Part four of our FCA Priorities series looks at operational resilience and what the FCA will expect from your firm in the coming year.
Operational resilience in the financial sector spans all firms and is also a key area for the PRA. The use of technology is now integral to the delivery of financial services and therefore firms' arrangements for business continuity and effective cyber-attack deterrents are vital.
The eye watering fines, public loss of confidence and at least one resignation of a chief executive over operational outages and cyber-attacks means this can no longer be seen as an 'IT issue'. We look at the key risks your firm needs to stay on top of this year.
Highly publicised service outages in the banking world have caused substantial problems for many customers and the FCA is cracking down on senior management to ensure any outages are minimised and the firm's response to these outages is swift and effective.
Paul Pester felt the brunt of the Treasury select committee and Mark Carney's criticism over his stewardship of the service outages at TSB in 2018. A problematic migration of data from one IT system to another prevented a reported 1.9 million mobile and online banking customers from accessing there accounts and making payments over a period of days. TSB paid millions of pounds in compensation to its customers for lost interest and fees and charges.
Visa also experienced an embarrassing service outage in June last year which resulted from a hardware failure.
The FCA, PRA and Bank of England jointly issued a discussion paper in July 2018 "Building the UK financial sector’s operational resilience". Key to this is firms' setting their own impact tolerances and stress testing their business continuity.
Firms will have seen the sizeable fines levied by the FCA in relation to cyber-attacks and operational outages over the last few years. The fine imposed on Tesco Personal Finance plc (Tesco Bank) for £16,400,000 for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack put this into sharp focus. The FCA commented that "Tesco Bank is in the business of banking and fundamental to that business is protecting its customers from financial crime."
The business plan also specifically highlights, as the FCA has been doing for some time, that senior managers and the firm's board are ultimately responsible for ensuring its cyber-crime controls are "designed to meet standards of resilience."
Tesco Bank's behaviour was seen as particularly egregious due to the, perceived, foreseeability of the particular cyber-attach risks which the FCA said were not acted upon. The FCA accepts that firms will not be able to stop every cyber-attack so what is the tolerance level or resilience baseline for firms?
The FCA has stressed that its focus will be on providing clear guidance on its expectations, however each firm must carry out its own assessment by reference to its critical business systems.
Third party service providers and outsourcing to the cloud
The FCA has stressed that this is a key area and that IT failures at third party suppliers were the second highest root cause of disruption to services in 2018. Firms are able to delegate critical systems but cannot delegate responsibility to third party suppliers so must ensure they do their due diligence and contract on robust terms to ensure effective operational resilience. The importance of ongoing management and monitoring of these arrangements was highlighted by both the FCA and PRA recently fining Raphaels Bank.
The FCA published guidance in July 2018 covering the lifecycle of outsourcing arrangements, although this guidance does not apply to banks, building societies, designated investments firms or IFPRU investment firms. Those institutions will look to the EBA guidelines on outsourcing arrangements published in February 2019 and effective by 30 September 2019, assuming the UK regulator adopts them.
Topping third party suppliers as the single highest cause of operational failure is change management according to figures in the FCA business plan. With some larger firms struggling with replacing or integrating legacy IT systems and adapting to changing customer expectations on how they access financial services the FCA is keen to learn more with a review of a selection of firms to be carried out to identify approaches and causes of problems.
A key theme running through each of these aspects is clear Senior Management accountability and responsibility for operational resilience. The Senior Managers and Certification Regime now requires relevant firms to allocate a Senior Management Function responsible for the internal operations and technology of a firm.
Testing resilience and supervision
The FCA will increase the use of 'CBEST' (ethical hacking) to test the cyber capabilities of high impact firms. The FCA has previously used CBEST jointly with the Bank of England on a small number of firms and they intend to roll this out to a larger number of priority firms in 2019/2020. They have yet to provide details of which firms will be subject to this testing.
The discussion paper discussed above highlights that supervisory intervention will increasingly be through seeking assurance that appropriate impact tolerances are set, monitored and tested. Boards should set their own impact tolerances and prioritise those business systems which, should they fail, could impact customers and cause the most harm. The FCA will be developing policies jointly with the PRA and Bank of England and will consult later in 2019.
Firms need to consider building 'resilience' into their culture across the whole business rather than silo the risk within a few earmarked teams to ensure regulatory compliance.