As part of a series of coordinated consultation papers, UK supervisory authorities on December 5 proposed new rules and expectations aimed at strengthening the operational resilience of the financial services sector. The latest proposals represent the most significant effort to date by any financial regulator to create formal rules around the topic of operational resilience and bring the policy intentions first discussed in the authorities’ July 2018 discussion paper much closer to implementation.
Jointly issued by the Bank of England (BOE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), the consultation papers include a shared policy summary and three consultation papers directed at specific firm types, namely, recognized payment system operators and specified service providers, central securities depositories, and central counterparties.
Additionally, to complement the policy proposals on operational resilience, the PRA issued a paper on outsourcing and third-party risk management. Firms and financial market infrastructures (regulated institutions) have until April 3, 2020 to submit responses to the proposals.
Objectives of Policy Proposals
The consultation papers spell out the supervisory authorities’ clear expectations for regulated institutions, which include taking ownership of their operational resilience, prioritizing plans and investment choices based on their impacts on the public interest, and communicating clearly to customers when disruptions occur.
The overarching objective of the proposals is to help regulated institutions improve their operational resilience in three key areas:
- Prioritization – Boards and senior managers should have a better understanding of the criticality of their businesses and prioritize for resilience those activities and businesses that would pose the greatest risk to the stability of the markets, the regulated institution’s safety and soundness, or, in the case of the insurance industry, the interest of policyholders.
- Standardization – Regulated institutions should set a clear set of standards for resilience, articulating the maximum tolerable level of disruption and anticipated recovery from severe but plausible scenarios.
- Invest and build – Regulated institutions should put contingency arrangements in place to enable the delivery of important business services and take preemptive action to ensure the continuity of those businesses with established impact tolerances.
To advance these objectives, the supervisory authorities provided additional clarity on several key concepts essential to building operational resilience.
Defining Important Business Services
In the July 2018 discussion paper, the authorities used and emphasized the term “critical business services.” However, in the latest consultation papers, that term is replaced by “important business services,” to reflect a broader scope of services that will be affected by operational resilience requirements.
The PRA, for instance, proposes that a service be defined as “important” if its disruption poses a risk to an institution’s safety and soundness or financial stability. The regulator appears open to the idea of regulated institutions making this determination on their own, recognizing that business models differ even for institutions within the same industry and a prescriptive taxonomy may be overly burdensome.
Still, the consultation papers list examples of important business services, such as a bank’s payment services, an investment bank’s currency hedging services, and a retail bank’s provision of ATM cash withdrawals. Understanding the location, substitutability and usage of these important business services is essential to the next phase of building operational resilience: setting impact tolerance.
Setting and Testing Impact Tolerances
Impact tolerance is defined as the maximum tolerable level of disruption to an important business service. In the original discussion paper, impact tolerance was defined simply as tolerance for disruption, and did not identify duration as possible metric for setting tolerances. The supervisory authorities have since refined their approach to impact tolerance based on feedback from respondents and engagement with industry stakeholders. By including a time-based metric, regulated institutions are expected to set and test a point in time when the viability of a service is irrevocably threatened and be able to identify the stakeholders that would create the point of irrevocability. Similar to the proposed definition of important business services, however, the supervisory authorities provide regulated institutions some flexibility in determining impact tolerances. Specifically, they propose that, where relevant, firms and financial market infrastructures (FMIs) may decide to also include other metrics, such as volumes and values, in their impact tolerances, given that a metric based on time alone may be insufficient.
The proposals offer the following considerations when quantifying the maximum acceptable level of disruption:
- Harm to consumers or market participants
- Harm to market integrity
- Policy protection
- Safety and soundness
- Financial stability
The following are additional proposed considerations relating to impact tolerance:
- Impact tolerance should not contemplate an event’s likelihood; it should assume an event will occur, removing any concept of risk weighting.
- Regulated institutions should align impact tolerance to the potential impact of disruption to stability, safety and soundness and policyholder protection.
