Operational Resilience

FCA and PRA Consultations on Operational Resilience: impact tolerances for important business services

This note covers the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) shared policy summary and co-ordinated consultation papers (CPs) on new requirements to strengthen operational resilience in the financial services sector, including:

• FCA CP19/32 - Building operational resilience: impact tolerances for important business services and feedback to DP18/04;  and
• PRA CP29/19 - Operational resilience: Impact tolerances for important business services.

These consultations follow previously published FCA DP 18/04 and PRA/BoE DP 01/18 -Building the UK financial sector’s operational resilience and are open for feedback until 3 April 2020.

Of interest to:

 These consultations will be of interest to:

• UK Banks (including branches and subsidiaries);
• Building Societies;
• Investment firms;
• Solvency II firms;
• Enhanced scope Senior Managers & Certification Regime (SM&CR) firms;
• Recognised Investment Exchanges (RIEs);
• Firms and entities authorised under the Payment Services Regulations 2017 (PSRs 2017) and/or the Electronic Money Regulations 2011 (EMRs 2011).

The FCA CP does not apply to EEA firms.

Executive Summary

The regulators have adopted a coordinated approach in their proposals outlining the detailed requirements on firms to maintain an Operational Resilience framework that will have far reaching implications across the financial sector.

A shared priority of the supervisory authorities is to have a strong regulatory framework promoting operational resilience of firms and Financial Markets Infrastructures (FMIs). In order to achieve this, the authorities published their Joint Discussion Paper ‘Building the UK Financial Sector’s Operational Resilience’ in July 2018.The proposals outlined within the PRA and FCA Consultation Papers are based on this Discussion Paper with the aim of creating specific regulatory requirements in this regard.

Operational resilience has been high on the regulatory agenda for some time and remains in focus due to significant issues experienced by firms which include IT failures and failings in relation to outsourcing arrangements.

Current requirements for operational resilience are outlined in the regulators’ rulebooks and are also covered in various regulations such as MiFID, CRR, PSD II, etc. The proposals introduce requirements for firms on the implementation of a robust operational resilience framework and provide guidance in this respect.

The proposed framework does not replace existing requirements or propose changes to existing rules and guidance on outsourcing or business continuity. Instead, the proposals are designed to build on the existing regulatory framework and enhance operational resilience.

Firms will be required to identify their important business services, set impact tolerances for these services and document the people, processes, technology, facilities and information that support these important business services. Important business services are individual services offered by the firm that are critical to its operation such as transfer of funds, as opposed to a collections of services such as a current account for example.  Firms will need to define and apply impact tolerances to these services aiming to determine the maximum level of acceptable disruption to that important business service.

The supervisory authorities have not provided definitive lists or taxonomies of important business services nor have they set impact tolerances since firms will have to take into account proportionality and their unique business models. The regulator will, however, expect firms to be able to provide their detailed methodologies outlining the process for identification of important business services and setting up impact tolerances.  

The proposals also include the development of testing of scenarios by which to assess the firm’s ability to remain within the set impact tolerances. Firms will also be required to have effective communication strategies in place to manage contact between both internal and external stakeholders in the event of a disruption.

There is a requirement for firms to complete a self-assessment exercise to evidence compliance with the proposed requirements, including outlining the methodology used to identify important business services, apply impact tolerances and test these as well as an action plan outlining how the firm will seek to address any vulnerabilities identified.

In terms of governance, the board and senior management should have an effective oversight of the firm’s operational resilience since they are ultimately responsible and accountable for the implementation of these requirements. Firms also retain full responsibility and accountability for services and activities outsourced to third parties.

Although regulators are stating that the proposed enhancements to the regulatory framework do not conflict or supersede existing requirements and that there are no changes to rules or guidance on outsourcing or business continuity planning, the proposed changes will require some substantial changes to a firm’s governance, processes and procedures for managing operational resilience.  Regulatory expectations are that these will be carried out as soon as reasonably practicable.  This will include taking decisive action to replace outdated or weak infrastructure and increasing system capacity. Managing such changes will require significant planning by firms.

The requirements of each supervisory authority are aligned but not identical

The proposals on the relevant CPs will support supervisory authorities in embedding operational resilience into their prudential and conduct frameworks. The approach taken by each supervisory authority is not identical but their intended outcomes are aligned. For example, the FCA proposes that firms identify important business services and review the possible impact of disruption to these services on at least an annual basis or in the event of a significant change to the firm’s business model. The PRA seems to not have included the yearly review requirement in its proposals, however, the overall aim and intended outcomes are the same.

