The mega-regulator expands the perimeter – Newspaper Kommersant No. 228 (7429) of 12/08/2022

In the recently published report for public consultations “Risk Management of Outsourcing in the Financial Market”, the Central Bank revealed a whole layer of areas that are directly or indirectly related to the work of financial organizations, but are not the responsibility of the regulator. “A significant part of the issues related to outsourcing risk management is outside the regulation perimeter,” writes the Bank of Russia.

First of all, the mega-regulator intends to pay attention to the direction of IT and information security. It must be admitted that the Central Bank has certain prerequisites for such a step. Firstly, the geopolitical situation is such that it is necessary to carefully look to companies from which country (friendly or not) banks transfer the ability to control the flow of information about their finances and the finances of their clients. Secondly, in recent years, many financial organizations that have not even fallen under sanctions have begun to transfer IT tasks for outsourcing. Including in order to establish a parallel import of equipment and software, which has become more difficult to obtain through official banking channels.

Often, information technology work is outsourced to either affiliates or even subsidiaries, which, according to the report, include more than half of the providers of such services. Another common pattern, accounting for more than a quarter of outsourced projects, is either a single or a very limited number of providers. At the same time, as shown by the departure of a number of large foreign players in this market from Russia, there are risks, and they are quite real.

According to the report, the organizations supervised by the Central Bank will retain (as they currently do) responsibility for the proper performance of outsourced functions and control over the provision of services by suppliers. However, now the Bank of Russia plans to determine which services cannot be outsourced. For the same services that fall into the category of permitted, providers will establish a legal status and a number of requirements that they must comply with.

Market participants who have read the report suggest that as a result of such an approach to the IT services market for financial institutions, it may be redistributed in favor of those who receive the necessary status and meet the criteria of the Central Bank. And when the regulator gets to grips with information technology, the financiers are no longer joking, it will apparently come to cleaning, car maintenance and other most amazing services.

The Bank of Russia is already called a mega-regulator, which in the direct meaning of the first part of the word means “a billion regulators”. More, according to the International System of Units, there can only be a “gigaregulator”.