2021年4月19日
The FCA, PRA and Bank of England (BoE) on 29 March 2021 published their final and long-awaited policy papers on 'Building operational resilience'. This article highlights the key requirements and some of the challenges as firms look to implement the requirements.
When the FCA, PRA and BoE published their suite of consultation papers on operational resilience back in December 2019 (see our earlier article), Covid-19 was only just beginning to make headlines. The subsequent disruption caused by the pandemic has brought the issue of operational resilience to the fore, demonstrating why firms need to understand and invest in their resilience to enable them to protect themselves, consumers and the financial system from disruption.
The simplest definition of operational resilience used by both the FCA and PRA is "the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption."
The regulators' approach to operational resilience is based on the assumption that disruptions will occur and will prevent firms from being able to operate as usual. The aim of embedding operational resilience in policy is to ensure that firms deliver improvements to resilience, so that they are able to respond effectively and continue to deliver key services when a disruption does occur.
Central to the requirements is the idea that firms must identify their important business services and set an impact tolerance for each, based on the maximum tolerable level of disruption to an important business service. This represents a shift in thinking, away from thinking about the resilience of individual systems to instead considering the continuity of services that firms provide to their external users and customers.
The regulators' expectations on operational resilience are set out in a number of documents, which apply to specific types of firm. Broadly these encompass:
For the purpose of this article, the firms identified above are referred to as "in-scope firms".
The final rules for the FCA, PRA and BoE all come into force on 31 March 2022. The requirements include a one-year implementation period until 31 March 2022, during which in-scope firms can identify their important business services, set impact tolerances and begin to operationalise the framework. After this, in-scope firms must be able to remain within their impact tolerances as soon as reasonably practical, but no later than 31 March 2025.
The regulators recognise that mapping and scenario testing are ongoing and dynamic processes; in-scope firms are not expected to have performed these to the full extent of sophistication by 31 March 2022, but their approach should evolve over time. In-scope firms should also prioritise their implementation with the ultimate goal of delivering the outcomes of the policy.
The proposals share a common overarching approach to operational resilience, which broadly, requires in-scope firms to:
Respondents asked for clarity and the regulators have made some relevant amendments, in particular to improve consistency between the FCA's and PRA's supervisory approach. For example, the definition of "impact tolerance" has been harmonised, with confirmation that dual regulated firms will need two impact tolerance statements. Both regulators expect that time will be the primary metric for measuring impact tolerance, but the scope is open for in-scope firms to use additional metrics in their resilience planning.
Additional provisions have also been added to clarify the expectations where in-scope firms rely on third party service providers for the delivery of an important business service. For example in such cases, the FCA expects in-scope firms to have sufficient understanding of the people, processes, technology, facilities and information that support the third party provider's delivery of those services; this is likely to increase compliance arrangements and information exchange between in-scope firms and key vendors.
The UK operational resilience framework shares similarities to the EU's proposals (known colloquially as DORA, see our article here), such as a focus on governance and risk management, testing, and overall resilience. However, whereas DORA focusses on ICT risk, the UK regulators' approach is very much led by the in-scope firms' own important business services and the underlying processes, people and technology supporting them (including but not limited to ICT services).
Where there is overlap, the EU's proposals are more specific compared to the UK operational resilience framework, which grants wider flexibility to firms in how they implement the policy in line with the objectives. For example on testing, Article 23 of DORA sets out specific requirements for advanced threat-led penetration testing (TLPT) of ICT systems by certain firms, with further regulatory technical standards to specify details of the testing requirements. By contrast, the UK approach grants wider flexibility in how testing is conducted, leaving it to firms to assess the best way to implement policy.
The requirements may also present opportunities for the industry, in particular for Fintech and Regtech firms to help support operational resilience through effective technology (as highlighted in the recent Kalifa Review). This might include advisory and reporting services, helping in-scope firms improve communication channels, or helping build redundancies within networks to make them more resilient to disruption.
Third party vendors that support in-scope firms with their important business services should anticipate customers approaching them for further compliance and contractual requirements, including in relation to testing assistance, recovery time objectives, and continuity planning in case worst-case scenarios happen.
Whilst responsibility for operational resilience rests solely on in-scope firms, third party vendors will need to work with in-scope firms as part of their mapping, testing and contingency planning; enabling customers to meet their operational resilience requirements may therefore offer a competitive advantage compared to other providers.
If you would like to discuss any of the above points, please get in touch with one of the team.