Paul Walsh is Practice Lead, Digital Transformation, and Head of European Consulting for Capital Markets at Treliant. He is an accomplished change leader, with more than 25 years’ experience and a proven track record of delivering large-scale transformation programmes across business and technology in complex global banking environments. He has…
Operational and Technological Resilience Model
Even before COVID-19 had an unprecedented impact on the global financial services industry, regulators worldwide were focusing on the ability of financial institutions to respond to unforeseen events. Preparing for, avoiding, and ultimately recovering from such events must be handled consistently, and managing that complexity depends on a coherent data set.
Where centralized data governance is lacking and systems are fragmented, data sources are disparate, and processes are highly manual and interdependent, institutions end up with multiple versions of the truth, weakening control and increasing costs. These factors are the internal threats to a financial institution’s ability to deliver services effectively and consistently to its customers and to ensure regulatory compliance.
One issue that continues to gain momentum is operational resilience. It falls into two parts: the institution’s own internal resilience, and the resilience of the third parties that form its supply chain. This has been a common theme for the last three years, with the first compliance deadline for the institutions directly in scope falling in March 2022. Given the growing reliance on external parties such as cloud service providers, third-party resilience will be a specific focus for regulators in the coming year.
One initiative under consultation is a dedicated portal, managed by the regulators, that would capture the nature and detail of the third-party relationships essential to banks, whether cloud computing service providers, credit reference agencies, or payroll service providers, for example. This would complement the information regulators already capture in routine compliance reviews. While the consultation will draw a range of feedback, it is clear that regulators want greater visibility of financial institutions’ supply chains.
What is Operational Resilience?
The U.S. Federal Reserve (the central bank of the United States), the UK Financial Conduct Authority (FCA), and the UK Prudential Regulation Authority (PRA) describe operational resilience as the ability of financial services firms, and of the financial services sector as a whole, to prevent, adapt to, respond to, recover from, and learn from operational disruptions.
Essentially, it is about ensuring that the organization has contingency plans and risk mitigation strategies so that it is as prepared as possible for adverse scenarios. This should prevent harm from materializing, or help the organization recover more quickly when something does go wrong.
Building operational resilience goes beyond protecting the organization from falling victim to operational risk; it is also in the public interest. Firms that are prepared for unfavorable situations are better placed to protect consumers and the broader financial industry.
Operational resilience is also about changing your organization’s mindset. Instead of thinking about operational disruption as something that could happen, firms should assume it will happen. This shift in attitude should propel the organization to make operational resilience a priority and will help to drive cultural change within the industry.
What Are the Federal Reserve and FCA Operational Resilience Guidelines?
If you are not already familiar with the operational resilience policy of the U.S. Federal Reserve and the FCA, it focuses on five key areas:
Important business services – Services whose disruption would cause intolerable harm to consumers or to the market.
Impact tolerances – The maximum level of disruption to an important business service that the firm can tolerate. Disruption beyond this level would cause intolerable harm to consumers, the financial system, or financial markets.
Transitional arrangements – Firms have until March 31, 2022 to implement the new requirements. The FCA then sets a three-year transitional period during which firms must ensure they can remain within their impact tolerances.
Mapping and scenario testing – Mapping means identifying the resources needed to keep delivering important business services, from people and processes to technology and facilities. Scenario testing requires firms to assess whether they can remain within their impact tolerances under a range of severe but plausible scenarios.
Communication and self-assessment – When important business services are disrupted, the Federal Reserve and the FCA expect firms to have internal and external communication plans in place. Firms should also self-assess their operational resilience and document the result.
While the regulators’ operational resilience requirements may seem complex, they ensure that firms are prepared for the worst, so that severe operational disruption and harm to consumers and the market can be avoided.
Building the Operational Resilience Strategy
What should you do now to ensure that your firm strengthens its operational resilience to meet the Federal Reserve’s and the FCA’s frameworks? In summary, the organization should take the following steps:
- Identify the organization’s important business services. Which services, if disrupted, could cause severe harm?
- Set impact tolerances so that you can plan what actions are needed to stay within them.
- Identify vulnerabilities in your operational resilience, and learn from any operational disruptions that do occur.
- Carry out mapping and testing to the level of sophistication needed to perform the previous steps properly.
- Regularly update the organization’s operational resilience self-assessment; the Federal Reserve and the FCA may ask to see this document at any time.
- Put a robust communication plan in place to prepare the organization for adverse scenarios and to minimize further disruption if a risk materializes.
At least once a year, or whenever there is a significant change in the organization or the market, review the organization’s important business services and impact tolerances and update them as required so that nothing is missed.
