UK banks given operational resilience deadline

The UK’s financial regulators have announced new operational resilience measures, giving banks one year to implement their plans.

The Bank of England (BoE), Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) announced the changes in a policy statement on 29 March.

The new rules will require firms to identify their most important business activities, by considering impacts beyond their own commercial interests of any disruption to the business services they provide. They will also require firms to determine their impact tolerance, which measures the maximum tolerable level of disruption to an important business service.

Firms will have to ensure they can continue to provide their important business services, and are able to remain within those impact tolerances, during “severe but plausible” scenarios.

“The speed at which vulnerabilities are remediated should be commensurate with the potential impact that a disruption would cause, and will be an area of supervisory focus,” the BoE said.

The regulator has given firms until 31 March 2022 to implement strategies for these measures and commence a programme of scenario testing. They will be required to show they can recover within their impact tolerances by March 2025.

It also said that senior management are expected to take responsibility for delivering the policy outcomes.

The PRA, together with the FCA, initially proposed new rules on operational resilience in the form of a consultation paper in 2019, after high-profile technological glitches at TSB and other banks left millions without access to their online accounts and unable to make payments.

At the time Andrew Bailey, then-CEO of the FCA, highlighted the growing importance of operational risk, comparing it to the risk mitigation measures implemented following the 2008 financial crisis: that “The relative standing of operational risk, both growing as a risk in its own right, and as we have mitigated other things, has come up.”

To minimise operational risk, firms will now have to identify their most critical business services and specify the resources, people, processes, technology and facilities required to deliver them – a process it calls “mapping” – with the regulators saying that “the most critical parts of the chain should be operationally resilient”.

Firms should also begin scenario testing, where they state specific maximum levels of disruption they can withstand, and provide a time limit – using a “time-based” metric – within which they will be able to resume the delivery of important business services following severe but plausible disruptions.

The regulators said the testing should not be “unduly burdensome” but should be regular, and that firms should review their mapping annually, in order to better understand their systems and identify any vulnerabilities that need remediation.

The regulators said they received “an excellent level of engagement with the consultations” and that respondents were “supportive” of the approach set out in the proposals. But they acknowledged that a recurring theme had been requests from respondents for more detail on how they should apply the proposals and clearer definitions.

The regulators argued there are “benefits in maintaining an outcomes-based approach” and said while final policy is not overly prescriptive in terms of defining lists of important business services and setting specific impact tolerances, they expect best practice to emerge over time.

Respondents also asked if internal services, such as human resources or payroll, were included within the definition of an important business service. The regulators said that while internal services may support the delivery of an important business service, they should not fall under the definition important business services on a standalone basis.

“If internal services alone were defined as important business services, this would expand the coverage of the policy, and could reduce focus on the most important external services,” it said.

Outsourcing and third-party risk management

The PRA simultaneously published new rules related to outsourcing and third-party risk management, which came into effect on 31 March.

Under the new rules, board members at firms will have greater responsibilities to manage the risks the institution may be exposed to, and are tasked with setting the “control environment” throughout the firm, including the appetite and tolerance levels related to outsourcing.

This includes appropriately identifying and having an understanding of their firm’s reliance on critical service providers, and ensuring that it has appropriate and effective risk management systems and strategies in place to deal with outsourced service providers.

It also says that firms should periodically assess and take reasonable steps to manage their overall reliance on third parties and be aware of concentration risks. It says these can arise from multiple arrangements with the same or closely connected service providers, and where multiple otherwise unconnected service providers depend on the same sub-contractor for their services.

Rakesh Majithia, head of outsourcing and third-party risk at PwC, said the new rules “mark the end of the beginning, not the beginning of the end. They represent a shift in how firms should look at the role they play in the financial ecosystem and how they should prepare themselves to cope with incidents that will inevitably occur”.

“Looking ahead, firms may need to exercise stronger oversight as their suppliers, like themselves, are likely to move into an operating model with greater remote working on a more permanent basis,” he added.

Get unlimited access to all Global Banking Regulation Review content