Global authorities and regulators are increasingly assessing the risks posed by these critical third parties (CTPs), including Cloud Service Providers (CSPs), and the potential impact on financial stability. At the core of authorities’ concerns is the possibility that a concentration of services in a small number of TPPs may mean that a failure or disruption, whether technical, commercial, or legal, at one or more of those providers could impact the provision of financial services so severely that it leads to a financial stability event. While the major CSPs are the main use case for this concern, authorities are also considering other IT TPPs, which, while less prominent, could represent a single point of failure. This GFMA paper outlines our set of proposed principles on how best to address these risks and seeks to proactively engage with regulators and standard setters on this important topic.
Regulators are increasingly concerned about the potential for destructive data events, such as a ransomware attack on a financial institution. Data vaulting is coming to be seen as a potential solution that will improve firms’ cyber incident response and recovery capabilities. However, data vaulting has technical limitations which may hinder its ability to provide firms with the capabilities needed to meet regulatory expectations for restoration. ASIFMA is proposing principles that regulators should consider before prescribing data vaults. We suggest that authorities should focus on expected outcomes following a destructive data loss event and avoid prescribing solutions for data recovery which may limit financial institutions’ ability to make use of various solutions.
ASIFMA has put together an Extensive Cross-border Relationship Due Diligence Questionnaire. It includes questions from the Wolfsberg questionnaire as well as additional questions for members to comply with the new SFC XBCR requirements in the amended SFC AML/CFT Guidelines.
ASIFMA has compiled a Baseline Cross-border Relationship Due Diligence Questionnaire. This baseline Cross-border Relationship Due Diligence Questionnaire is useful as industry guidance for members to comply with the new XBCR requirements in the amended SFC AML/CFT Guidelines, and it has been shared with the SFC for reference.