The growing technological pressure of digital-only FinTech and challenger banks will need to be addressed by the established traditional banks. As more of these companies are awarded banking licenses, incumbent financial service providers must counter their legacy technology constraints to keep pace and protect market share. This inevitably will demand an increased focus on innovation and the customer. To support consumers’ shifting demands and behaviors, traditional institutions will bring their modernization agenda and cloud adoption to the forefront of strategy with intensified investment, combatting the ability of new entrants to gain significant market share.
Heightened Environmental Attention
The growing obligation for companies to respond to external environmental pressures will ensure that eco-friendly products and services are made increasingly available for customers. Financial service providers, and their wider supply chains, will face more probing inspection into their environmental footprint. This will lead to an organizational requirement to better understand and manage supply chains to ensure environmental alignment with regulations and consumer demands.
Digital Operational Resilience Testing
Under the European Union’s proposed Digital Operational Resilience Act (DORA), firms will have to test their ICT capabilities and functions regularly, and at least annually. This includes testing for preparedness, identifying weaknesses or gaps, and promptly implementing corrective measures. For significant and cyber-mature entities, Article 23 of the proposal adds an obligation to conduct advanced threat-led penetration testing (TLPT) at least every three years. TLPT must cover the critical functions and services of the financial entity and is performed on the live production systems supporting those functions.
Managing Information and Communications Technology (ICT) Third-Party Risk
The regulation requires financial entities to monitor ICT third-party risk effectively. It sets out 11 principles that financial entities must follow to manage third-party risk. These principles (which overlap with the European Banking Authority (EBA) Guidelines on Outsourcing and are consistent with the Basel principles) cover wide-ranging areas, including contractual arrangements, adoption of strategies, inspection and audit rights, maintenance of a register of third-party service providers, and implementation of exit strategies (including the conditions under which contracts must be terminated). However, the regulation pointedly does not confine itself to arrangements that qualify as “outsourcing” or “material outsourcing.”
The regulation also prescribes minimum contractual terms, which are crucial to financial entities’ ability to monitor ICT third-party risk, and envisages regulators developing standardized contractual clauses.
Crucially, it requires firms to maintain a register of information on their use of third-party ICT service providers, not just at the individual-entity level but also at consolidated and sub-consolidated levels. The registers must be available for inspection by the regulator, and a further Regulatory Technical Standard (RTS) will supplement these requirements.
In a move that regulators have hinted at over the past few years, the most important inclusion in the regulation is the extension of oversight to critical ICT service providers. The proposal is that if an ICT service provider is considered “critical” for financial entities, a “Lead Overseer” will be appointed from among the European Supervisory Authorities (ESAs). Whether a service provider is “critical” will depend on factors such as its potential systemic impact, how widely it is used, the extent to which it is substitutable, and its geographical reach. The Lead Overseer will assess whether the critical ICT service provider has comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements to manage the ICT risks it may pose to financial entities.
Information Sharing Arrangements
The regulation will also allow financial entities to exchange cyber threat information and intelligence among themselves, including indicators of compromise; tactics, techniques, and procedures; cybersecurity alerts; and configuration tools. The aim is to enhance digital operational resilience by raising awareness of cyber threats, limiting or impeding their ability to spread, and supporting financial entities’ defensive capabilities, threat detection techniques, mitigation strategies, and recovery.
The regulation is sweeping, applying across almost the whole of the EU financial sector. Although its requirements are extensive, it builds on concepts already familiar to financial services firms.
Of much greater significance are the new oversight requirements on ICT service providers. Clearly, the thinking is that the existing requirement on regulated financial institutions to include audit and access rights in outsourcing agreements is not enough, and the regulators are keen to oversee the sector more consistently.
A company’s board of directors and senior management must establish, oversee, and implement an effective operational resilience approach that enables the firm to respond to, adapt to, recover from, and learn from disruptive events, so that it can minimize the potential impact of disruptions and operate with confidence while one is under way.
Regulatory attention will focus on the effectiveness of:
- Board review and approval of the “tolerance for disruption” at the enterprise level and for critical operations and core business lines, given the firm’s risk profile and operational capabilities under various scenarios.
- Board oversight, and senior management implementation, of sound practices, including maintaining a culture of risk management; sufficient and appropriate financial, technology, and staffing resources; and adherence to the tolerance for disruption.
- Business line front-to-back ownership of services and assignment of clear management responsibilities that incorporate resilience into governance protocols and provide transparency to the board.
- Information systems and controls that detect anomalous activity in a timely manner and give the board and senior management sufficient data, including depth of information and metrics, to respond promptly.
- Board reporting during cyber incidents, including notification times.
Most of 2022 is likely to be dominated by supervisory and policy design to address the impact of the COVID-19 pandemic. This will have enormous implications for how organizations design their future operating models.
In a growing number of jurisdictions, organizations will have no choice but to move quickly to implement new regulatory frameworks around operational and technological resilience and address vulnerabilities that are identified in how they operate.
This Article is Co-Authored By: Allen Moy, Senior Consultant