
3.1 Introduction

While the primary focus of any regulator, and indeed many scholars of regulation, is on the relationship between regulators and those they regulate, it is a long time since either group thought that regulated firms were the only other actors in a regulatory system and therefore that the regulator–regulatee relationship is the only one which matters. In the late 1990s, scholars were talking about the ‘regulatory space’ and of the role of multiple actors in a regulatory system, including self-regulators or hybrid forms of public/private regulation. With the growth of the EU as a regulatory actor, multilevel governance systems came more prominently into focus. The challenges of managing issues which cross jurisdictional boundaries brought the question of international regulatory cooperation to the fore in the early 2000s, enhanced by the global financial crisis. The role of private actors in constituting and collaborating in regulatory regimes has attracted the attention of scholars of sociology, law, international political economy, and international relations who share an interest in the dynamics of transnational regulatory systems and various forms of international regulatory engagement or disengagement (Baldwin et al. 2012 for review).

So we know that regulation involves multiple actors interacting at multiple levels in multiple ways. This paper focuses on the role of intermediaries within a state-based regulatory regime. The first part asks five questions, answering in generic terms: who are they, what do they do, how are they enrolled or otherwise engaged in the regulatory system, what the implications may be for regulators in terms of the dependencies that arise due to the roles being performed by such intermediaries, and in turn for the resilience of the regulatory system. The second part looks at some specific examples from financial services regulation, particularly in the UK.

The discussion which follows is based on a polycentric conception or model of a regulatory system (Black 2001, 2008). In short, regulation, or regulatory governance, is understood here as a series of intentional, sustained, and focused attempts to influence the behaviour of others in order to pursue a collective purpose, using a range of techniques which often, but not always, include a combination of rules or norms and some means for their implementation and enforcement (Black 2001; Koop and Lodge 2017). Regulation can focus on any area of social or natural activity, from how wars are conducted to how buildings are constructed. Regulation may involve a high degree of state involvement, or none at all, or involve both state and non-state actors in various ways, each of whom may use legal and/or non-legal norms. Thus, regulation is a mode of governance not just of government, and the terms ‘regulatory system’ and ‘regulatory governance system’ will be used interchangeably.

Regulation is an activity which can be performed by a range of individuals and organisations. Those participating in that common regulatory project may be sufficiently interrelated to form a system, regime, or network which has some continuity over time, the boundaries of which are delineated by the definition of the project which they are engaged in pursuing. Regulatory systems can range in their polycentricity, i.e., in the degree of dispersal and fragmentation of actors in the system (regulators, regulatees, intermediaries, etc.), in their degree of internal coherence and connectivity, and in the extent to which they are clearly delineated. Importantly, both state-based and non-state-based systems are polycentric to varying degrees—it is not the case that ‘centric = state’, and ‘polycentric = non-state’. Regulatory systems are dynamic, continuously evolving, and through reflexive interactions and feedback loops are constantly being reconstituted, redesigned, and reformulated in the process of their performance. Further, regulatory systems are embedded in different social, cultural, technical, political, legal, economic, and market systems with which they interact, and as such are characterised by complex internal and external interactions and interdependencies both within themselves and with other regulatory systems. They also vary in their relationships with other systems, with which they may compete, coordinate, cohabit, clash, or simply ignore (Eberlein et al. 2014). Finally, in order to function effectively, all regulators, even state-based ones, have actively to create their own legitimacy and trustworthiness.

Importantly for this discussion, those participating in, and thus constituting regulatory systems (as individuals or organisations) are independent agents, each with their own normative or value frameworks. They also have different cognitive frameworks and rely on different sources of knowledge. Importantly, they also have different capacities for action, in other words different levels of financial resources, information, expertise, and organisational capability. Further, their sources of social, political, legal, and economic capital will vary, which can affect their strategic position. Relatedly, they have different degrees of power, and/or authority and legitimacy to act. All of these features can affect their interests, incentives, motivations, views, cultures, and thus behaviours, including how they interact with others, and others with them.

