This article was co-authored by Edward Hitchen, Trainee Solicitor, London.
Anyone working in financial services will know something of the dramatic impact that IT and communications systems failures can have on their work. The inexorable rise in cyber attacks, set against the total reliance on these systems by staff working from home in recent times, has brought these issues even more sharply into focus.
Having looked at key issues for 2021 and developments in product governance, the next “certainty” we consider here is the UK regulators’ new rules on operational resilience, which treat this kind of systems failure as an inevitability.
The Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have been collaborating on a far-reaching framework to improve the operational resilience of firms’ systems and processes. It is based on a principle of “when, not if” important business systems are disrupted, by cyber attacks or otherwise. The new framework is not focused on IT systems alone, but because IT systems are a central part of firms’ operations, they are a principal target of the rules.
The UK regulators published their final policy and supervisory statements on operational resilience on 29 March 2021. These papers set out their final clarification on how the new regime will impact authorised financial services firms by the time the rules come into force on 31 March 2022.
Solvency II insurers and Lloyd’s managing agents (in addition to banks, building societies and certain investment and payments firms and exchanges) need to comply with the requirements of both the PRA and the FCA, while larger intermediaries (those that are “enhanced” firms under the Senior Managers and Certification Regime) need to comply with the FCA requirements. A broader application of the rules cannot be ruled out in future, so all authorised firms should take an interest in the direction of the regulators’ thinking.
At a high level, the UK regulators define “operational resilience” as the ability of authorised firms and the financial sector to prevent, adapt, respond to, recover from, and learn from operational disruptions.
The regulators have set out the approach they expect these firms to take to ensure their resilience, with detailed requirements for firms to build into their operational governance. We have set out some of the key elements for firms to be aware of:
1. Identifying important business services (IBS) and setting impact tolerances
The PRA and FCA each define business services provided by or on behalf of the firm to their customers as “important” by reference to their own objectives. The PRA focuses on services for which disruption could risk the stability of the UK financial system, the firm's safety, soundness and (for insurers) the “appropriate degree” of policyholder protection.
The FCA focuses on services which, if disrupted, could cause “intolerable levels of harm” to clients, or a risk to the soundness, stability or resilience of the financial system or the orderly operation of financial markets. Because the two tests differ, the same business service may be assessed as “important” differently by each regulator, and dual-regulated insurers (authorised by the PRA) will have the burden of complying with both sets of requirements.
The regulators want firms to set a “maximum tolerable level of disruption” to each IBS, as measured by duration (and other metrics), beyond which the risks described above could arise. Firms need to have identified their IBS and set these “impact tolerances” by the time the new rules take effect on 31 March 2022. Firms will need to keep their identified IBS and impact tolerances under review, particularly where their business changes.
2. Ensuring delivery of each IBS within their impact tolerance
The UK regulators are taking a reasonably pragmatic approach to the transition to meeting tolerances. They require operation within the tolerances within a reasonable time from the new rules coming into effect on 31 March 2022 (and by no later than 31 March 2025). However, firms are expected to use the time wisely and have a “prioritised plan” in place. Ultimate responsibility for delivering the desired outcomes lies with senior management, principally the board and the holder of senior management function 24 (Chief Operations function).
3. Mapping resources supporting each IBS and scenario testing
Firms must identify the necessary people, processes, technology, facilities and information required to deliver each IBS. This should enable firms to identify and remedy vulnerabilities, understand dependencies for delivering their IBSs and conduct scenario testing. This includes an understanding of how outsourcing and third-party support affect each IBS (and the PRA has published its papers on outsourcing alongside these requirements).
In order to test their ability to respond to, and recover from, the inevitable problems, firms need to carry out scenario testing of their procedures and operations against “severe but plausible” scenarios and notify the FCA if this results in any IBS exceeding its impact tolerance.
By 31 March 2022, the regulators expect firms to have carried out mapping and scenario testing to the extent of identifying each IBS and any vulnerabilities in operational resilience and to set impact tolerances. Further sophistication in mapping and testing with a view to remaining within these impact tolerances then needs to be in place by 31 March 2025.
4. Maintaining communication strategies
The regulators expect firms to have strategies in place to deal with internal and external communication of operational disruptions. This includes planning in advance how to provide important warnings or advice quickly to consumers and other stakeholders, including where there is no direct line of communication due to the disruption.
5. Learning from experience and reporting
Firms should carry out lessons-learned exercises on any operational disruption to identify weaknesses and possible improvements to their response and recovery. The rules require firms to act on these improvements for any future disruptions.
Firms will also need to prepare, and keep updated, a detailed written self-assessment of their compliance with the operational resilience requirements from 31 March 2022. These records must be retained for six years and provided to the FCA on request.
In an increasingly digital environment, regulators expect firms to keep their systems (or an equivalent workaround) working well to meet clients’ requirements in the face of predictable threats. There is a lot for firms to plan and assess for implementation by March 2022. However, ensuring operational resilience is seen as a “dynamic activity” and firms and regulators alike will be learning in the transition to the new environment.
The UK regulators are realistic about disruption occurring, but do expect firms to be ready to deal with the disruption and to have contingency plans in place, even if this means keeping some more basic processes available in the background in case all else fails.
Read other items in Commercial Brief - July 2021