On 5 December 2019, the FCA, PRA and Bank of England published their joint and coordinated consultation papers on new requirements to strengthen operational resilience in the financial services sector.
They are a response to the Treasury Select Committee’s investigation into IT failures within the financial services industry.
The proposals develop and expand on the ideas set out in their 2018 Discussion Paper and are consistent with the regulators’ stated view that operational risk and resilience is now a shared priority issue, equivalent in importance to financial stability.
The CPs (FCA: CP19/32) set requirements and expectations for PRA firms, enhanced SMCR firms and financial market infrastructure and provide further clarity on the Regulators’ common approach to supervising firms’ operational resilience.
They also emphasise the importance of outsourcing and other third-party service provision to operational resilience.
It is striking that the proposals introduce a new paradigm of outward-facing awareness where firms will have to think about their potential impact on the stability of the UK financial system from an operational perspective (and not just the impact on their own balance sheet).
At a high level, the proposals require firms to:
- identify their important business services;
- set impact tolerances that they can remain within (the PRA’s proposals further specify here that the impact tolerance set for each important business service must specify the first point at which a disruption to that service would pose a risk to the stability of the UK financial system or the firm’s safety and soundness);
- map the people, processes and technology that deliver their important business services;
- test and demonstrate that they can respond to and recover from disruptions;
- produce a self-assessment document outlining the state of their operational resilience; and
- maintain an internal and external communication strategy and provide clear, timely and relevant communications to consumers and other stakeholders in the event of an operational disruption.
The exercise of mapping systems and processes that support business services in order to identify vulnerabilities in the delivery of important business services within an impact tolerance, will require firms to consider systems and processes over which the firm may not have direct control (for example, third-party service providers).
Although the CPs largely mirror the 2018 Discussion Paper on operational resilience, the regulators have added a level of detail that are not typically seen in regulating the ‘nuts and bolts’ of the way financial services firms work.
The CPs include a maximum level of tolerable disruption with the regulators not leaving it up to firms to decide this entirely for themselves.
The regulators have stressed their expectation on firms to fix weaknesses and have set out actions they expect firms to take.
At an even more granular level, the regulators have commented on testing requirements.
Outsourcing and the impact of third-party service providers
The FCA is not proposing changes to the FCA’s Handbook rules and guidance on outsourcing or third-party service provision as part of this consultation, noting that existing rules and guidance in this area are already extensive.
While the FCA suggests the existing requirements for regulated outsourcing are adequate, it highlights “important regulatory developments” that are of relevance to outsourcing and other third-party service provision with implications for operational resilience, and in particular refers to guidelines provided by the European Supervisory Authorities.
In contrast, the PRA has set out new proposals on outsourcing and third-party risk management, including the use of cloud services, which it says will “steer firms to be resilient in their adoption of new technologies” and thus complement the proposals on operational resilience.
It is no surprise then that the proposals go further than any other outsourcing requirements in relation to “stressed exits” and having realistic plans for dealing with them.