Regulation, Jan 13 2020

What the regulators plan for operational resilience

  • Describe what the new proposals on operational resilience mean
  • Describe where the FCA and PRA differ in their outlook
  • Identify whether there are extra costs involved
CPD: approx. 30 min

On 5 December 2019, the FCA, PRA and Bank of England published their joint and coordinated consultation papers on new requirements to strengthen operational resilience in the financial services sector.

They are a response to the Treasury Select Committee’s investigation into IT failures within the financial services industry. 

The proposals develop and expand on the ideas set out in their 2018 Discussion Paper and are consistent with the regulators’ stated view that operational risk and resilience is now a shared priority issue, equivalent in importance to financial stability.

The CPs (FCA: CP19/32) set requirements and expectations for PRA firms, enhanced SMCR firms and financial market infrastructure, and provide further clarity on the regulators’ common approach to supervising firms’ operational resilience.

They also emphasise the importance of outsourcing and other third-party service provision to operational resilience.

It is striking that the proposals introduce a new paradigm of outward-facing awareness where firms will have to think about their potential impact on the stability of the UK financial system from an operational perspective (and not just the impact on their own balance sheet).

The requirements

At a high level, the proposals require firms to:

  • identify their important business services; 
  • set impact tolerances that they can remain within (the PRA’s proposals further specify here that the impact tolerance set for each important business service must specify the first point at which a disruption to that service would pose a risk to the stability of the UK financial system or the firm’s safety and soundness); 
  • map the people, processes and technology that deliver their important business services; 
  • test and demonstrate that they can respond to and recover from disruptions; 
  • produce a self-assessment document outlining the state of their operational resilience; and 
  • maintain an internal and external communication strategy and provide clear, timely and relevant communications to consumers and other stakeholders in the event of an operational disruption.

Mapping the systems and processes that support business services, in order to identify vulnerabilities in the delivery of important business services within an impact tolerance, will require firms to consider systems and processes over which the firm may not have direct control (for example, third-party service providers).

Although the CPs largely mirror the 2018 Discussion Paper on operational resilience, the regulators have added a level of detail that is not typically seen in the regulation of the ‘nuts and bolts’ of the way financial services firms work.

The CPs include a maximum level of tolerable disruption, with the regulators not leaving it entirely up to firms to decide this for themselves.

The regulators have stressed their expectation that firms fix weaknesses and have set out actions they expect firms to take.

At an even more granular level, the regulators have commented on testing requirements.
