Rachel Tyler, DTCC Executive Director of Business Resiliency, joined a panel of industry experts to discuss the impacts of third-party providers on operational resilience, changes to business continuity planning and the need for international regulatory and jurisdictional alignment at the Evolve 21 Conference.
Attendees of the virtual conference included senior technology leaders from the areas of resilience, operational risk and cyber resilience, among others.
DTCC Connection sat down with Tyler to discuss key takeaways from the panel discussion.
DC: Third-party providers are an integral part of the financial services landscape. At the same time, the pandemic has presented new challenges for firms to increase their levels of operational resilience. What challenges do firms face when they use third-party providers?
RT: Third-party vendors are a critical part of the financial services value chain, providing services and features that individual companies may not be best positioned to implement themselves. While this relationship might be effective for many reasons, introducing these providers into the chain means their resiliency posture must be accounted for, in order to gain comfort that the entire service is resilient.
This reality presents its own unique set of challenges. First, there may be a limited number of suppliers in the space. In other words, in certain instances, competition is low, raising concentration risk. The financial industry has had extensive dialogue with respect to limiting these concentration levels while at the same time not revealing which firms use specific suppliers.
Adding an additional challenge is the existence of what is commonly referred to as Nth providers—contractors and sub-contractors that the third-party vendors utilize. Nth providers further complicate matters as finding out information about these firms is complex and adds additional risk. While firms can use contracts to manage the Nth parties, they may not be able to negotiate based on the size of the institution, value of the contract and the concentration of the providers. In many cases, these Nth providers are not directly regulated. As a result, having insight into their testing and backup capabilities is often challenging.
DC: Are there any differences in third-party relationships when those services are provided by a related firm?
RT: DTCC and other organizations use intra-group providers, which provide a higher level of safeguarding than when using a third-party vendor because intra-group providers are aware of the expectations required on the entities for which they provide service and they are typically more in tune with the services offered. Intra-group outsourcing does not pose the same level of risk as outsourcing to an unaffiliated provider, often allowing regulated entities to efficiently deploy resources on an enterprise-wide basis in a manner that safeguards the safety and soundness of the entity. This could be done through service level agreements and inclusion into the risk and resilience governance structures, which review and set the group’s risk tolerance. Rigid requirements applicable to intra-group arrangements that are not proportionate to the relevant risks posed by these arrangements may serve to place regulated entities at a competitive disadvantage versus unregulated competitors.
DC: How will the focus on operational resiliency change the way in which business continuity testing is performed?
RT: Generally, business continuity planning and its associated testing ensure that businesses can operate in the case of a disruption and cover the need for geographic dispersion. In other words, are the people and technology in the right places to ensure that the services provided to clients are available when they are needed?
Performing a business impact analysis and testing exercises are key tenets of any business continuity program. Firms usually test their capabilities through disaster recovery exercises and a rotation of staff responsibilities. This type of testing will continue and may even increase in frequency based on recent regulatory guidance.
However, as focus transitions to operational resiliency at a service level, firms may need to evolve their testing programs and, rather than focus on a single point of failure, evaluate multiple points of impact across the service and stress them together. This could be completed by performing tests whereby certain pieces of technology or processes fail simultaneously and numerous dependencies are impacted. Looking at important business services in a more granular way would help identify areas of opportunity.
Also, additional focus will be needed for further prioritization. If a service is disrupted, which services need to be resumed first? Are the firm’s recovery plans enacted in such a way that allows for a more granular recovery? Looking at these points, testing with third parties on which firms depend becomes more critical.
DC: How should firms approach changes to technological availability as part of resilience planning?
RT: How firms approach changes to technological availability is a key area of investigation. Consider, for example, testing of the multi-data-center model: under traditional disaster recovery programs, firms need to make sure that they can fail over from one data center to another to continue to provide services. These failover tests may also be required through regulation: in the U.S., this includes “Sound Practices to Strengthen Operational Resilience” or SEC Regulation SCI. However, when firms switch to a model where either applications or complete infrastructure components operationally rotate data centers as a standard course of business, the concept of performing a failover or loss-of-region test has little value. Technically, the systems and associated technology stacks are already executing this task at some frequency by design. Firms and regulators alike will need to evaluate how service continuity testing will need to be adjusted as a result of these changes in both technical design and execution.
DC: Why is international alignment needed in order to implement successful operational resilience programs?
RT: In order to implement effective operational resiliency programs, it is critical that firms understand regulatory expectations, and the definitions used within policies and guidelines provide the foundation for the effective application of any standards. For entities with an international reach, a globally consistent taxonomy set is critical for market participants and regulators alike, helping to shape constant expectations between and among the public and private sectors as well as mitigate the potential for market fragmentation and regulatory arbitrage.
A common framework is also essential to support systemic risk monitoring among the differing regulators globally. Allowing for this common understanding also has the potential to reduce burdens for market participants to respond to multiple requests for the same information.
On the cyber front, harmonization and other efforts to reduce additional burden will allow firms to focus on protecting their customers in a crisis, while also restoring and ensuring the confidentiality, availability and integrity of the systems supporting their services in a timely manner without introducing more risk into the marketplace.