Following a brief hiatus caused by the COVID-19 pandemic, regulators and governments have recently been re-engaging with reforms in the areas of operational resilience and outsourcing in the financial services sector.
The developments include:
- in the UK, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) recently closed consultations to reform operational resilience and outsourcing standards;
- in the US, the US Federal Reserve (FED) confirmed that proposals to address management of operational risks will be announced this year;
- at the EU level, the European Banking Authority (EBA) and the EU Commission ('the Commission') are consulting/proposing reforms of operational resilience rules; and
- internationally, the Basel Committee on Banking Supervision (BCBS) and Board of the International Organization of Securities Commissions (IOSCO) are consulting on reforms to operational resilience and outsourcing.
Taken together, the proliferation of guidelines and requirements represents a major compliance exercise. With the scope for both significant overlap and divergence between approaches developed at the national and international level and across various sub-sectors of financial services, it is essential that firms prepare to respond to this fast-changing area.
Dealing with multiple – sometimes competing – layers of regulation across different jurisdictions is nothing new for international firms; sanctions rules are a good example. What makes operational resilience different is the fact that so many sets of proposals are being developed at the same time. It’s far easier to develop a risk mitigation strategy for a single new piece of legislation that is being added to a body of pre-existing rules, than it is to formulate a plan to deal with several sets of requirements that are each coming into existence at around (but not exactly) the same time.
Very few IT structures are ‘jurisdiction specific’ and so the regulatory position in multiple countries usually needs to be addressed. When you throw into the mix the divergent approach taken by different jurisdictions in relation to data privacy (with data protection forming an important element of operational resilience for many firms), the picture becomes further complicated.
The UK regulators are expected to publish their final policy statements in early 2021. In a nutshell, the FCA and PRA will likely require firms to:
- conduct mapping exercises to prepare 'impact tolerances' for 'important business services' that if disrupted could cause harm to consumers/market integrity (FCA) and/or the financial system (PRA);
- test 'impact tolerances' through a 'range of severe but plausible disruption scenarios' to prepare for 'inevitable' disruption; and
- ensure senior management oversight of operational resilience and outsourcing risk.
In the US, both the FED and the Office of the Comptroller of the Currency (OCC) have included operational resilience as a priority area in 2019 and 2020. Recently, the FED has confirmed that, in the coming month, it will release guidance on how banks should demonstrate that they can maintain critical business operations to manage the risks of severe disruptions. The FED Deputy Director, Arthur Lindo, is reported to have told an audience at a risk conference that the measures will likely develop existing standards.
As part of its recent digital finance strategy, the Commission has published a draft Digital Operational Resilience Act, which, among other things, introduces a new oversight framework for critical third-party service providers.
How to prepare
- Understand the risks: understanding of a firm’s resilience will require a comprehensive mapping exercise that is carried out consistently.
- Address the risks: from the perspective of the FCA and PRA, delivering operational resilience requires firms to take decisive and effective actions to remain within their impact tolerances. This may require replacing outdated or weak infrastructure, increasing system capacities and/or addressing known dependencies, including those over which the firm may not have direct control (e.g. outsourcing and third-party service providers).
- Review: ongoing assessments of evolving risks are equally important, particularly given that the FCA has indicated it expects at least annual reviews.
- Focus on principles rather than prescription: consistent industry feedback to the UK consultations is that regulators should adopt a principles-based rather than prescriptive approach in this area. The FCA and PRA have indeed recognised the importance of principles-based regulation in this area, particularly since operational resilience and responsible outsourcing are 'outcomes' that can be achieved in a number of ways and one size does not fit all. Seeking compliance with overarching principles might help firms avoid becoming weighed down by terminology, and enable dynamic and business-specific approaches.
- Bridge internal silos: threats do not respect departmental boundaries and may even exploit silos, particularly in the area of cybercrime. Having joined-up functions embedded in BAU governance structures should help to reduce the frequency of incidents and will certainly improve an organisation's response to them.
- Engage: wider engagement beyond organisational boundaries is also vital. This means not only sharing information with peers, for example to address concentration risks, but also engaging with regulators.
- Follow guidance: the regulators have started to provide guidance on addressing the potential changing landscape, including in publications and direct outreach via roundtable working group discussions. For example, the Financial Stability Board has published a toolkit of effective practices for financial institutions’ cyber incident response and recovery. Follow their recommendations where available and track ongoing developments to ensure that you are aligned with current expectations.