Intranational efforts to streamline global standards will continue. In April 2023, the FSB is scheduled to publish a revised report to the G20 slated to include expectations for financial authorities' oversight of financial institutions' reliance on critical service providers, including "Big Tech" and fintech firms.
Businesses providing payments technology will be faced with the significant legal burden of dealing with the requirements under DORA and the new UK regime (once in force) for contracting with payment service providers. DORA's introduction of a new incident reporting mechanism, including a requirement for "major" incidents to be reported to competent authorities within strict time frames, will require significant investment in processes.
In the US, we expect the banking agencies to finalise proposed guidance on "third-party risk management", originally proposed in 2021, which will set supervisory expectations for risks raised by third-party relationships as well as heightened standards for providers of "critical services". Among other items, the guidance expects covered institutions to conduct due diligence and provide ongoing oversight of a third party's information security programme and information systems, as well as assessing the third party's ability to continue delivering services during a disruption event.
We will see additional global regulators launching comprehensive regulatory regimes to ensure that financial institutions have appropriate internal governance and control frameworks around ICT use, including the use of third-party technology providers. We are also likely to see an increase in enforcement action by regulators relating to operational disruptions - TSB Bank plc was recently fined £48.65 million by UK financial regulators for operational risk management and governance failures relating to its IT upgrade programme. In parallel, the same technology disruption events are likely to give rise to civil claims and litigation – whether for breach of contract, negligence or data breaches.
For more, read our recent briefings DORA: What the new European framework for digital operational resilience means for your business and the UK Financial Services and Markets Bill: new rules for 'critical third parties'.