18 December 2019
On 5 December 2019, the Bank of England (BoE), the PRA and the FCA published a long-awaited suite of documents and consultation papers (the proposals), setting out their proposed approach to embed new operational resilience requirements into the financial services regulatory framework:
Putting in place a regulatory framework to promote operational resilience is one of the key priorities for the BoE, PRA and FCA. The proposals develop many of the concepts in the earlier 2018 joint discussion paper, and also respond to the recent Treasury Select Committee report on IT failures in the financial services sector (to which the authorities will provide a full response in due course).
The proposals are designed to promote stronger and more effective governance of operational resilience and closer co-ordination and co-operation between market participants. The authorities will consider developing further policy requirements in the future, such as on operational resilience reporting.
The proposals define operational resilience as "the ability of firms and FMIs in the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions", with customer interests paramount. The starting point is the premise that operational disruptions will happen, so firms must be prepared for the unexpected rather than assume they can prevent every incident.
The new concepts of "important business service" and "impact tolerance" are central to the proposed approach for identifying and addressing operational resilience concerns. Note that these definitions are slightly different under the FCA and PRA proposals, which may create implementation challenges for dual-regulated firms.
Not all firms and activities will be subject to all of the proposals. Broadly:
For the purpose of this alert, these are referred to as "in-scope firms".
The authorities aim to finalise their rules by the end of 2020 and for most of them to take effect in late 2021, although full compliance is not expected until 2024.
The proposals share a common overarching approach to operational resilience, with differences to reflect the particular regulatory framework and supervisory approaches of the PRA, FCA and BoE. Broadly, the proposals would require in-scope firms to:
No definitive list of important business services is provided, but guidance is given on the type of services that boards and senior management could classify as "important". Business services are distinguished from "business lines". Firms may also need to consider which particular part of a chain of activities is critical to delivery, and should avoid identifying a collection of services as a single important business service.
An impact tolerance should be set at the first point at which a disruption would pose an intolerable risk of harm to consumers or market participants, harm market integrity, threaten policyholder protection or the firm's safety and soundness, or pose a risk to financial stability. Impact tolerances should include the maximum tolerable duration of disruption.
Mapping is essential to identify and document the vulnerabilities in delivery of important business services, such as limited substitutability of resources, high complexity, single points of failure, and a concentration of reliance on a single resource. Mapping then allows firms to take action to remedy and test those vulnerabilities.
Firms must also take effective action to ensure they can continue to deliver important business services within impact tolerances during severe but plausible scenarios. This might include addressing vulnerabilities in legacy systems, replacing outdated infrastructure, achieving full failover for critical dependencies and being able to communicate with all affected parties. It should include developing a "testing plan" to carry out regular and proportionate scenario testing.
Some particular points to note:
Both the FCA and PRA are clear that they expect in-scope firms to ensure their important business services are able to remain within their impact tolerances, even when they rely on outsourcing or third party providers.
The PRA's separate consultation on outsourcing in part implements the EBA Guidelines on Outsourcing, and also takes into account the draft EIOPA Guidelines on Outsourcing to Cloud Service Providers (except that the PRA's proposals apply to all outsourcing, not just cloud).
Inevitably, the additional requirements on in-scope firms to identify dependencies and set impact tolerances will require greater engagement with third parties and service providers, particularly around mapping and scenario testing.
However, there may also be opportunities here for service providers. For example, where in-scope firms identify that their own IT infrastructure is inadequate, they may need third party services to implement back-up data storage.
If you would like to discuss any of the above points, please do get in touch.
by multiple authors