With a new operational resilience framework in force in the UK and similar reforms proposed in the EU and the US, we examine how the regimes compare and their practical impact on financial services firms.
Operational resilience has become an area of increasing focus in the financial services sector in recent years. Reforms to the prudential framework for banks following the 2008 financial crisis, along with resulting structural changes, strengthened financial resilience, but did not address operational resilience. The Basel Committee on Banking Supervision (BCBS) noted in 2021 that further work was necessary to strengthen banks' ability to absorb operational risk-related events such as pandemics, cyber incidents, technology failures and natural disasters, which could cause significant operational failures or wide-scale disruptions in the financial markets.1 The COVID-19 pandemic that began in 2020 dramatically brought operational resilience into sharp focus, and 2022's geopolitical developments, energy market and infrastructure stress, and high-impact climate change events have kept operational resilience near the top of the agenda.
Developments in the UK, EU and US
A new UK regime
A new operational resilience regime took effect in the United Kingdom on March 31, 2022, introducing requirements for UK banks and insurers to ensure the UK financial sector is operationally resilient. The new regime, introduced by the UK's supervisory authorities, the Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA) and Bank of England (BoE), seeks to improve the operational resilience of firms and financial market infrastructures (FMIs), and to protect consumers, the broader financial sector and the UK economy from the impact of operational disruptions.
In developing the framework, the UK supervisors presumed that disruptions will occur that will prevent firms and FMIs from operating as usual and providing their services for a period of time, as occurred, for example, during the COVID-19 pandemic. The rules are intended to ensure firms and FMIs plan and deliver improvements to their operational resilience so they can respond effectively when a disruption does occur.
Under the UK regime, firms and FMIs must identify their "important business services" that could impact clients or the financial system if disrupted, set an "impact tolerance" for disruption to each of those services, and ensure they can continue to deliver those services and remain within their impact tolerances during severe (or extreme, for FMIs) but plausible scenarios. The framework takes an outcome-based approach, leaving boards and senior management to identify important business services and set impact tolerances that are appropriate for their firm and clients.
To further enhance the stability of the financial system, a new statutory framework has been proposed in the Financial Services and Markets Bill 2022-23 to manage systemic risks posed by "critical third parties" (CTPs). The proposals give the supervisory authorities powers to assess and strengthen the resilience of material services (such as cloud computing and data analytics) provided by CTPs to the financial sector under outsourcing arrangements.
In the EU, a new regulation on digital operational resilience for the financial sector (known as the Digital Operational Resilience Act or DORA) was proposed by the European Commission in September 2020 and a provisional political agreement was reached by the European Parliament and Council of the EU in May 2022. Like the UK regime, DORA aims to improve the operational resilience of financial institutions, albeit with a focus on digital, or information and communication technologies (ICT), risk. The European Commission flagged in its proposal the continued challenges posed by ICT risks to the operational resilience, performance and stability of the EU financial system, noting that post-crisis reforms had not fully addressed digital operational resilience.
The DORA proposals address this gap by enumerating detailed and comprehensive rules on digital operational resilience, including provisions on firms' ICT risk management and incident reporting, requirements for thorough testing of ICT systems, and powers for financial supervisors to oversee risks stemming from firms' dependency on ICT third-party service providers. The powers relating to third parties will be set out in DORA's oversight framework for pan-European critical ICT third-party providers (CTPPs), which aims to ensure operational risks are no longer addressed exclusively through outsourcing arrangements put in place by financial institutions, but also directly at the CTPP level.
In addition, given the fragmentation within the existing EU legal and regulatory framework for ICT risks and operational resilience in the financial sector—the rules that apply vary depending on the type of financial entity and among member states—DORA aims to ensure harmonization of these rules across the EU.