As noted above, the actors who are the usual focus of analysis are regulators and regulated firms, either in themselves or in the dynamics of the relationship between them. But third parties can also play significant roles in the constitution and performance of regulatory systems. So who may they be, what may they be doing, and with what implications? (Noting that the focus here is on ‘market-based’ third parties, not other state-based regulators either in the same or another jurisdiction).

3.2 Third Parties in Regulatory Systems: Some Examples

The third parties in focus are those who are in practice performing some kind of regulatory function within a regulatory system, whether or not they have been allocated that function formally. Briefly, and crudely, those functions can include any of: setting goals and agendas, formulating or interpreting norms (including norms for models or measurement, design, and other forms of techniques), monitoring activities, and providing information on them and/or gaining compliance with respect to those norms (Black 2003; Abbot et al. 2017).

There are at least five groups of third parties who may be performing at least one of those roles within a regulatory system, though whether by design or otherwise is a matter we will turn to below.

  • Auditors, assurers, accreditors, certifiers

    • These are actors who provide assurance of the existence (or otherwise) of a state of affairs, e.g., the financial state of a company, or the compliance with standards of other standard setters, including those operating transnationally (e.g., ISO standards), or the standards/rules/norms of the regulatory system itself. In financial regulation, auditors and other assurers play a particularly significant role both in the performance of their general functions, but also as we will see below, in providing assurance on particular matters at the request of regulators.

  • ‘Knowledge and compliance intermediaries’

    • Knowledge and compliance intermediaries are those who advise regulated organisations or individuals on the interpretation, implementation, and compliance with regulatory requirements, such as advisors, consultants, lawyers, and so forth. They may be advising on the interpretation of rules or the design and implementation of organisational processes to ensure compliance. More recently, they may be providing technologies for compliance—the ‘reg tech’ market is one which is growing rapidly in financial services, with both regulators and firms looking to technology to facilitate compliance through means such as smart rules, smart contracting, the automation of routine reporting, and enhanced data analytics, or in other ways.

  • Gatekeepers

    • Gatekeepers possess a key resource a firm needs to access or operate in a regulated market, such as registration, accreditation, insurance, audit. Their position is usually one created by the regulatory system (e.g., requirements to have audited accounts, or to have an ISO certification) or may be created by the market (e.g., supply chains insisting on certification or accreditation).

  • Measurers and modellers

    • Measurers and modellers can be incredibly important providers of indices, models, risk assessments, and so forth which are relied on by regulators. They play a significant role in financial regulation, due to its reliance on calculative techniques as regulatory tools. Most notorious is the role played by credit rating agencies in the global financial crisis of 2008–2009. Rating agencies provide an assessment of credit risk of financial instruments, in this case securitised loans. Credit ratings are highly influential in pricing decisions within the market, but they are also ‘hard-wired’ into the financial regulatory system in a number of ways. Most particularly, in capital provisions (the amount of funds a financial institution has to set aside to cover potential losses on an asset). In many cases, regulatory capital rules require an uplift in capital if the rating of an asset goes down, and vice versa. Prior to the crisis, credit rating agencies and the calculative models they used were not regulated. The crisis revealed the dependency that financial regulatory systems around the world had on credit rating agencies, leading to their greater regulation and requirements that they publish the core elements of their models.

    • As AI and machine learning become more prevalent in financial markets, and indeed more widely in other high-hazard sectors, the transparency requirement imposed on the calculative models of ratings agencies, and indeed the regulation of calculative models more generally in financial regulation, is an interesting area to explore for examples of how AI algorithms might be regulated.

  • Market-based standard setters, e.g., insurers (again), supply chain/production networks

    • There may be other actors present in a market which set standards which regulated firms either have to adopt for business reasons or choose to adopt. Insurance is a standard example in risk and safety management: insurers will require various risk mitigations to be in place as a condition of insurance, or at least will incentivise risk mitigation through their pricing of insurance cover. As general insurance contracts tend to be written on an annual basis, this can be a dynamic mode of regulation in areas of emerging technology or rapidly changing risks, notably cyber-risk, and natural catastrophe insurance related to climate change. However, it’s worth noting that who is a third party in one regime may be a regulated firm in another—so for financial regulators, insurers are both third parties (in, e.g., providing cyber insurance to banks) but also directly regulated by them. So on the one hand a financial regulator may want banks to be well covered for cyber-risk, but on the other will be closely watching the terms of the cover which insurers are writing to ensure that they are sufficiently well capitalised to withstand system-wide claims.

