSEG), cyber security is not the chief concern with concentrated third-party services.

“The cyber topic I’m actually less concerned about. When services are concentrated, we need to look at the capability and capacity as well, and a lot of the providers are actually having really good cyber defence. Operating at scale, you’re able to innovate and invest and put in the most advanced technology and defences unit,” she said, stating that reaching operational resiliency should be the main concern.
