The Current Global Regulatory Landscape
In January 2023, the European Union ushered in the Digital Operational Resilience Act (DORA), introducing additional requirements for financial institutions and their critical suppliers. Across the Atlantic, the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and Federal Reserve Board (FRB) issued a joint statement with revised guidance, highlighting the importance of software escrow solutions in managing outsourcing and third-party risks.
Australia’s Prudential Regulation Authority (APRA) joined the regulatory wave, publishing Prudential Standard CPS 230, set to go live on July 1, 2025. These regulations extend their reach to fourth-party suppliers, emphasising the need for enterprises to identify and maintain a list of material service providers. This aligns with the global trend in which businesses must submit this information to regulators and demonstrate the measures taken to manage the associated risks.
The Bank for International Settlements (BIS) emphasised the significance of software escrow in creating secure and resilient Central Bank Digital Currency (CBDC) structures through Project Polaris. Meanwhile, the Reserve Bank of India (RBI) introduced draft Master Directions that require the acquisition or escrow placement of critical application source code by April 2024.
Global Coordination on Third-Party Risk Management
The Financial Stability Board (FSB), a global organisation coordinating financial regulators, updated its guidance on third-party risk management (TPRM) in December. The new guidelines expand the scope to nth-party suppliers, requiring businesses to formulate Business Continuity Plans (BCPs) that address the identified risks. In the UK, the Prudential Regulation Authority (PRA) SS2/21 regulations underscore the importance of reviewing third-party dependencies and considering software escrow.
South Africa Joins the Resilience Movement
In regulatory matters, South Africa follows the lead of developed nations. The Prudential Authority and Financial Services Conduct Authority published Joint Communication 4 of 2023, outlining principles for IT governance and risk management that financial institutions and insurance providers “must comply with, in line with sound practices and processes in managing IT risk”. This Joint Standard takes effect on November 15, 2024, and requires firms to implement measures mitigating the risk of service delivery failure within 1 year in order to comply.
Looking Ahead: How to Navigate Uncharted Waters
As we navigate 2024, regulatory bodies worldwide are expected to introduce additional requirements to safeguard businesses against unforeseen disruptions.
Organisations must prioritise operational resilience and proactively mitigate third-party risk. Staying abreast of regulatory changes, assessing third-party supplier risk, and implementing robust business continuity plans, including software escrow agreements, are crucial steps for businesses to prepare for disruptions, protect critical operations, and navigate future challenges with confidence and resilience.
Positioned as a tried and tested solution, software escrow offers a straightforward and cost-effective way to comply with evolving regulatory requirements, mitigating the risks associated with supplier failure, service deterioration, and concentration risk.
In a world where businesses increasingly rely on technology, software escrow agreements emerge as the cornerstone of a resilient foundation, ensuring that critical operations can withstand disruptions effectively.