3.3 How May Third Parties Be Enrolled in Regulatory Systems?

Third parties may be enrolled by design, or as a consequence of market practices. Further, their enrolment may be ‘one off’ or unique to a particular firm, or it may be pervasive.

Third parties may be actively enrolled by regulators to perform specific functions on a ‘task and finish’ basis. In UK financial services regulation, the legislation provides the ability for regulators to require firms to appoint a third party to perform an investigation or provide assurance; the terms of the task are set by the regulator, but the firm has to pay the costs of the third party. Termed ‘Section 166’ orders (the legislative provision), these are very useful ways for regulators to conduct ‘deep dives’ into an area of a firm’s activity as a prelude to potentially taking supervisory action, and/or as a means of providing assurance that various compliance activities have taken place. They may be highly technical, for example focusing on a particular aspect of firms’ capital models, or be more focused on cross-cutting organisational matters such as risk management and governance. They are not cost-free for the regulator, who still has to engage with and follow up on the reports, but they are a very effective way for a regulator to bring in specialist skills, or expand its capacity in an existing skill for particular projects without having to carry those staff overheads on a permanent basis.

Alternatively, they may be (or become) actively enrolled into the regulatory system in a way which pervades the system. As discussed above, the incorporation of indices, measurements, assessments, models, or evaluations made by third parties into regulatory rules can be by design, as in the case of credit rating agencies. Other examples are requirements to have third-party accreditation, such as with ISO standards, or to have insurance. Such enrolment can have unintended consequences and indeed cut across the aims of the regulatory system itself. A current UK example comes from legal services regulation. In an attempt to liberalise the market for legal services in England and Wales, the regulator allowed those holding the professional title of solicitor to operate through different business models. However, anecdotally, insurance companies who provide the professional indemnity insurance (which legal services regulators require solicitors to have) are unwilling to grant insurance to those using these newly allowed business models. What the regulator gives, a third party takes away.

Third parties can also be relevant actors in the regulatory system through the outsourcing practices of regulated firms, or through regulatees’ reliance on them as knowledge and compliance intermediaries, or because they are model providers, producing models on which firms (and regulatory systems) rely. Examples in financial services include reinsurance providers and rating agencies. Many financial institutions produce their models in house, but there are important third-party market providers, particularly for new or emerging risks. Newly emerging model markets are in AI and modelling of the financial impacts of climate risks. The role of such third-party providers may be fairly ad hoc, but certain providers may pervade the market, and thus the regulatory system. Such pervasiveness, or systemic presence, may arise from the nature of the markets in which firms are operating (including requirements of other regulators with respect to that market).

The systemic presence of particular third-party actors may also arise from concentration effects produced by the aggregated impact of firms’ individual outsourcing decisions, which in turn can be exacerbated by concentrated market structure, i.e., a small range of providers. A very live example is cloud services providers. The market is highly concentrated at present, with just three main providers, and they are hosting an increasing amount of both services for financial institutions and critical infrastructure for financial markets, as well as critical infrastructure for operators in other regulatory domains including energy systems and intelligence. Where there is significant reliance on a relatively small set of unregulated third parties who are providing models (or indeed physical as well as intangible infrastructure) at significant levels, such as cloud providers, they may themselves be a source of endogenous systemic risk—but one which regulators may not have powers to manage (note the draft EU Digital Operational Resilience Act is intended in part to address this risk).

3.4 Third Parties in Regulatory Systems: Dependencies and Resilience

As noted above, the activities of third parties in regulatory systems can produce unintended consequences. This should come as no surprise—each will have their own capacity and motivations/incentives, and their goals and motivations may not be aligned with those of the regulatory system. Their authority and legitimacy to perform different regulatory functions will also vary, though that point cannot be developed here.

