Several high profile systems failures resulting in customers being unable to access their finances and an ever-increasing reliance on outsourcing key activities to group entities or third parties have unsurprisingly caught the regulators' attention.
The PRA and FCA are consulting on proposed new rules on operational resilience. "Operational resilience" is defined as the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
The new rules are designed to shift the mindset of firms' boards and senior management away from traditional risk management and towards a new attitude where firms accept that disruption to business services is inevitable and it needs to be managed actively.
Firms are likely to need to set up organisation-wide projects to meet the requirements – and the regulators expect firms' boards and senior management to be involved.
The regulators believe this is an area where board leadership is necessary as strategic decisions about budgets and spending will inevitably have implications for a firm's operational resilience.
The PRA proposes an implementation date for its proposals in the second half of 2021. The FCA explains that it will consider feedback to its consultation and also publish finalised rules in a Policy Statement next year.
What do I need to do now?
Both the PRA and FCA consultations are open until 3 April 2020 – now is the time to have your say on the proposals.
Now is also the time to brief your board and senior management teams on this fast approaching new area of regulation. Make sure that compliance with the new rules on operational resilience forms part of your firm's plans for 2020-21.
Don't worry if you're not sure where to start – our integrated team of lawyers and regulatory consultants are helping clients get to grips with this and we have views on the best way to address the consultation and prepare for the new, more structured, approach to operational resilience.
Who will the new rules apply to?
Those affected will be:
- Building societies;
- PRA designated investment firms;
- Solvency II firms;
- Recognised investment exchanges;
- Enhanced scope Senior Managers & Certification Regime firms; and
- Firms authorised under the Payment Services Regulations 2017 and/or the Electronic Money Regulations 2011.
The proposed new rules will not apply to EEA incoming firms.
What will firms need to do to comply?
Although the rules contain flexibility so that firms can take a proportionate approach reflecting their products and size, meeting the requirements will still require all firms to identify their important business services, map them, identify risks, set impact tolerances and carry out testing, as well as complete a self-assessment which is reviewed regularly.
Hardly light work!
1. Identifying "important business services"
The key upfront task will be to identify the important business services which, if disrupted, could cause harm to consumers or market integrity. The current proposals require firms to identify their own important business services. Proposals for publishing a taxonomy have been dropped as any taxonomy could quickly become out of date. The key point here is to consider what counts as an important business service to users rather than sticking to internal categorisations of business lines or products.
The examples of important business services are generally more granular than you would first expect and include:
- a retail bank's provision of ATM cash withdrawals or telephone banking services;
- a building society's disbursement of mortgages; and
- a life insurer's payment of annuities.
2. Mapping important business services
Once important business services have been identified, firms will need to identify and document all people, processes, technology, facilities and information that support each important business service. Ultimately, firms will need to understand how every important business service is delivered in order to work out how it could be disrupted.
3. Setting impact tolerances
Firms will be required to set their own impact tolerances at the maximum tolerable level of disruption for an important business service. When setting impact tolerances, firms should consider the point at which disruption to a firm's important business service would pose a risk to factors such as:
- the firm's safety and soundness or financial stability;
- financial loss to customers;
- loss of customer confidence; and
- loss of functionality or access to customers.
Impact tolerances should be expressed as a clear metric such as the time the disruption lasts for; the number of customers impacted; the number of transactions impacted; and the maximum value of transactions impacted.
The PRA gives an example of a challenger bank whose only product is a current account. The challenger bank identifies that the ability for customers to check their account balances is an important business service.
The bank judges that after 4 days of not being able to show customers an accurate account balance its reputation will be damaged; customers will close their accounts or transfer their balances as a result of loss of confidence; and investors will withdraw funding, which puts the financial stability of the bank at risk.
As a result, its impact tolerance for checking account balances should be set at less than four days of disruption. It should also be specific, e.g. 48 hours, to provide the bank with a clear standard.
Once set, impact tolerances will need to be reviewed annually in order to make sure they are still appropriate.
4. Testing
Under the new rules, firms will be required to carry out testing. Testing should focus on the response and recovery actions firms would take to continue the delivery of an important business service assuming a disruption had occurred, rather than just on a firm's ability to remain within tolerances.
Where vulnerabilities are identified, action should be taken to address the issues – which the regulators say includes fixing vulnerabilities in legacy systems, if necessary.
Firms will need to test themselves against a range of scenarios in order to identify resilience gaps, such as:
- Corruption, deletion or manipulation of critical data;
- Unavailability of facilities or key people;
- Unavailability of critical third party services;
- Disruption to other market participants; and
- Loss or disruption of technology underpinning important business services.
To carry out testing, firms will need to develop plans for each important business service identified.
5. Lessons learned and self-assessment
Firms will need to demonstrate compliance by carrying out self-assessments regularly. There are currently no proposals for the self-assessment results to be submitted to the regulators at regular intervals, but they will need to be sent on request. The self-assessment will need to be carried out more frequently in times of change, such as during structural changes to the firm, rapid expansion or entry into new markets.