News
12.09.24
The Latest Guidance on Collaborative Scenario Testing of Third Parties
The guidance can be found here.
Our financial system is dependent on the resilience of third parties who support our financial institutions in delivering important business services. The complexity and interconnectedness of this ecosystem of suppliers and providers has increased over time, with growing concern that disruption of these third parties may impact the broader financial sector and give rise to systemic risk.
Building resilience across the ecosystem benefits everyone: suppliers, financial institutions and ultimately their customers. Achieving that objective requires a willingness to work together as a community to drive continuous improvement, along with greater transparency over the security and resilience of third parties and the expectations of financial institutions in that regard. The Operational Resilience Collaboration Group (ORCG) under CMORG intends to move forward collectively and consistently to address these issues.
We noted that the Bank of England has consulted on the establishment of a third party regulatory regime to drive resilience improvements amongst the third parties who are most critical to our financial system.
This paper by the ORCG, supported by the Third Party Resilience Group (TPRG), addresses the wider range (and substantial number) of significant third parties on whom the sector depends. While these firms may not meet the threshold for designation by HM Treasury, their failure may nevertheless result in disruption to the important business services of financial institutions and ultimately harm to end customers.
A wide range of firms fall into this category including managed service providers, financial platforms, market data providers, ratings agencies and many other services on which our complex financial ecosystem depends. Recent incidents have shown just how disruptive the failure of such third parties can be and the broad consequences for the financial sector and the wider economy.
This paper proposes a way forward which allows financial institutions to be confident of the resilience measures taken by third parties, including the extent to which they have tested their own business continuity, disaster recovery and incident management processes against severe but plausible disruption scenarios. It suggests minimum levels of information disclosure by third parties to their client financial institutions, as well as seeking to align the financial community’s requests for information from third parties. Of course, these principles can also apply to “n-th parties”, the suppliers to the suppliers, who are also part of the ecosystem.
Doing so avoids multiple and duplicative requests for information from financial institutions, as well as wasted effort by the third parties themselves. It also provides greater certainty for third parties on the likely asks from financial institutions as they seek to demonstrate and evidence their own resilience to their board, clients and regulators.
The paper also explores opportunities for collaborative scenario testing of services provided by third parties to the wider community, where a “test once, use many” approach can both provide confidence to financial institutions and reduce the burden of dozens or more customers all approaching the third party requesting their involvement in tests. While not appropriate for all services, collaborative testing can provide a good way forward for transactional services, as well as where many banks, insurers and other institutions all depend on similar services being provided.
As a community we will now be looking to take forward these recommendations over the coming months to help build a more resilient financial ecosystem to support us all.
By the co-chairs of the ORCG Collaborative Scenario Testing Working Group:
Richard Pounder, Senior Director, Visa Europe
David Ferbrache OBE, Resilience Specialist, Lloyds Banking Group