In recent years, operational resilience has come under the spotlight of financial regulators globally, leading to a proliferation of new regulation. The sheer number of publications on this topic can be confusing for businesses navigating the regulatory landscape.
This article is Part 1 of our series of articles on operational resilience. The series aims to summarise international and national regulatory developments and how these impact outsourcing and the use of information and communications technology (ICT).
This series is split into three parts:
Operational resilience is the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
Many firms have been confronted with unprecedented levels of business disruption due to the COVID-19 pandemic, bringing the issue of operational resilience into sharp focus for regulators and firms alike. Even before the pandemic began, operational resilience was becoming a priority boardroom issue. The occurrence of several high-profile system failures resulting in customers being unable to access their accounts caught the attention of regulators, and scrutiny of firms' ICT and cyber risk management strategies had already become a key regulatory focus area. But the pandemic has undoubtedly tested firms' operational resilience measures in a much more significant way than could have been anticipated, and many firms are now approaching remediation projects with a greater sense of urgency.
Due to the increasing complexity and interconnectedness of the UK financial system, the UK financial regulators have recognised the need for a harmonised approach to operational resilience regulation. The Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Bank of England (BoE) are working towards a comprehensive regulatory framework on operational resilience, which they initiated by a joint discussion paper issued in July 2018 on Building the UK financial sector’s operational resilience.
Following that discussion paper, the regulators set out their latest proposals in a series of consultation papers on 5 December 2019:
The consultation papers indicate a clear shift in the industry's mindset towards accepting that severe business disruptions are inevitable. Rather than seeking to prevent disruptions altogether, regulatory focus is shifting towards ensuring continuity of the services that people and the wider economy rely on most, even when faced with a severe disruption.
The regulators have made clear that the new requirements, if brought into effect, will sit alongside existing operational risk management requirements as opposed to replacing them.
CP29/19 proposes to implement (i) amendments to the PRA Rules which will introduce a regulatory framework in relation to operational resilience; and (ii) a Statement of Policy (SoP) setting out the PRA’s approach to the supervision of existing policies.
If this proposal is adopted, the PRA will ask in-scope firms to:
(a) Identify "important business services". These are services provided to users that, if disrupted, could cause “an intolerable level of harm to consumers or market participants, harm market integrity, threaten policyholder protection, the safety and soundness of individual firms, or financial stability”;
(b) Establish "impact tolerances". These are operational resilience standards for each important business service, quantifying the maximum tolerable level of disruption. “Tolerance” should be judged from the perspective of the customer and the wider financial system, rather than the individual firm;
(c) Conduct testing. Testing exercises should be undertaken to ensure that the business can stay within its impact tolerances, and firms should take actions to correct any identified issues;
(d) Ensure board-level oversight. Firms should ensure there is effective supervision by senior management to support important business services. The board should possess sufficient knowledge, skills and experience to meet its responsibilities in overseeing the firm's operational resilience requirements; and
(e) Conduct regular self-assessments. Firms will need to demonstrate compliance by carrying out self-assessments regularly.
From a practical perspective, the impact of the proposed requirements on each firm will depend on the sophistication of its current operational resilience strategy. Although the rules have not yet come into force, in-scope firms would be well advised to start reviewing their operational resilience policies and practices now, to allow sufficient time to introduce new concepts, test them and implement the appropriate governance in line with CP29/19.
Outsourcing and other third party arrangements are increasingly important in the financial sector as financial institutions have become more and more reliant on third party service providers. This increased reliance can pose risks to a firm's operational resilience as well as the industry as a whole. Risks can range from individual business risks (e.g. disclosure of sensitive information or impediments to conducting effective audits) to industry wide risks (e.g. over-reliance on a small number of dominant service providers leading to systemic concentration risk).
CP30/19 introduces a draft supervisory statement ("SS") setting out the PRA’s expectations as to how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third party risk management. Generally, the requirements set out in the SS broadly align with the EBA Guidelines on outsourcing arrangements (the "EBA Outsourcing Guidelines") and the EIOPA Guidelines on outsourcing to cloud service providers (the "EIOPA Cloud Guidelines"). These include:
There are, however, some important differences between the SS and the EBA Outsourcing Guidelines and EIOPA Cloud Guidelines:
The draft SS acknowledges that where third party arrangements fall outside the definition of “outsourcing” under the EBA Outsourcing Guidelines, they may still have an impact on the financial stability of the UK, the operational resilience of firms, and the performance of regulated activities or a firm's resolution objectives. In such instances, firms are reminded of the obligation to comply with the PRA’s Fundamental Rules and general requirements on governance, risk management and systems and controls.
Similar to the EBA Outsourcing Guidelines and the EIOPA Cloud Guidelines, the PRA’s approach is based on the principle of proportionality under which firms are expected to meet the above regulatory requirements in a manner appropriate to their size, internal organisation and the nature, scope and complexity of their activities.
In light of the COVID-19 crisis and increasing regulatory scrutiny of firms' reliance on third party IT services, there is likely to be a shift away from a strict outsourcing/non-outsourcing view and towards a broader third party risk management approach whereby a risk assessment is undertaken in respect of all third party arrangements, while taking account of the more stringent requirements applicable where an arrangement constitutes an outsourcing.
While CP19/32 has not yet been finalised, the FCA's COVID-19 guidance on operational resilience clarifies that the FCA expects in-scope firms to take the matters set out in the consultation paper into account when responding to the COVID-19 crisis.
CP19/32 includes policy proposals and amendments to the FCA Handbook on operational resilience. Unlike the PRA’s approach to addressing outsourcing matters separately, CP19/32 includes a chapter specifically on outsourcing. CP19/32 specifically notes that the FCA is not proposing changes to the FCA Handbook rules and guidance on outsourcing or third-party service provision as part of this consultation.
Similarly to the PRA’s CP29/19, CP19/32 requires firms:
(a) to identify "important business services" which, if disrupted, would cause "intolerable levels of harm to consumers or market integrity". Notably, the language in CP19/32 mirrors the PRA’s CP29/19, although the PRA’s definition places a heavier emphasis on the tolerance level of the financial system as a whole;
(b) to set "impact tolerance levels" beyond which a disruption to an important business service would cause "intolerable levels of harm". Given subtle differences in the FCA and PRA requirements, dual-regulated firms may need to have two impact tolerances for each important business service (one based on harm to consumers and market integrity, and another based on financial stability, safety and soundness and policyholder protection); and
(c) to conduct mapping and scenario testing exercises to test their impact tolerances in a "range of severe but plausible disruption scenarios".
The final reports on the above CPs are expected in Q1 2021 and will be followed by at least a 12-month implementation period.
For more information on international instruments which are relevant to the UK financial industry please refer to our articles on operational resilience developments in Europe and globally in Parts 2 and 3 of this series.
Authored by John Salmon, Louise Crawford, Victoria Truffaut and Christina Wu