The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have published their joint consultation papers on operational resilience, warning financial services firms to make better preparations for disruption to key services.
The proposals set requirements and expectations for firms and financial market infrastructure to identify their important business services by considering how disruption can have impacts beyond their own commercial interests.
They must set a tolerance for disruption for each important business service and ensure they can continue to deliver these within set impact tolerances during severe but plausible scenarios.
Late last month, Which? analysis of FCA data revealed that banks suffer five IT failures every week, leading it to call on the next government to protect cash as a backup.
This followed the October publication of the Treasury Committee's report warning that regulators must act to reduce the “unacceptable number” of IT failures in the financial services sector.
The consultation closes on 3 April 2020, with the FCA’s executive director of supervision for investment, wholesale and specialist laying out the regulator’s expectations in a speech at TISA’s Operational Resilience Forum in London.
Megan Butler explained that the intention is to bring about change in how the industry thinks about operational resilience, informed and driven by the public interest.
“It is fair to say there have been a number of cyber attacks over the past three years which have shown that it is more important than ever to remain vigilant against cyber adversaries,” she stated.
“But it is not just the external threat we need to be vigilant against – the disruption resulting from TSB’s IT upgrade served as an important reminder that our organisations need to be resilient to a far wider range of potential operational issues than cyber attacks alone.”
Butler said that the FCA wanted to dispel the belief, which many firms hold, that it expects them to stop all operational disruptions altogether.
“The outcomes we are seeking are more focussed on the continuity of supply of the financial products and services that people, businesses and the wider economy rely on most; even in the event of severe operational disruptions.”
Since last year’s discussion paper on the subject, the FCA has had a “significant amount” of engagement with industry and feedback in terms of scope.
The proposals in these consultation papers will therefore apply to banks, building societies, PRA-designated investment firms, Solvency II firms, Recognised Investment Exchanges, enhanced scope Senior Managers & Certification Regime firms, and entities authorised or registered under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011.
Butler accepted that operational risk management is not infallible, noting that firms can assume harm will occur and still be comfortable, so long as they are able to stay within an agreed risk appetite.
“The proposals in the papers make it clear that we expect you to understand your vulnerabilities, invest in protecting those and protecting yourselves, consumers and the market,” she added.
“Operational resilience is not about protecting the reputation of your firms or the reputation of the industry as a whole – it is about preventing operational incidents from impacting consumers, financial markets and the UK financial system.”
Butler warned that the FCA will not accept operational failures that, for lack of sufficient contingency planning, “see consumers stuck on the phone for hours trying to speak to their bank, unable to complete a house sale or purchase or facing uncertainty over whether they will be able to pay their rent on time because they cannot transfer their money”.
She came back to the TSB IT migration issues, stating that the FCA was clear about its dissatisfaction with the bank’s initial communications to customers. “In the consultation papers, we explain that we will expect firms to have effective internal and external communication plans to reduce harm when things do go wrong.”
Butler continued: “I will be asking your chairs and CEOs what strategic decisions and investment choices they are making to build operational resilience and to maintain the supply of important business services in the event of a major incident, or, as we say in the papers ‘a severe, but plausible, scenario’.”
Firms should identify their important business services and map successful delivery back to the key underlying resources. They should then test their ability to withstand a severe event with reference to an impact tolerance, and finally use the test results to identify resilience gaps and make investment choices that increase their ability to provide these important business services even when severe disruptive events happen.
Butler made it clear that these processes should not become a box-ticking exercise.
“This is not about what you are willing to, or think you can, ‘get away with’, because you think the worst is unlikely to happen – we need to know that you have planned for the worst and are able to continue to deliver your important business services when the worst does happen.”
She also pointed out that firms cannot ‘game the system’ by setting an excessively high impact tolerance that will never require additional steps to be taken. “When it comes to supervising firms, you can expect this to be an area where we will pay close attention.”
Butler added that the regulators are also reviewing their supervisory approach and strategy towards continuity of business services.
“Key elements of our existing approach, such as reviewing the effectiveness of firms’ governance, will continue to be an important component in assessing firms’ operational resilience capability.”
After the consultation closes, and following consideration of the responses, the FCA and PRA will publish a policy statement towards the second half of 2020.