The Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have published a shared policy summary and co-ordinated consultation papers on new requirements to strengthen Operational Resilience in the financial services sector.
Speaking at the TISA Operational Resilience Forum shortly after publication, Megan Butler, Executive Director of Supervision at the FCA, stressed the importance of a combined industry response and focus on the continuity of supply of services, even in the event of severe operational disruption. She noted that the proposed regime will apply to the firms and market participants that have the potential to do the most harm – banks, firms subject to Solvency II, recognised investment exchanges and firms subject to payments services regulations.
In some instances, building Operational Resilience will require cultural change. The regulators have made it clear that they are looking for resilient outcomes, not merely compliance with minimum requirements.
The package published comprised the following documents:
The consultation period is open until 3rd April 2020, with final policy statements expected during the second half of 2020.
1. Affirmation of core Discussion Paper (DP) principles: a resilient financial system is in the public interest, and firms and financial market infrastructures (FMIs) are expected to:
- Take ownership of their operational resilience and prioritise plans and investment choices accordingly.
- Identify important business services that if disrupted could cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system.
- Set impact tolerances for each important business service, which quantify the maximum level of disruption they would tolerate. Risk appetite and impact tolerance are not the same thing.
- Identify and document the people, processes, technology, facilities and information that support their important business services.
- Ensure that they can remain within their impact tolerances through a range of severe but plausible disruption scenarios.
2. Further evidence of the positive collaboration between regulator and industry:
- Positive responses to the DP showed strong support for the proposed approach but also demand for more detail on how proposals would work in practice.
- Broader package than expected – extends to central counterparties, central securities depositories, payment system operators and outsourcing arrangements.
3. Clear evidence of positive and constructive global regulatory collaboration:
- Co-ordinated consultation papers reinforce the shared supervisory priorities.
- Draft Supervisory Statement implements EBA Guidelines on Outsourcing Arrangements and takes into account EIOPA Guidelines on Outsourcing to the Cloud, EBA Guidelines on ICT SREP and operational resilience requirements in EU regulations on market infrastructure (EMIR) and central securities depositories (CSDR).
4. Helpful sector specific guidance, for example:
- Further guidance on the type of business services that boards and senior management could classify as “important”.
- Further guidance on enhanced supervisory scrutiny and engagement on impact tolerances and testing of these.
- Paper on payments and payments providers, incorporating business continuity and payments risk. Draft code of practice builds in Operational Resilience elements.
5. Deeper focus on emerging technology, cloud and third parties:
- In support of the policy proposals on Operational Resilience, the PRA has published a CP and draft Supervisory Statement on Outsourcing and third party risk management.
- As set out in its response to the Future of Finance report the Bank of England’s aim is to embrace forward-looking technology in a resilient way.
6. Elaboration on core elements of the DP (Service, Impact, Tolerance, Organisation):
- Important business services: this now extends further into the supply chain with the proposal that all resources required to deliver important business services are resilient.
- Extended definition of impact tolerance: where relevant, firms and FMIs may decide that impact tolerances can also include other metrics such as volumes and values (in addition to the specific outcomes and metrics set out in the DP).
- Actions to achieve Operational Resilience: the DP did not detail the actions firms and FMIs would be expected to take after identifying vulnerabilities in their operational resilience. Firms and FMIs will now be expected to ensure they are able to remain within impact tolerances. This means that where weaknesses in operational resilience are identified, firms and FMIs will be expected to act, for example, by replacing outdated or weak infrastructure, increasing system capacity, achieving full fail-over capability, addressing key person dependencies, and being able to communicate with all affected parties.
- Expectations for testing: the DP stated that firms and FMIs could test themselves against their own severe but plausible operational scenarios to identify and address vulnerabilities. The supervisory authorities have now set out more detailed expectations for scenario testing and how it should be conducted and reviewed.
- Link to other policies: the supervisory authorities have drawn together existing policy material which is relevant for the resilience of firms and FMIs as promised in the DP and have also clarified that firms and FMIs should consider how other policies such as operational risk management and business continuity planning support the delivery of important business services.
Considerations for clients
- Technology and innovation are fundamentally changing the financial services industry.
- Looking at resilience comprehensively will help firms to avoid pitfalls, protect their customers and build a more resilient industry.
- Having a clear end to end understanding of key business activities and their associated risks makes it easier to focus investment on the services that matter most to the business and its customers.
While firms have another four months to feed back to the regulators on the consultation papers, the direction of travel is clear: regulation is coming to ensure that enterprise-wide resilience is treated as a board-level priority. For firms that needed an impetus to act on operational resilience, these publications should be just that.
We view this package from the regulators as a positive step and one which should provide firms with a solid foundation to assess their status quo and actively plan the next steps in their operational resilience journey.