The systemic risk designation dance

Your friendly neighbourhood regulators are having a bit of a moment, post-pandemic. The current fixation on bolstering the industry’s operational resilience has led them down a path and to the realisation that there are a lot of services out there that if taken out, could have a big impact on the markets. Market infrastructures have long been designated as “systemically important”—well, as long as the category has existed, that is—but what of the slew of other third-party services that are heavily used by everyone from hedge funds to investment banks?

The European Securities and Markets Authority (ESMA) has just published its latest report in conjunction with its fellow European-level regulators to update the regulatory and supervisory framework for what it calls the “digital age”. The report spends a lot of time reviewing how current and upcoming regulations have been designed with reducing systemic risk in mind.

The Digital Operational Resilience Act (also known as DORA the operational risk explorer) is one such piece of incoming regulation that is focused on improving the resilience of the industry by increasing transparency around cybersecurity and introducing new requirements to that end. ESMA and co note in the report, however, that their recent digital finance outreach has highlighted a lot of other areas that are poorly covered by the current regulatory setup.

One such area is third party, centralised post-trade services within the realm of derivatives. In the report, ESMA indicates that it feels services including (but, importantly, not limited to) “affirmation, confirmation, compression, margin optimisation, margin call management etc.” have grown in influence and scope to such an extent that they may pose a systemic risk. The report highlights TriOptima as a key example of a provider that is a “dominant provider within a segment,” namely its compression services.

The main criteria ESMA is considering for designation under this bracket appears to be firms that aren’t currently regulated for “risk reduction services” and aren’t currently captured by standard outsourcing rule requirements. Now, risk reduction services is a very broad area and the list of post-trade services isn’t as yet definitive, but this could capture a lot of different vendor managed services, especially if the scope expands beyond derivatives markets.

Vendor consolidation has been rife over the last few decades and there are numerous areas that feature only a small group of providers, with one dominant over the others. For certain, the services being offered by Osttra will be under review, likewise those of other megavendors operating in the space. But will ESMA extend its view even further? What about those “utilities” that have been set up since the last financial crisis?

How will being designated as systemically important impact these vendors’ day-to-day operations? More oversight is a given, but will they need to go multicloud? Will they need to increase their investment in business continuity further? Will they have to review and alter their client and service level agreements? There are a lot of questions to be answered, but expect this to be a big topic in 2022.