Operational resilience: Developments in the financial services sector in the UK

This series is split in three parts:

• Part 1 includes an overview of the most recent operational resilience regulatory developments in the UK.
• Part 2 addresses the regulatory framework on operational resilience in the EU, and includes a table summarising the key UK and EU rules and guidelines relating to operational resilience. We also explain the impact of Brexit on the regulations that apply to UK firms and how we expect evolving EU regulations to affect UK firms.
• Part 3 outlines global regulatory developments in relation to operational resilience which are likely to be relevant to firms in the UK.

Introduction

Operational resilience is the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.

Many firms have been confronted with unprecedented levels of business disruption due to the COVID-19 pandemic, bringing the issue of operational resilience into sharp focus for regulators and firms alike. Even before the pandemic began, operational resilience was becoming a priority boardroom issue. The occurrence of several high profile system failures resulting in customers being unable to access their accounts caught the attention of regulators, and scrutiny over firms' ICT and cyber risk management strategies had already become a key regulatory focus area. But the pandemic has undoubtedly tested firms' operational resilience measures in a much more significant way than could have been anticipated, and many firms are now approaching remediation projects with a greater sense of urgency.

Due to the increasing complexity and interconnectedness of the UK financial system, the UK financial regulators have recognised the need for a harmonised approach to operational resilience regulation. The Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Bank of England (BoE) are working towards a comprehensive regulatory framework on operational resilience, which they initiated by a joint discussion paper issued in July 2018 on Building the UK financial sector’s operational resilience.

Following that discussion paper, the regulators set out their latest proposals in a series of consultation papers on 5 December 2019:

• the PRA’s consultation paper “Operational resilience: Impact tolerances for important business services” (CP29/19);
• the BoE and the PRA’s consultation paper “On outsourcing and third party risk management” (CP30/19); and
• the FCA’s consultation paper “Building operational resilience: impact tolerances for important business services and feedback to DP18/04” (CP19/32).

The consultation papers indicate a clear shift in the industry's mindset towards accepting that severe business disruptions are inevitable. Rather than seeking to prevent disruptions altogether, regulatory focus is shifting towards ensuring continuity of the services that people and the wider economy rely on most, even when faced with a severe disruption.

The regulators have made clear that the new requirements, if brought into effect, will sit alongside existing operational risk management requirements as opposed to replacing them.

The PRA’s consultation paper “Operational resilience: Impact tolerances for important business services” (CP29/19)

CP29/19 proposes to implement (i) amendments to the PRA Rules which will introduce a regulatory framework in relation to operational resilience; and (ii) a Statement of Policy (SoP) setting out the PRA’s approach to the supervision of existing policies.

If this proposal is adopted, the PRA will ask in-scope firms to:

(a) Identify "important business services". These are services provided to users that, if disrupted, could cause “an intolerable level of harm to consumers or market participants, harm market integrity, threaten policyholder protection, the safety and soundness of individual firms, or financial stability”;

(b) Establish "impact tolerances". These are operational resilience standards for each important business service, quantifying the maximum tolerable level of disruption. “Tolerance” should be judged from the perspective of the customer and the wider financial system, rather than the individual firm;

(c) Conduct testing. Testing exercises should be undertaken to ensure that the business can stay within its impact tolerances, and firms should take actions to correct any identified issues;

(d) Ensure board-level oversight. Firms should ensure there is effective supervision by senior management to support important business services. The board should possess sufficient knowledge, skills and experience to meet its responsibilities in overseeing the firm's operational resilience requirements; and

(e) Conduct regular self-assessments. Firms will need to demonstrate compliance by carrying out self-assessments regularly.

From a practical perspective, the impact of the proposed requirements on each firm will depend on the sophistication of their current operation resilience strategy. Although the rules have not yet come into force, in-scope firms would be well advised to start reviewing their operational resilience policies and practices to allow sufficient time to introduce new concepts, test them and implement the appropriate governance in line with CP29/19.

The BoE and PRA’s consultation paper “On outsourcing and third party risk management” (CP30/19)

Outsourcing and other third party arrangements are increasingly important in the financial sector as financial institutions have become more and more reliant on third party service providers. This increased reliance can pose risks to a firm's operational resilience as well as the industry as a whole. Risks can range from individual business risks (e.g. disclosure of sensitive information or impediments to conducting effective audits) to industry wide risks (e.g. over-reliance on a small number of dominant service providers leading to systemic concentration risk).

CP30/19 introduces a draft supervisory statement ("SS") setting out the PRA’s expectations as to how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third party risk management. Generally, the requirements set out in the SS broadly align with the EBA Guidelines on outsourcing arrangements (the "EBA Outsourcing Guidelines") and the EIOPA Guidelines on outsourcing to cloud service providers (the "EIOPA Cloud Guidelines"). These include: 

• governance requirements for entering and overseeing outsourcing arrangements;                                                               
• requirements for pre-outsourcing analysis which must include appropriate due diligence, a materiality assessment and a risk assessment; 
• record-keeping obligations; 
• requirements for maintaining an outsourcing policy; 
• provisions that must be included in written outsourcing agreements; and 
• a requirement to notify the PRA when entering or amending material outsourcing arrangements.