- Regulated institutions are expected to meet their impact tolerances in the event of a disruption. The PRA is proposing that regulated institutions comply within a reasonable amount of time, to a maximum of three years, although the regulator acknowledges that complexity and technology changes may challenge this timeframe.
Implementing Operational Resilience
The supervisory authorities provide substantial guidance on how regulated institutions can implement or deliver operational resilience, focusing on:
- Enhancing weak or outdated infrastructure
- Increasing system capacity
- Achieving full fail-over capabilities
- Addressing key person dependencies
- Improving communications
Of the above, potential technology improvements that regulated institutions would need to perform to be compliant with resilience expectations or requirements may prove to be the most burdensome and costly.
The latest proposals encourage scenario testing in a manner that is systemic and open to supervisory challenge. Scenario testing of resilience would serve multiple functions, including help regulated institutions better understand extreme but plausible scenarios and their ability to remain within their impact tolerance under those circumstances. The nature of the testing should be proportionate to the size, complexity and importance of the organization or important business service.
IT Security Breaches
The supervisory authorities identify data security breaches as significant causes of operational disruptions and discuss how they can disrupt the financial sector’s capacity to provide important services to the economy. They cite a UK government survey in 2015 that found 90% of large businesses across all sectors had experienced a malicious IT security breach in the previous year. Also, in 2018/19, 852 technology and cyber incidents were reported by firms to the FCA. The introduction of security breaches as an operational resilience consideration, something not explicitly noted in the earlier discussion paper, significantly increases the scope of institution’s potential compliance obligations with operational resilience. Going forward, regulated institutions should be able to demonstrate not only their ability to keep important business services running efficiently but also how they can keep data secure.
Regulated institutions should identify and document the necessary people, processes, technology, facilities and information (referred to as resources) required to deliver each of their important business services. This exercise is known as mapping and is proposed to help regulated institutions achieve the following outcomes:
- Identify vulnerabilities in delivery of important business service within an impact tolerance.
- Take action to remedy discovered vulnerabilities.
- Test the institution’s ability to remain within tolerances.
Regulated institutions may be required to perform a self-assessment of their operational resilience, under the latest proposals. The self-assessment would include documentation on methodology, how important business services are derived and how impact tolerances are set. Testing strategy and outcome and planned improvements would also be part of the self-assessment. The supervisory authorities propose that all parts of the self-assessment must be maintained for a period of three years. While this is a new addition, it does seem consistent with what institutions would normally do and what regulators would generally expect.
Key Takeaways From the Proposals
Here are additional key takeaways from our review of the consultation papers and policy proposals:
- So far, the supervisory authorities have stayed away from proposing taxonomies and prescriptive definitions relating to operational resilience.
- Regulated institutions are expected to take a group-level view of operational resilience to ensure the risks of the whole group or organization, including parts or subsidiaries that are not subject to individual requirements, are considered. PRA proposes that it would expect a regulated institution’s self-assessment to cover the whole group. Also, regulated institutions may be required to identify a proportionate number of important group business services and respective impact tolerances at the level of the group.
- The migration from the term “critical business services” to “important business services” expands the number of services a regulated institution would have to validate as resilient. It also means increased mapping of more processes and systems (possibly data flows) in a front-to-back manner to identify important business services.
- The supervisory authorities articulated a clear need for front-to-back mapping of business services. Firms should consider this as a critical item in demonstrating compliance to the UK regulators.
- There is acknowledgement by the supervisory authorities that important business services will differ by institution.
- Firms should earnestly begin to define their important business services with sufficient granularity so that they can improve their understanding of the potential harm to stakeholders from a disruptive event or severe but plausible events
- The clear callout of impact tolerance as a time-based metric provides regulated institution’s more clarity in direction than previously outlined within the original discussion paper.
- Regulated institutions should be prepared to address issues that may extend their resilience beyond their impact tolerances, e.g., large-scale and sustained power outages.
In the coming weeks, Protiviti’s financial services industry subject-matter experts will produce additional papers on the topic of operational resilience, including the latest regulatory developments. Protiviti has developed a framework with which institutions can approach and evaluate operational resilience. To learn more about this framework, visit this page.