Takeaways

Third parties will be designated as “critical” by HM Treasury under secondary legislation, in consultation with other regulators (FCA, PRA, Bank of England, etc.).
Once designated, third parties will be required to meet minimum resilience standards and be subject to direct oversight from the UK regulators.
Further details are expected in a Discussion Paper, which will seek views from the industry on the most effective and proportionate way to proceed.

The dependency of many firms on a limited number of critical third parties for key services within the financial services sector has increased in recent years. As of 2020, over 65% of UK financial services and financial market infrastructure firms used the same four cloud providers for cloud-infrastructure services. The failure or disruption of one of these critical third parties could have a systemic impact across the financial sector. Against this backdrop of reliance, the UK Government has confirmed that it will legislate to bring third-party providers into the regulatory perimeter.

The current regulatory regime consists of an operational resilience framework which primarily covers data security, business continuity and exit planning. Regulated firms are required to ensure that their contractual arrangements allow them to comply with this framework, but the regime does not apply to the third-party providers in their own right and so does not address the systemic risk that disruption could cause for a third party providing key services to multiple firms.

According to a policy statement issued by the UK Government, under a new regime, HM Treasury (in consultation with other regulatory bodies) will have the power to designate third parties as “critical.” Once designated, financial regulators will be able to exercise a range of powers directly against such third parties, including:

  • Rulemaking powers relating to the provision of material services and minimum resilience standards that must be met;
  • The power to require the third parties to take part in targeted resilience testing;
  • Information gathering and investigatory powers (including the power to conduct formal interviews, appoint investigators and enter premises under a warrant);
  • The power to commission a “skilled person’s” report;
  • Powers to direct the third parties to take (or refrain from taking) specific actions; and
  • The ability to bring formal actions and enforcement (including publicizing failings and, as a last resort, prohibiting the provision of future services).

Draft legislation will be published implementing the new regime, and a Discussion Paper will then follow, setting out in detail how the powers will be exercised in practice and seeking views from industry participants. Once the new legislation is passed, a Consultation Paper is anticipated which will build on feedback from the Discussion Paper and contain the proposed rules. Once finalized, HM Treasury will begin the process to designate the first critical third parties under the new regime.

The EU’s DORA

The new UK announcement comes shortly after the European Parliament and the Council of the European Union reached a provisional agreement on the EU Digital Operational Resilience Act (DORA). Like the new UK proposal, DORA seeks to bring critical third parties, such as cloud-service providers, within the regulatory perimeter. While the two regimes have a broadly common purpose, there are some key differences in the approach being taken. For example, the new UK regime seeks to take a broader approach, in contrast to the detailed risk management requirements contained in DORA. International financial service firms and cloud-service providers will need to review both regimes to ensure their proposed compliance plan meets all requirements.

While more details will become available once the proposed legislation and the Discussion Paper are published (although no date is given for when these can be expected), the announcement does look like a step towards partial standardization across the providers of critical services to the financial services sector. This will be welcome news to regulated firms that have been calling for consistency, especially in the context of cloud-service providers. The proposal may also ease the burden of contractual negotiation with the critical service providers. If you have any questions on the implications of the new framework, please reach out to your normal Pillsbury contact.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.