José Manuel Campa [pictured], chair of the European Banking Authority, discussed the increased dependence of EU financial firms on third-party ICT providers in a recent speech – and set out a roadmap for how regulators will mitigate the resulting increase in risk to digital resilience.
He outlined how the European Supervisory Authorities (ESAs), the EU financial regulators made up of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), will identify and monitor third-party ICT providers that are critical to the EU financial system.
The ESAs will begin by collecting data on the use of third-party ICT providers from EU financial institutions, before determining which of these providers should be considered critically important. This exercise will be done annually and the list of critical third-party ICT providers will be updated accordingly.
Each critical provider will be monitored by the ESAs, which will assess the controls the providers have put in place to mitigate the risks to EU financial firms. Recommendations will be made to address any issues identified.
Campa also described penalties for those third-party ICT providers who don’t make sufficient efforts to mitigate the risks: “Action may also be taken via the supervised financial entities that receive services from that provider, requesting reports on the way in which the service is provided, or ultimately the identification of alternative providers.”
He also set these regulatory efforts in context by outlining the recent digital shift in EU financial firms: about half of EU banks report that a majority of their customers use digital channels for daily banking activities, and more than 70% of EU banks have incorporated AI in some capacity.
The EU’s financial entities have developed strong dependencies on third-party ICT providers, with 65% of EU banks forming partnerships with Big Tech firms. Campa suggested that this heavy reliance on a limited number of third-party ICT providers poses concentration risks in the event of a service disruption or failure.
[Image Source: European Banking Authority]