News

Convergence in Law. The focus of the EU Digital Financial Package on technology assurance & new regulations on technology providers.

The future of financial services is underpinned by innovative technology. Existing incumbent operators as well as new entrants are eyeing digital technologies and digital transformation to herald a new dawn for financial services.

To this end last week the European Commission has published a draft new Digital Finance Package (the package), to further enable and support the potential for digital finance, in terms of innovation and competition whilst mitigating the potential risks. The package includes, a proposal to regulate the market of crypto assets (MICA), a proposal for a pilot regime on distributed ledger technology (DLT), a proposal for digital resilience, operational and a proposal to clarify or amend certain related EU financial rules services (DORA).

According to the package, the absence of detailed and comprehensive rules on digital operational resilience at EU level has led to the proliferation of national regulatory initiatives (e.g. on digital operational resilience testing) and supervisory approaches (e.g. addressing ICT third-party dependencies). The proposed new EU regulation on digital operational resilience for the financial sector and a draft directive which would amend existing legislation concerning operational risk and risk management requirements in EU financial services aims to cater for this shortcoming.

Operational resilience requirements, outsourcing, ICT, cyber & security risk management etc are not something new for financial services and at a European level we find them in different rules and regulations as well as guidelines issued by the respective supervisory authorities, data protection authorities, including the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA).

With the new package however, we are witnessing something novel in the financial services realm as the regulation plans for the first time, to extend regulation directly to non-financial services players. More specifically, technology providers working with financial services operators.

Let’s start to briefly jog through the different proposed measures and highlight some of the salient proposals on the technology front.

(1) MICA and the applicable annexes aim to be part of a wider EU framework that both enables markets in crypto assets as well as the tokenisation of traditional financial assets and wider use of DLT in financial services. The proposals also focus on obligations for governance arrangements, policies and procedures on functioning of issuers propriety DLT. It also speaks of obligations to have systems and procedures in place that are adequate to safeguard the security, integrity and confidentiality of information, appropriate and proportionate resources and procedures, including resilient and secure ICT systems in accordance as required by DORA. The proposal also hints at a form of forensic node or regulated data base where the market players should have systems as well that record and safeguard relevant data and information collected and produced during the issuers activities. The proposal also introduces an obligation for testing to make sure applicable safety parameters are assured. The proposal also obliges the market players to give information on the underlying technology including DLT protocols and technical standards used, consensus algorithm, where applicable as well as information on the audit outcome of the technology used (if any).

The EBA, in close cooperation with ESMA, is empowered to develop draft regulatory technical standards specifying the minimum content of the governance arrangements on the monitoring tools, the internal control mechanism, the business continuity plans as well as the audits.

(2) Proposal for a regulation on digital operational resilience for the financial sector

Recital 44 of the proposed Regulation captures the main essence behind this proposal:

“In order to achieve robust digital operational resilience, and in line with international standards (e.g. the G7 Fundamental Elements for Threat-Led Penetration Testing, financial entities should regularly test their ICT systems and staff with regard to the effectiveness of their preventive, detection, response and recovery capabilities, to uncover and address potential ICT vulnerabilities. To respond to differences across and within the financial subsectors regarding the financial entities’ cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from an assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing (e.g. TLPT for those financial entities mature enough from an ICT perspective to be capable of carrying out such tests). Digital operational resilience testing should thus be more demanding for significant financial entities (such as large credit institutions, stock exchanges, central securities depositories, central counterparties, etc.). At the same time, digital operational resilience testing should also be more relevant for some subsectors playing a core systemic role (e.g. payments, banking, clearing and settlement), and less relevant for other subsectors (e.g. asset managers, credit rating agencies, etc.). Cross-border financial entities exercising their freedom of establishment or provision of services within the Union should comply with a single set of advanced testing requirements (e.g. TLPT) in their home Member State, and that test should include the ICT infrastructures in all jurisdictions where the cross-border group operates within the Union, thus allowing cross-border groups to incur testing costs in one jurisdiction only”

This proposal introduces obligations on digital operational resilience testing, maintaining and documenting an ICT risk management framework, with digital operational resiliency testing and audits on a regular basis by ICT auditors possessing enough knowledge, skills and expertise in ICT risk. It’s interesting to note that the proposal also allows for a proportionate application of digital operational resilience testing requirements depending on the size, business and risk profiles of financial entities. Whilst all entities should perform a testing of ICT tools and systems, only those identified by competent authorities (based on criteria in this regulation and further developed by the European Supervisory Authorities (ESA) should perform advanced testing of ICT tools, systems and processes based on threat led penetration testing. In this instance the proposal also aims to introduce ad hoc requirements for the testers conducting these tests.

