Banks to feel the heat as watchdogs step up digital resilience oversight

New York City, one of the world's main banking hubs

The financial services sector should expect increased and more intense scrutiny of firms' digital resilience this year.

Regulators and watchdogs in Europe, the UK, the U.S. and elsewhere are likely to focus on contagion risks from dependencies on critical third parties, including technology providers, especially as AI adoption accelerates.

Contagion risks from non-bank financial institutions will also remain a focus. At least, that is according to a forecast by professional services giant Ernst & Young.

In a new report that was shared with QA Financial, Christopher Woolard, a partner in EY's financial services consulting practice, writes that banks and financial services firms face a fragmenting global landscape in 2025, which will bring intensifying scrutiny of firms' plans for managing disruptive events.

Christopher Woolard

“Geopolitical changes are leading to a fragmented regulatory landscape, increasing costs and complexity for international firms,” he wrote.

Woolard stressed that a growing number of regulators are concerned about firms' resilience, third-party IT dependencies, and exposure to risks from non-bank financial institutions.

“Firms will face pressure to ensure good consumer outcomes, remediate weaknesses quickly, and demonstrate strong governance and risk management,” the London-based industry insider shared.

“The ground beneath the feet of banks and financial services firms is always shifting. However, the past year has seen a convergence of risk factors that together make the outlook for 2025 particularly uncertain,” he anticipated.

Scrutiny

Woolard, who is also EY's regulatory lead and the firm's UK FS consulting markets leader, expects resilience to remain a priority this year for many regulators and watchdogs around the world.

In particular, the industry should expect increased scrutiny of third-party and non-bank risk exposures.

Among the external threats facing financial firms, he thinks regulators will focus on two areas in 2025.

The first is third-party and non-financial risk.

“The CrowdStrike outage in 2024, a major cybersecurity incident involving one of the leading providers of endpoint security solutions, brought the operational risks that firms face because of their technology dependencies into much sharper focus,” Woolard explained.

“This is especially the case where many firms depend on the same small group of providers,” he added.

The second is non-bank financial institutions, which now account for almost half the assets in the global financial system.

“Regulators are concerned that concentrations of risk in these firms, some of which offer ‘bank-like’ products and services, could spill over into the regulated sector and destabilise systemically important institutions,” Woolard noted.

External threats

Woolard and his team see regulators becoming increasingly concerned about the financial sector's resilience against vulnerabilities and external threats, often linked to firms' relationships with customers or suppliers.

“The financial sector’s technology dependency is creating more potential points of failure via firms’ relationships with unregulated third parties,” they stated in their report. 

“These weaknesses can be exploited by bad actors or, as a major IT outage in July 2024 showed, can materialise for non-sinister reasons,” they added. 

In addition, the share of financial services offered by firms that are partially or entirely unregulated continues to grow.

Regulators are concerned about the potential stability risks non-bank financial institutions pose to systemically important institutions, Woolard pointed out.

“Their response is usually to require regulated firms to address the risks introduced through their relationships with third parties, rather than seeking to regulate third parties directly.”


Heightened geopolitical tensions are resulting in more sanctions and asset freezes as governments move to block their adversaries’ access to the financial system, he stressed. 

Several jurisdictions are updating their financial frameworks, leading to higher standards and regulatory expectations and drawing in new categories of firms, such as cryptoasset service providers. 

Moreover, recent events, including ongoing conflicts, natural disasters and a global IT failure, have reinforced regulators’ focus on firms’ ability to withstand major operational disruptions, Woolard continued.

As a result, several jurisdictions have introduced new standards designed to strengthen firms’ management of operational risk.

“Firms need to understand their end-to-end process for delivering services and how that could be disrupted … regulators are especially focused on the additional risks introduced through the financial sector’s growing reliance on third-party technology companies, such as vendor and cyber risk,” Woolard wrote.

Their focus has sharpened since the CrowdStrike saga in July 2024. 

“Although the impact was overcome relatively quickly, this incident renewed interest in upcoming regulation designed to address risks that originate outside the regulated ecosystem,” he added.

UK and Europe

In Europe, regulators in both the UK and the EU are extending their oversight to the supply of critical services to the financial sector, to mitigate the impact that the disruption or failure of a third-party service provider could have on financial stability, and are adopting measures to boost cyber resilience.

Financial institutions subject to the new Digital Operational Resilience Act (DORA), which comes into force tomorrow, must be able to prevent, withstand and recover from major ICT-related disruptions.

As well as establishing standards for financial institutions to follow, DORA provides a framework for overseeing critical ICT third-party providers, Woolard pointed out. New cyber resilience rules came into effect in October 2024.

In the UK, the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) are due to finalise their rules and supervisory expectations for the critical third parties (CTP) regime, as reported by QA Financial recently.

“The regime, which will apply to third parties that are designated as CTPs by HM Treasury, is designed to manage financial stability risks caused by a small number of technology providers that serve multiple financial institutions,” Woolard explained.

Malicious actors

Finally, Woolard pointed out in his report that authorities worldwide are refining their regimes to protect the financial system against abuse by malicious actors. 

In response to greater geopolitical tensions and technological advancement, they are addressing gaps and targeting higher-risk actors and activities, particularly the use of cryptoassets and alternative payment providers to evade sanctions.

For example, the Australian government has introduced a bill to update and expand its anti-money laundering and counter-terrorist financing (AML/CTF) regime to cover additional high-risk services, including digital currencies and virtual asset providers.

Meanwhile, the EU has recently introduced an enhanced AML regime, including the establishment of a new authority with direct supervisory responsibility for the riskiest financial institutions.

“This change is expected to significantly increase scrutiny of firms operating across the EU,” Woolard noted.

He thinks it is vital that banks and other financial services firms increase their investment in data analytics and aggregation capabilities to support the identification and monitoring of material exposures and concentrations.
