What is new and significant in the regulatory world as we close out 2021 and enter into a more complex environment in 2022?
Open banking implementation
By the end of 2021, the Competition and Markets Authority (CMA) final open banking implementation roadmap will end. The expectation is that Open Banking compliance will continue across the industry. However, adoption of the standard, whether for account information access via third parties or for direct from-account payments, is still slow. Banking and financial services providers need to consider developing use cases more fully to better utilise the capability available to consumers and businesses.
Operational resilience policy
In 2018 a joint discussion paper was issued by the FCA, PRA and the Bank of England highlighting the need to uphold the operational resilience of organisations. The discussion paper reinforces business continuity as an essential component in shoring up operational resilience. The rationale behind this joint publication was to introduce new thinking in how firms approach sector disruption, cyber security events, and other challenges to business operations. The regulatory view is that firms and organisations need to improve forecasts and predictive techniques to establish how failures in infrastructure impact customers, third parties, market infrastructure and suppliers, and in particular how failures across those third parties impact customers, firms and market infrastructure. However, because of the pandemic the policy has not yet been finalised; it is now expected in early 2022. Nevertheless, operational resilience will increasingly feature on the regulatory radar, with more financial services providers now aiming to operate a more peripatetic workforce. Hence more board-level focus needs to be directed to this topic, and more frameworks are needed for safeguarding.
Federal Financial Institutions Examination Council (FFIEC): Risk Management for Cloud Computing Services
On the 30th of April 2020, the FFIEC issued a statement aiming to look at the use of cloud-based services and security management policies across the financial services sector. When it comes to understanding the impact of any security breach involving cloud services, adequate security controls need to be reinforced, in addition to shared management responsibility across cloud providers and financial institutions. Therefore, despite no new regulatory stipulations coming into effect, measures around adequate controls in this area are reiterated, with an understanding that such authority and responsibilities cannot be devolved to cloud providers in isolation. Accordingly, the statement does not contain new regulatory expectations but highlights risk management practices that help safeguard financial institutions and protect sensitive customer data. It also highlights that management should not assume adequate security and resilience controls exist simply because the technology systems operate in a cloud computing environment. It is expected that acceptable, appropriate and secure cloud-based practices across the banking and financial services market will become central to policy focus over time.