Britain’s financial regulators have come together to publish a shared policy document and co-ordinated consultation papers that detail plans for how they plan to crack down on the complacency of financial institutions when it comes to technology failures.
The BoE, PRA and FCA are consulting are new requirements on firms they supervise to help strengthen ‘operational resilience’ - or, as the group describe it, the ability for the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
This comes after a number of banking failures and disruptions in recent years. Particular attention has been paid to TSB’s botched IT upgrade in 2018, which left 1.9 million customers locked out of their accounts for weeks.
However, the regulators also mention cyber-related attacks and operational incidents outside of a firm’s control. The new rules will apply to banks, building societies, investment firms, and investment exchanges, amongst others.
Megan Butler, executive director of supervision at the FCA, was speaking this week at TISA’s Operational Resilience Forum, where she said:
Our intention is to bring about change in how the industry thinks about operational resilience – a shift in mindset as it were – informed and driven by the public interest.
It is fair to say there have been a number of cyber-attacks over the past three years which have shown that it is more important than ever to remain vigilant against cyber adversaries. From the Eurofins attacks to the data breaches affecting Ticketmaster and Tesco Bank.
But it is not just the external threat we need to be vigilant against. The disruption resulting from TSB’s IT upgrade served as an important reminder that our organisations need to be resilient to a far wider range of potential operational issues than cyber-attacks alone.
What’s being considered?
Butler said that the regulators’ view is that operational disruptions happen and that they understand this. They do not expect firms to stop all operational disruptions altogether, but instead focus on the continuity of financial products and services to customers - even in the event of severe operational disruptions.
She outlined the three core areas of the new regulations:
First, firms should identify their important business services and map successful delivery back to the key underlying resources,
Second, they should test their ability to withstand a severe event with reference to an impact tolerance, and
Third, they should use the test results to identify resilience gaps - and make investment choices that increase their ability to provide these important business services - even when severe disruptive events happen.
The group said that they are not proposing changing rules and guidance on outsourcing or third-party service provision, but added that all firms remain responsible for the management of their outsourcing and third-party relationships.
The regulators added, however, that firms may need to recogniser these relationships in the light of the renewed focus on operational resiliency. The consultation states:
In an increasingly complex and fast changing business environment, we want the delivery of important business services by firms to be able to prevent, adapt, respond, recover and learn from disruptive operational incidents. To achieve this outcome, firms need to consider their dependency on services supplied by third-parties and the resilience of these third-party services.
This includes those third-parties typically outside the regulatory perimeter, where firms retain responsibility for the delivery of their regulated services, including any dependency on the third-party service provider.
The consultations will be open for four months and close on 3 April 2020. During this time the regulators will engage with industry and the wider public on the proposals.
After the consultation closes and consideration has been given to the feedback and responses received, the group will publish a policy statement towards the second half of 2020.