Consolidating the US regime
The US federal banking regulators have formally recognized that the banking organizations they regulate have experienced significant challenges in recent years from a wide range of disruptive events, including technology-based failures, cyber incidents, pandemics and natural disasters, which may be further exacerbated by the increasing reliance on third-party service providers to deliver their products and services. As a first step, the US regulators, including the Federal Reserve Board, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation, have sought to identify and consolidate existing guidance that can be used to form the framework for an effective operational resilience regime for those banking organizations deemed systemically important; that is, those with either at least US$250 billion in total assets, or at least US$100 billion in total assets and US$75 billion or more in cross-jurisdictional activity, short-term wholesale funding, average nonbank assets or off-balance sheet exposures. Second, the US federal banking regulators have focused on issuing new rules to help banking organizations establish and maintain the tools needed to identify and address evolving cybersecurity risks.
For the first area of focus, the consolidated guidance, known as Sound Practices to Strengthen Operational Resilience (Sound Practices), was issued simultaneously by the three federal banking regulators to outline the sound practices large banks are expected to have in place to address risks to operational resilience such as cyberattacks, natural disasters and pandemics. The Sound Practices include concepts from existing rules and guidance on operational risk management, business continuity management, third-party risk management, cybersecurity risk management, and recovery and resolution planning. Among other things, the guidance sets the expectation that covered firms will use existing governance and operational risk management rules to establish a specified "tolerance for disruption," essentially a risk appetite based on the capability of the firm's operating environment to withstand a disruptive event.
The second area of focus of US banking regulators is the increasing and ever-evolving nature of cybersecurity risk. The Sound Practices highlight the practices that firms should have in place to address cybersecurity risk, including using established industry risk assessment tools such as the FFIEC Cybersecurity Assessment Tool, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center for Internet Security Critical Security Controls and the Financial Services Sector Coordinating Council Cybersecurity Profile, to measure and align cybersecurity risk with industry standards. Moreover, the three US federal banking regulators recently adopted a new Computer-Security Incident Notification Rule that requires banks and their key service providers to ensure that their incident response plans include a mechanism to identify and provide immediate notice to regulators of "material" cybersecurity incidents, including a ransomware, malware or denial of service (DoS) attack, or other hacking or similar incident. An attack or incident requires notice where it has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the bank's ability to carry out banking operations, including delivering its products and services, or continuing to operate business lines that are material to the bank's profits and franchise value. Notice is also expressly required for any attack or incident involving any services or functions performed by the bank whose failure or discontinuance would be deemed to pose a threat to US financial stability.
How do the UK and EU approaches compare?
Since the UK regime is already in effect, the details of its measures are more developed than those of the EU's DORA proposals. Nonetheless, there are some interesting similarities and differences between the two regimes.
The EU's DORA proposals establish an EU framework for digital operational resilience in contrast to the UK regime, which broadly addresses operational resilience. Digital operational resilience, as defined in DORA, is a financial entity's ability to build, assure and review its operational integrity from a technological perspective by ensuring it has the full range of ICT-related capabilities necessary. For UK purposes, the FCA and PRA describe operational resilience as the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions and, accordingly, look beyond the technological aspect.
Although DORA focuses on digital operational resilience, it applies to a broad range of EU-regulated financial entities, including banks, payment institutions, investment firms, FMIs, fund managers, insurers and others. This is similar to the UK regime: banks, building societies, PRA-designated investment firms and insurers are subject to both the PRA's and the FCA's operational resilience rules, while other firms, including payment institutions, electronic money institutions and recognized investment exchanges, must comply with the FCA requirements.
Under the UK regime, a firm's "important business services" are services provided to its clients, which, if disrupted, could cause intolerable levels of harm to one or more clients or pose a risk to the soundness, stability, or resilience of the UK financial system or the orderly operation of the financial markets. The rules outline a variety of factors to consider when identifying these services, including the firm's clients and their ability to obtain the service from another provider, time criticality of the service and the number of clients receiving the service, and considerations around the impact of disruption on the firm, its legal and regulatory obligations and the broader UK financial markets and system.
Once a firm identifies its important business services, it must then consider the maximum length of time a disruption to that service could be tolerated—its "impact tolerance." Again, there are several factors (in addition to time) to consider when setting each impact tolerance such as the client base, how many clients may be adversely impacted by the disruption, the nature of the impact, potential financial losses to the clients and firm, and broadly, the impact on the firm, its reputation, confidentiality, market or consumer confidence and the UK financial system.
