First of two parts
IN BRIEF:
• Technology dependence in the financial sector is increasing the number of potential failure points due to connections with unregulated third parties.
• Financial institutions must proactively enhance their operational resilience and risk management practices.
• Firms should leverage innovative technologies to improve their ESG reporting processes and enhance their oversight and understanding of risks within less transparent markets, networks and ecosystems.
The financial sector’s dependence on technology is increasing the number of potential failure points due to connections with unregulated third parties. These vulnerabilities can be exploited by malicious actors, or as demonstrated by a significant IT outage in July 2024, can arise even from non-malicious causes.
This article explores in more detail how to build resilience against vulnerabilities and external threats, based on the 2025 EY Global Financial Services Regulatory Outlook. It is the last article in a series that discusses the salient concerns of the banking and financial industry in 2025 and into the future.
OPERATIONAL RESILIENCE
Recent incidents, such as ongoing conflicts, natural disasters, and a global IT failure, have heightened regulator attention on firms’ capacity to withstand significant operational disruptions. With various jurisdictions implementing new standards aimed at enhancing firms’ operational risk management, financial institutions must understand their end-to-end service delivery process and identify how it could be interrupted.
Regulators are particularly concerned about additional risks posed by the financial sector’s increasing dependence on third-party technology providers, including vendor and cyber risks. Their scrutiny has intensified since the disruption in July 2024. Although the effects were swiftly managed, this event sparked renewed interest in forthcoming regulations aimed at addressing risks that arise outside the regulated environment.
For example, the Basel Committee previously issued a consultative document proposing principles for the sound management of third-party risk, a set of unified standards that advocate for a more stringent approach to address banks’ increasing reliance on third-party service providers amidst the ongoing digital transformation of banks and rapid growth in financial technology. The proposal seeks to establish a common baseline for banks and supervisors for the risk management of third-party arrangements while simultaneously allowing the required flexibility to consider evolving practices and regulatory frameworks across jurisdictions.
In Europe, both UK and EU regulators are expanding their oversight to encompass the provision of essential services to the financial sector, aiming to lessen the potential impact of disruptions or failures by third-party service providers on financial stability and implementing measures to enhance cyber resilience. Financial institutions governed by the Digital Operational Resilience Act (DORA) must ensure they can prevent, withstand, and recover from significant information and communication technology (ICT)-related disruptions.
DORA’s objective is to reduce the risks associated with digital transformation through uniform rules on operational resilience. It aims to mitigate risks posed by growing vulnerabilities due to the increasing interconnectivity of the financial sector, address the shift in risk profile because of the increase in financial services digital adoption, and address the third-party reliance underpinning the stability of the financial sector. It casts a wide net, covering traditional institutions such as credit and payment firms and insurers, electronic money institutions, and crypto-asset providers and issuers. Financial information managers, data information service providers, credit rating agencies and critical ICT third-party providers — specifically digital and data service providers, software, data analytics services, and data centers — are also in scope under DORA. Further, new cyber regulations took effect in the EU in October 2024 in the form of the Network and Information Security (NIS2) Directive, a unified legal framework to promote cybersecurity in 18 critical sectors.
In the UK, the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) have finalized their rules and supervisory expectations for the critical third-party (CTP) regime. This regime, which will apply to third parties designated as CTPs by the Treasury, will manage financial stability risks stemming from a limited number of technology providers that serve multiple financial institutions. The Treasury is the British government’s economic and finance ministry responsible for managing public spending, setting economic policy, and ensuring the sustainability of British finances.
According to the 2024 EY Global Risk Management Survey, risk management organizations continue to prioritize operational resilience, with Chief Risk Officers (CROs) expecting it to be the second most significant issue behind only cybersecurity. As much as 53% of CRO respondents from the Asia-Pacific region consider operational resilience to be a notably bigger concern. Board and management focus is now driving the prioritization of operational resilience in all areas of the business — data, third party, cyber, critical business services framework/business continuity, technology/disaster recovery, testing, measurement and monitoring, crisis and incident management, and workforce. The exception is governance and oversight, which is primarily driven by regulatory and supervisory focus.
The Bangko Sentral ng Pilipinas (BSP) also issued Circular No. 1203 Guidelines on Operational Resilience, which aim to promote and strengthen the ability of BSP-supervised financial institutions to manage and mitigate the impact of disruptions, particularly on their critical operations. The guidelines require covered institutions to integrate operational resilience with existing governance and related risk management processes and already consider similar principles from the Basel Committee.
Financial institutions should revisit business continuity arrangements to prepare for intensifying supervisory scrutiny, ensuring that organizations are ready to demonstrate their resilience in the face of disruptions. Regulators expect the incorporation of technology disruption scenarios in stress testing exercises. By anticipating these scenarios, organizations can better understand their vulnerabilities and strengthen their response strategies. Firms should conduct a thorough assessment of risks within their end-to-end service delivery processes, identifying potential exposures from third-party providers.
The second part of this article will discuss the growing emphasis on nature-related risks and the need for firms to understand these implications for their business strategies, while also addressing the rise of non-bank financial institutions (NBFIs) and the associated regulatory challenges.
This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of SGV & Co.
Christian G. Lauron is the financial services organization (FSO) leader of SGV & Co.