One of the consequences can be that the regulatory system ends up dependent on the activities of various third parties. As discussed above, such dependency may arise either by design, or through the operations of regulatees. But even if incorporated by design, as were the ratings for credit rating agencies prior to the 2008 crisis, or index providers such as LIBOR, regulators can fall into the trap of assuming that the third parties producing such ratings, indices, assurance, etc., are doing so in a neutral, objective, expert manner—i.e., in a way which means that they can be relied upon. As the crisis showed (and as endless auditing failures have also demonstrated, most recently Wirecard), such an assumption can be baseless, or at least flawed.

It is critical that regulators identify: where there are dependencies on third parties; who those third parties are; the nature and extent of the dependencies; and the risks associated with them. That involves looking at the capacities and motivations of the third parties, and asking how they are likely to change over time. Regulators also need to ask: are those third parties themselves regulated? In which case, issues of interactions between regulatory systems are likely to arise.

Mitigating the risks of dependencies, enhancing the resilience of reliance (1)

Where the third party is not regulated at all by any regulator for its main business functions, the regulator may need to consider a range of strategies to try to influence them. These may include:

  • Indirect regulation by regulating the contracts that regulated firms enter into with the third party (e.g., ‘you must ensure that the service provider does the following’).

  • Informal engagement with the third parties to try to understand, and even to influence, their behaviours. Regulators could include them in simulation exercises for handling of disasters/adverse events, for example, if they are willing.

  • Seeking powers for direct regulation—transforming third parties into regulatees. Ultimately, if the risk of the third party staying outside the regulatory perimeter is deemed too great, the regulator could engage with legislators to seek some form of regulatory control over them—though it can be challenging to get political buy-in, and if they do agree, then the additional responsibilities can pose capacity issues for regulators.

Where the third party is regulated by another regulator, issues of inter-regulatory system dynamics arise. In such cases, in addition to the strategies outlined above for non-regulated third parties, the regulator may need to consider how to engage with the third party’s regulator. However, such engagement can be inhibited by the lack of a forum or mechanism to enable engagement, including legal barriers to information sharing. Other, wider challenges of inter-regulator engagement may also come into play, notably potentially conflicting goals, priorities, and logics. A relevant example from financial services is the competing approach to loss accounting taken by accounting standard setters, the International Accounting Standards Board (IASB), and the aims of prudential supervisors to avoid pro-cyclicality. This issue is quite technical, but in essence IASB standards (post-2008 crisis) require firms to book losses in advance of them crystallising, which means that firms’ financial positions are worse from an accounting point of view in a downturn. The interlinkage of financial statements and capital standards means that this drives capital requirements up in a downturn, which is the point when, from a macro-economic point of view, regulators want those requirements to be (moderately) reduced to enable banks to be able to continue to provide finance into the economy and mitigate the downturn, facilitating financial stability in the long run. An emerging tension is also appearing with respect to the regulation of cloud service providers. They are currently unregulated, but competition regulators are looking at them closely. However, the logic of competition, which is to drive efficiency, can be at odds with that of resilience, which not only tolerates redundancies but actively requires them. So, while competition regulators may be concerned that the market for cloud services is competitive and not be overly concerned about resilience, financial regulators whose mandate is to protect the safety and soundness of financial systems will be much more concerned about financial and operational resilience. Clearly, the challenges are only enhanced when such inter-regulatory dynamics have to occur across national jurisdictional boundaries.

3.5 Summary

So in sum: Regulatory systems can include a variety of third-party intermediaries, performing a variety of roles, with variable capacities, motivations, strategic position, and authority. Third parties may be deliberately ‘enrolled’ in the regulatory system, or they may be ‘enrolled’ de facto, due to the business model/activities/markets of the regulated firms. Such third parties can be a benefit to the regulator, expanding its capacity. But as well as introducing unintended consequences, they can also introduce key dependencies, with associated risks to which the regulator needs to be alert, and which it needs to mitigate where possible through a range of formal and informal strategies.