Operational resilience under focus of UK financial regulators

The proposals, set out in a shared policy summary and coordinated consultation papers published by the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Bank of England, are aimed at improving the operational resilience of firms and financial markets infrastructure and come after the FCA and PRA issued a joint discussion paper in 2018 setting out an approach on operational resilience. The new joint policy summary and coordinated consultation papers have been issued in response to developments since then, which include a number of high-profile system outage incidents in the sector, and industry feedback received to the discussion paper.

Megan Butler, the FCA's executive director of supervision, announced the latest phase of the regulators' work at The Investing and Saving Alliance's (TISA's) operational resilience forum, which was hosted by Pinsent Masons, the law firm behind Out-Law, in London on Thursday.

In her speech, Butler said she expects firms to "understand your vulnerabilities, invest in protecting those and protecting yourselves, consumers and the market". She said risks to operational resilience can arise from cyber attacks and systems upgrades, among other sources of potential disruption.

"It is fair to say there have been a number of cyber attacks over the past three years which have shown that it is more important than ever to remain vigilant against cyber adversaries," Butler said.

"Our starting point is the premise that operational disruptions happen. We want to dispel the belief, which many firms hold, that we expect them to stop all operational disruptions altogether. We understand these happen. The outcomes we are seeking are more focussed on the continuity of supply of the financial products and services that people, businesses and the wider economy rely on most. Even in the event of severe operational disruptions," she said.

The proposals outlined by the respective regulators differ slightly to reflect the different policy frameworks and supervisory approach they each take. However, they each seek to ensure that operational resilience is built in to 'important business services' offered by firms.

Firms will be expected to identify which of their business services are 'important' and set an "impact tolerance" for each of those services, using a "clear metric" for such a measure. This should "include reference to the maximum tolerable duration for which the delivery of the important business service would be affected", with that assessment to be based on a single event of disruption and not on the cumulative effect of multiple incidents.

The PRA said business services should be classed as 'important' "if its disruption could pose a risk to the firm’s safety and soundness or financial stability, or in the case of insurers, the appropriate degree of policyholder protection". It examples might include a bank's payment services or a life insurer's payment of annuities.

To inform assessments of how important business service could remain within impact tolerances set, firms will need to "understand how the service is delivered and how it could be disrupted", and this will involve mapping the role that people, processes, technology, facilities and information play in the delivery of those services.

Businesses will be expected to test their ability to deliver their important business services within their impact tolerances "in severe but plausible scenarios". The frequency of such tests will depend on "the potential impact on financial stability, safety and soundness, and policyholder protection of failure to deliver their important business services", which it will be up to individual firms to assess.

"Firms should focus testing on response and recovery actions rather than focusing exclusively on preventing incidents from occurring," the PRA said in its consultation paper. "This is because impact tolerances assume a disruption has occurred, and the approach is designed to focus firms on how they would continue to deliver important business services in those circumstances."

Firms will also be expected to invest in ways to respond and recover from disruption based on the lessons they learn from incidents, and develop both an internal and external communications plan that they can turn to when important business services are disrupted.

Tobin Ashby of Pinsent Masons, who specialises in financial services regulation, said: "The joined-up approach of the regulators in this area demonstrates its importance and it is clear from their statements that they will expect operational resilience to be at the heart of firms’ planning and decisions."

"The holistic view of business services that are provided to customers and measuring impact tolerances will be key areas that firms need to understand and consider and it will be worth firms engaging with the consultation process in any areas they feel need to deflect their model and customer approach," he said.

The regulators' consultations are open until 3 April 2020. The FCA said it plans to issue a finalised policy statement in the second half of 2020, while implementation of the finalised requirements that the PRA is planning is expected in the latter half of 2021.

Since August 2018, banks in the UK have had to publicly disclose how often they have had to report major operational and security incidents to the FCA.