In the EU, the DORA proposals mandate the creation of an ICT risk-management framework that includes a digital resilience strategy, and requirements involving governance and control, ICT-related incident reporting and digital operational resilience testing. As part of that strategy, a firm must establish its risk tolerance level for ICT risk and analyze the impact tolerance of ICT disruptions—similar concepts to those used in the UK regime. However, DORA does not currently require firms to set impact tolerances for each of their critical functions and services in the same way the UK rules do. The expectation set out in the proposed regulation is less granular, simply stating that a firm's digital operational resilience strategy should include the methods to address ICT risk and attain specific ICT objectives by "analysing the impact tolerance for ICT disruptions," among other things. It remains to be seen what additional details concerning impact tolerances will be set out in the Level 2 legislation.
Nonetheless, certain DORA requirements are similar to those in the UK supervisory framework. For example, both EU and UK frameworks require the identification of critical parts of the business (i.e., "important business services" in the UK and "critical" or "important functions" in DORA). Both regimes also require firms to carry out some form of testing—under DORA, firms must conduct business impact analyses regarding the firm's exposure to severe disruptions while, similarly, the UK provisions introduce requirements for operational resilience testing.
Likelihood versus impact of disruption
The approach taken by the new UK regime represents a mindset change when assessing risk for operational resilience purposes. Under previous UK rules on operational resilience, firms were required to consider how likely a type of disruption was to occur, in addition to the impact of the disruption, when assessing risk. The new regime does not include likelihood as a factor, although the regulators' current proposals for a critical third-party regime include the likelihood of causing intolerable levels of harm to large numbers of customers as a suggested metric when assessing the potential impact of a third party's failure.
Similar to the UK regime, DORA does not ask firms to consider the likelihood that a disruption will occur, except in relation to critical ICT third-party service providers; the recitals to DORA note that firms should thoroughly assess contractual arrangements with ICT third-party service providers (especially those established in a third country) to identify the likelihood of risks emerging.
A comparison to the US approach
While the US regulators have not yet adopted a standalone operational resilience regime similar to the UK regime, it is worth noting that the provisions that are integral to the UK regime are addressed in existing US regimes governing business continuity and resolution planning. For instance, identifying the "important business services" provided and how to protect them is integral to the resolution-planning regulations that apply to US and non-US banks operating in the US. The US resolution plan rules require covered banking entities to identify operations that are material to the banking entity or to the industry it serves, or operations that are critical to the financial stability of the US, and, in each case, to establish a plan for the banking entity's orderly resolution that minimizes the disruption of those operations. Similarly, business continuity guidelines established jointly by the US banking regulators require banking entities to identify all critical business functions, assess the potential impact of their disruption, and develop a business continuity plan focused on identifying and managing any potential disruptive event, seeking to recover, maintain or re-establish continuity of services.
Like the UK regime, the US requirements are focused on identifying and mitigating the "systemic risk" to the US financial system that would be caused by a disruption or failure in the ability of a covered banking entity to continue to provide one or more important services. The US regime, however, does not address or create any expectation that a banking entity's resilience planning identify and seek to mitigate "intolerable levels" of harm to clients, absent any systemic risk to US financial stability.
Besides the Sound Practices requirements, the US federal banking regulators have used existing rules and guidance to address emerging threats to operational resilience. For example, the US regulators issued guidance in response to the COVID-19 pandemic to explain their expectations of how banking entities should use business continuity plans to address pandemics. The guidance goes beyond ensuring the continuance of critical operations by requiring the adoption of a preventive program to address the steps to mitigate outbreaks among employees and the adoption of a strategy to address each stage of the pandemic, including mitigation controls to ensure business continuity such as cross-training employees and remote access.