There are, however, some important differences between the SS and the EBA Outsourcing Guidelines and EIOPA Cloud Guidelines:

• As with the EBA and EIOPA Guidelines, the SS imposes more stringent requirements for higher risk outsourcing arrangements, however the SS refers to these as “material” outsourcings (in line with the PRA Handbook terminology), whereas the EBA and EIOPA Guidelines use the concept of "critical or important" outsourcings (terminology drawn from MiFID II). "Material outsourcing" is defined as an outsourcing of "services of such importance that weakness, or failure, of the services would cast serious doubt upon the firm's continuing satisfaction of the threshold conditions or compliance with the Fundamental Rules". This differs from the definition of an outsourcing of "critical or important functions" used in the EBA and EIOPA Guidelines. While the two concepts in practice will likely encompass the same types of arrangements, having separate definitions may present challenges for firms establishing their own criteria for materiality assessments. 
• The PRA proposes obligations for both parties to implement and test business continuity plans.  
• Unlike the EIOPA Cloud Guidelines which apply only to cloud outsourcing arrangements, the SS will take the same approach as the EBA Outsourcing Guidelines in their application to both cloud and non-cloud outsourcing arrangements. This means insurance companies will likely need to review their non-cloud arrangements and existing outsourcing policies to bring them in line with the new requirements. 

The draft SS acknowledges that where third party arrangements fall outside the definition of “outsourcing” under the EBA Outsourcing Guidelines, they may still have an impact on the financial stability of the UK, the operational resilience of firms, and the performance of regulated activities or a firm's resolution objectives. In such instances, firms are reminded of the obligation to comply with the PRA’s Fundamental Rules and general requirements on governance, risk management and systems and controls.

Similar to the EBA Outsourcing Guidelines and the EIOPA Cloud Guidelines, the PRA’s approach is based on the principle of proportionality under which firms are expected to meet the above regulatory requirements in a manner appropriate to their size, internal organisation and the nature, scope and complexity of their activities.

In light of the COVID-19 crisis and increasing regulatory scrutiny of firms' reliance on third party IT services, there is likely to be a shift away from a strict outsourcing/non-outsourcing view and towards a broader third party risk management approach whereby a risk assessment is undertaken in respect of all third party arrangements, while taking account of the more stringent requirements applicable where an arrangement constitutes an outsourcing.

The FCA consultation paper “Building operational resilience: impact tolerances for important business services and feedback to DP18/04” (CP19/32)

While CP19/32 has not yet been finalised, FCA’s COVID-19 guidance on operational resilience clarifies that the FCA expects the firms in scope to take the matters set out in the consultation paper into account when responding to the COVID-19 crisis. 

CP19/32 includes policy proposals and amendments to the FCA Handbook on operational resilience. Unlike the PRA’s approach to addressing outsourcing matters separately, CP19/32 includes a chapter specifically on outsourcing. CP19/32 specifically notes that the FCA is not proposing changes to the FCA Handbook rules and guidance on outsourcing or third-party service provision as part of this consultation.

Similarly to the PRA’s CP29/19, CP19/32 requires firms:

(a) to identify "important business services" which, if disrupted, would cause "intolerable levels of harm to consumers or market integrity". Notably, the language in CP19/32 mirrors the PRA’s CP29/19, although the PRA’s definition places a heavier emphasis on the tolerance level of the financial system as a whole;

(b) set "impact tolerance levels" beyond which a disruption to an important business service would cause "intolerable levels of harm". Given subtle differences in the FCA and PRA requirements, dual regulated firms may need to have two impact tolerances for each important business service (one based on harm to consumers and market integrity, and another based on financial stability, safety and soundness and policyholder protection); and

(c) conduct mapping and scenario testing exercises to test their impact tolerances in a "range of severe but plausible disruption scenarios".

The final reports on the above CPs are expected in Q1 2021 and will be followed by at least a 12-month implementation period.

For more information on international instruments which are relevant to the UK financial industry please refer to our articles on operational resilience developments in Europe and globally in Parts 2 and 3 of this series.

Key takeaways

1. The financial services industry mindset has shifted towards accepting business disruptions as inevitable. Rather than preventing disruptions altogether, regulators will expect firms to ensure continuity of the services that people and the wider economy rely on most, even when faced with a severe disruption.
2. The new requirements, if brought into effect, will sit alongside the existing risk management requirements as opposed to replacing them.
3. Under regulatory proposals, firms will be expected to:

• identify important business services based on what matters to customers, consumers and the industry as a whole;
   
• undertake mapping to identify and document the resources that deliver and support important business services;
   
• establish impact tolerances for each important business service. 'Tolerance' should be judged from the perspective of the customer and the wider financial system, rather than the individual firm;
   
• conduct testing to ensure that firms can remain within their impact tolerances in the event of a severe but plausible disruption scenario;
   
• ensure board-level oversight of operational resilience strategy; and
   
• conduct regular self-assessments.
   

4. Key steps to be taken by firms will likely include replacement of legacy IT infrastructure, more robust vendor engagement processes, enhanced staff training, revised communications plans for managing disruptions, and improved governance structures.
5. The PRA's draft supervisory statement on Outsourcing and Third Party Risk Management seeks to implement and elaborate on the EBA Outsourcing Guidelines. Although the measures are similar, there are some differences which could give rise to interpretational challenges for firms that are in-scope for both sets of requirements.

Authored by John Salmon, Louise Crawford, Victoria Truffaut and Christina Wu