The regulation as intimated earlier, seeks to promote convergence on supervisory approaches to the ICT-third-party risk in the financial sector by subjecting critical ICT third-party service providers for the first time to direct oversight. The ESA designated as lead overseer for each such critical ICT third-party service provider will have new powers to ensure that technology services providers fulfilling a critical role to the functioning of the financial sector are adequately monitored on a Pan-European scale.

The lead overseer under the proposed regulation, will enjoy wide powers, including to compel information to be shared by ICT providers, to conduct investigations including on-site inspections, and to make recommendations to providers on a broad range of issues, including potentially to call on providers to “refrain from entering into a further subcontracting arrangement” in certain circumstances. Providers that fail to comply with the lead overseer could face fines totalling hundreds of millions of euros in some cases: daily penalty payments are provided for under the proposed new regulation at the rate of “1% of the average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year” and those penalties could be levied repeatedly to account for each day of non-compliance for up to a total period of six months.

(3) Proposal for a regulation on a pilot regime for market infrastructures based on distributed ledger technology. This proposal lays down requirements on multilateral trading facilities and securities settlement systems using DLT market infrastructures.

This proposal has four general and related objectives. The first objective is one of legal certainty, the second objective is to support innovation, the third objective is to instill consumer and investor protection and market integrity, the fourth is to ensure financial stability.

Even here, the proposal puts strong emphasis on the fact that a DLT market infrastructure should have specific and robust IT and cyber arrangements related to the use of DLT, ensuring the continued reliability, continuity and security of the services provided, including the reliability of smart contracts that are potentially used. DLT market infrastructures should also ensure the integrity, security, confidentiality, availability and accessibility of data stored on the DLT. The proposal also speaks about the possibility to enforce IT audits to ensure that the overall IT and cyber arrangements are fit for purpose.

(4) The Proposal for a Directive on a temporary exemption for multilateral trading facilities and to amend several Directives of the European Parliament and of the Council

It’s interesting to note that yet again, under this proposal aside from the emphasis to have in  place effective systems, procedures and arrangements, including requiring members or participants to carry out appropriate testing of algorithms and providing environments to facilitate such testing in accordance with the requirements laid down under DORA, the proposal also obliges member states to make sure that these are fully tested to ensure such conditions are met and are subject to effective business continuity arrangements to ensure continuity of its services if there is any failure of its trading systems.

Concluding remarks

The package offers some insightful as well as innovative outcomes. It is interesting to note the reinforced shift/converged focus now on monitoring and regulating the technology as well as the innovative proposal to regulate directly providers of the technology distinctly from the financial services operators. The emphasis on the technology side as well as the regulation of these providers, including SaaS providers and cloud providers has been on the table for some time now. Users as well as the industry needs to make sure that the technology underpinning and enabling the services they consume is safe and reliable. To this end these measures could potentially accelerate the digitalisation of financial services and fintech, infusing the required element of trust on the technology layer.

My main initial concerns/ open questions for the time being are whether:

  1. Financial Services Authorities are equipped to monitor and regulate technology providers.
  2. Should this function be reserved to other Authorities who are more knowledgeable or already active in the technology field?
  3. Is this enough? Should there be more direct mention and obligation on a harmonised approach for technology assurance, auditing and certification, particularly in critical instances?
  4. Authorities will make sure that these measures are implemented proportionately on the technology providers so they do not stifle innovation and  there is no unfair regulatory burden for technology providers who provide similar services in other regulated industries but have never experienced regulation directly.
  5. There a risk of regulatory overlap when regulating the providers.

Ian Gauci is the Managing partner at GTG Advocates, Afilexion Alliance & Caledo Group. He lectures on Legal Futures and Technology at the University of Malta.

This publication is provided for your convenience and does not constitute legal advice.

This publication is protected by copyright © 2020 GTG Advocates.