International approaches to operational resilience
The BCBS published the Principles for Operational Resilience in 2021 to strengthen operational resilience by increasing international engagement and promoting greater cross-sectoral collaboration to build on the work already implemented by several jurisdictions and standard-setting bodies (including in the UK, EU and the US, and at the international level by the International Organization of Securities Commissions (IOSCO)). The BCBS's seven principles, largely adapted from existing guidance issued by it or national supervisors, are: governance; operational risk management; business continuity planning and testing; mapping of interconnections and interdependencies of critical operations; third-party dependency management; incident management; and resilient ICT including cybersecurity.
In the PRA's March 2021 policy statement on operational resilience (PS6/21), which was published shortly before the finalized BCBS principles, the PRA commented on the alignment between the UK regime and the BCBS approach. The PRA explained that although the BCBS concept of "critical operations" is not identical to the UK's "important business services," it considered the terms to be aligned. The BCBS "critical operations" definition includes "critical functions" as defined by the Financial Stability Board and expanded to include "activities, processes, services and their relevant supporting assets, the disruption of which would be material to the continued operation of the bank or its role in the financial system"—the PRA considers this to be consistent with the reference in its policy to safety and soundness, and financial stability. The BCBS also uses the term "risk tolerance," which is focused on a bank's risk appetite, risk capacity and risk profile; the PRA considers this to be aligned with its impact tolerances. The PRA concluded it is realistic to assume there will be local differences in implementation of operational resilience regimes and it is reasonable that different jurisdictions will have different views on what they consider critical or important, but, as long as the principles are aligned, firms and supervisors should be able to work effectively across borders.
In October 2021, IOSCO published its revised Principles on Outsourcing, which established expectations for regulated entities that outsource tasks and briefly addressed the impact of COVID-19 on outsourcing and operational resilience. IOSCO noted that the pandemic and the increasing reliance on outsourcing that resulted from it (particularly due to the increased use of technology for remote working) were a useful reminder to increase attention to operational resilience. It also suggested that regulated entities should consider the Principles on Outsourcing when thinking about how to maintain and improve resilience.
At its recent meeting in July, the members of the UK-US Financial Regulatory Working Group, composed of senior staff from HM Treasury, the US Treasury Department and the financial regulatory agencies in each country, addressed the importance of operational resilience for "critical" third-party providers that provide services across borders and sectors. The regulators recognized that there would be value in developing shared international approaches to identifying critical services and providers, and in collaborating on how to address any disruptions in their services.
Practical impacts and challenges for firms
The introduction of the new UK requirements concerning operational resilience is likely to have considerable practical consequences for in-scope firms. Firms will already have had to identify their important business services, set impact tolerances, carry out a certain level of mapping and testing, conduct "lessons learned" exercises involving their ability to respond to and recover from disruptions effectively, develop internal and external communications plans for when important business services are disrupted, and prepare and submit self-assessment documentation to the regulators. Going forward, firms (by March 31, 2025 at the latest) will need to have performed mapping and testing to ensure they remain within impact tolerances for each important business service, and made the investments needed to enable them to operate consistently within those impact tolerances. While March 2025 may sound far away, regulators will expect progressive improvement during this timeframe, so firms should be ready to demonstrate this when the next impact events arise.
Given the development of DORA and the ongoing re-emphasis in the US on its existing standards, it seems clear that operational resilience is a focus area for regulators over the upcoming economic cycle, and firms in all regions can expect to be required to review and, where necessary, refresh their approach.
To meet all of these requirements, firms will need to ensure they have sufficient internal resources to implement the assessments, mapping, testing and other additional actions the new regime demands. Employees may need to be trained to ensure they have the requisite skill sets and knowledge, and it will be important to ensure senior management is sufficiently informed and engaged to provide the requisite level of oversight of the firm's operational resilience. There will also be cost implications, given the requirement to invest as necessary to operate consistently within the firm's impact tolerances. In this regard, cross-border firms will be required to adopt a consistent approach to operational resilience group-wide, while each firm will also have to meet the specific requirements set out in the relevant home country's implementing provisions.
Looking ahead, if the proposed measures to oversee critical third parties are implemented, these will have additional practical impacts, including the potential for service providers, such as cloud providers, to pass on any costs of complying with the requirements to the firms receiving those services.