Regulators publish policy summary on building operational resilience
The Bank of England, FCA and PRA have published a policy summary and coordinated Consultation Papers (the CPs) on operational resilience in financial services.
Operational resilience broadly relates to the ability of firms and the financial sector as a whole to prevent, adapt and respond to, recover from and learn from operational disruptions, the understanding being that a lack of operational resilience poses a systemic threat to the stability of the financial services industry as a whole.
The CPs have been issued in response to a joint Discussion Paper published by the Bank of England, FCA and PRA in July 2018 aimed at starting a dialogue on achieving operational resilience within financial services.
Amongst other institutions, the CPs will be relevant to banks, building societies, PRA designated investment firms, financial market infrastructures, Solvency II firms and entities authorised or registered under the Payments Services Regulations 2017 and/or the Electronic Money Regulations 2011 (the Firms).
Although each CP is tailored to the individual policy framework and supervisory approach of the relevant regulator, the delivery of a joint policy summary and the coordinated content of the CPs illustrates the regulators’ shared interest in and desire to adopt a harmonised approach to operational resilience issues.
The key recommendations are as follows:
Identifying important business services
The policy requires Firms to identify important business services (which are defined in the CPs as services provided to external end users or participants, the disruption of which could cause intolerable harm to consumers or market participants, harm market integrity, threaten policyholder protection, safety and soundness, or financial stability) and implement operationally resilient infrastructure in relation to these.
The CPs provide guidance to Firms on the types of services that could be classified as important. For example, the FCA advises firms to consider the nature and size of the customer base likely to be affected by disruption; the time criticality for people receiving the services; and the potential reputational damage to the Firm, when considering whether a service is an important business service. However, the regulators acknowledge that this identification exercise will be a matter of judgement for boards and senior management of Firms.
Setting impact tolerances for important business services
Under the CP proposals, Firms will need to identify the maximum tolerable level of disruption to the important business services they have identified, including the maximum tolerable duration of disruption (impact tolerance). When setting these, Firms should consider how long they can operate with the relevant disruption and consider measuring this using a number of metrics (for example, measuring the extent of disruption by reference to the number of customers that experience disrupted services).
Delivering operational resilience
The CPs provide guidance to Firms on what they can do to remain within their impact tolerances in severe (or extreme in the case of financial market infrastructures) but plausible scenarios (ie, in the event of a critical failure of important business services which is reasonably likely to occur).
Firms will be expected to ensure that they are able to remain within identified impact tolerances and should also act when they identify weaknesses in operational resilience (for example, by replacing outdated or vulnerable infrastructure, addressing key person dependencies, and communicating with all affected parties).
The regulators propose that specific limitations that may prevent Firms from remaining within their impact tolerances should be identified by completing mapping and scenario testing (as set out below).
Scenario testing and mapping
Firms should use ‘scenario testing’ to stress test the identified impact tolerances of their important business services.
The CPs emphasise that Firms should have a comprehensive understanding of and undertake mapping of the systems and processes that support their business services, which should cover third parties relied upon to deliver their important business services.
In order to comply with these mapping obligations, Firms must identify and document the necessary people, processes, technology, facilities and information (referred to as resources in the CPs) required to deliver each of their important business services.
Firms should also be able to identify and articulate the specific scenarios in which they would not be able to deliver their important business services within their impact tolerances, whether the scenarios are internal or external (for example, power or network failures).
Although the regulators do not currently propose to provide set scenarios for testing, they may consider doing so at a future date.
Governance and communications
The CPs make clear that it is the responsibility of the Firm (in particular, its board and senior management) to set effective standards for operational resilience. The Firm should therefore ensure that its management bodies have the necessary knowledge, skills and experience to meet their operational resilience responsibilities and challenge other stakeholders constructively on the Firm’s operational resilience practices. Firm management will be expected to demonstrate that they are meeting their responsibilities under the CPs.
The CPs also identify the significance of effective communication tools in mitigating service disruptions. They recommend having in place internal and external strategies as well as clear escalation paths in the event of an incident.
Self-assessments are also to be carried out by a Firm’s board in order to demonstrate to the regulators that they are meeting their responsibilities, considering the principle of proportionality (ie, keeping in mind the nature and business model of the Firm, its size, complexity of operations and other relevant factors).
Outsourcing and third-party service providers
The rules proposed under the CPs will apply to all third party service provision arrangements, which is wider than just outsourcing. In its CP, the FCA highlights that IT failures at important service providers and IT changes within Firms accounted for 15% and 20% respectively of the operational incidents reported to the FCA, highlighting the need for appropriate management of third party arrangements. Amongst other things, the FCA identified concentration risks (for example, dependency on a particular service provider within the financial services sector) and global service providers with inconsistent resilience requirements across various countries as key areas of risk from an operational resilience perspective. In addition to the PRA CP described in this article, the PRA has published a separate Consultation Paper on outsourcing and third party risk management. Please see our separate article on the implications of the recently published CPs from a third party service provision perspective, including the interaction with the European Banking Authority’s (EBA) recently finalised guidelines on outsourcing.
Treasury Committee Report
The regulators also confirmed that the recommendations in the ‘IT Failures in Financial Services’ report published by the Treasury Committee are consistent with the proposals in the CPs (read our update on the Treasury Committee’s report here).
Next steps
All consultations are open for comments until 3 April 2020. Subject to the feedback received by the regulators, the final rules will be published in 2020.
Simmons + Simmons, on behalf of its clients, is able to submit a response to the consultations with its views on the regulators’ proposals. Please get in touch if you would like to discuss further.