The proposals have redefined ‘important business services’

The proposals have redefined ‘important business services’ which now include the consideration of the chain of activities which make up a business service, from taking on an obligation, to delivery of the service, and determine which part of the chain is critical to delivery.

An important business service is defined as “a service provided by a firm or FMI to an external end user or participant where a disruption to the provision of the service could cause intolerable harm to consumers or market participants; harm market integrity; threaten policyholder protection; safety and soundness; or financial stability.”

The supervisory authorities have not introduced definitive lists or taxonomies of these services. Firms need to use their own judgement to identify these based on size, strategy, activities and risk appetite.

According to the proposals, firms will be required to identify their important business services and all resources that are required to deliver that part of the service. The identification process should be sufficiently granular so that an impact tolerance can be applied and tested. For example, the FCA mentions that important business services should be identified as separate services (e.g. cash withdrawal, bank statements etc.), rather than a collection of services (e.g. current account, mortgage etc.). The PRA mentions that ‘important business services’ could include, for example, a bank’s payments services, a building society’s disbursement of mortgages or a retail bank’s provision of ATM cash withdrawals to customers.

Once identified, the board and senior management should be able to approve the impact tolerances, prioritise and make investment decisions accordingly. In addition, under the FCA’s proposals, firms will be required to review the possible impact of disruption to important services on an at least an annual basis or in the event of a significant change to the firms business model.

Firms will be required to set-up impact tolerances in relation to important business services identified

An impact tolerance is the maximum tolerable level of disruption to an important business service including the maximum tolerable duration of a disruption. These are expressed as specific outcomes and metrics which can be based on maximum tolerable duration (e.g. 24 hours) or volume (e.g. 5% of customer base) of a disruption. The aim is to use them as a planning tool whilst ensuring that the important business services have the ability to remain within impact tolerances in severe but plausible scenarios.

When setting-up impact tolerances firms should consider the harm caused to consumers or market participants, harm to market integrity, the firm’s safety and soundness or financial stability and appropriate degree of policyholder protection.

The Discussion Paper does not comment on how the framework would work for dual regulated firms. Dual regulated firms could have up to two impact tolerances for each important business service – one considering financial stability, safety and soundness and policyholder protection, the other set with reference to consumer harm and harm to market integrity. It is important to note that a dual regulated firm will need to be able to tell the FCA and PRA the relevant impact tolerance for each important business service. The regulators will co-operate when supervising dual-regulated firms.

Firms should identify limitations preventing them from remaining within the impact tolerances for mapping and scenario testing and when a disruption occurs, they should focus on the recovery actions to continue the delivery of the affected important business service.

The FCA proposes that controls should be in place to ensure the firm operates within impact tolerances and these must be reviewed on an annual basis or in the event of a significant change to the firm’s business model. The PRA on the other hand does not appear to specify a review period.

Both CPs provide for transitional arrangements.  The PRA clarifies that firms must be able to remain within impact tolerances within a reasonable time of it coming into effect, up to a maximum of three years. The FCA has taken a similar approach by highlighting that firms must be able to remain within their impact tolerances as soon as reasonably practicable, but no later than three years after the rules come into effect.

Mapping of Important Business Services

Firms will need to identify and document the resources required to support important business services, considering key individuals, processes, technologies, facilities and information. This process is referred to as mapping and the requirement only applies to ‘important business services’ (not all business services).

Firms are allowed to develop their own methodology for mapping.  Such mapping will then allow firms to identify vulnerabilities and take action to address them and test their ability to remain within impact tolerances. Examples of such vulnerabilities include complexity or substitutability of resources or single point of failure.

Scenario Testing

Firms will need to develop and implement a testing plan to assess the ability to remain within the set impact tolerances in order to gain assurance over the resilience of important business services. The nature and frequency of the testing plan should be proportionate to the size and complexity of the firm. For example, firms must determine the most appropriate methods of testing, whether this is paper based testing, simulations or testing of live-systems.

Testing should focus on response and recovery actions, rather than focusing exclusively on prevention, and include a range of scenarios, including those in which they anticipate exceeding their impact tolerance.

Self-assessment

Firms will be required to create a self-assessment to evidence compliance with regulatory requirements documenting the methodology they have used, such as how firms have identified important business services and how they set impact tolerances.

The assessment should include an action plan to address the vulnerabilities to remain within the set impact tolerances. Firms should also demonstrate that the timing for these actions is reasonable and proportional of the firm’s important business service. Firms’ boards and senior management should approve the self-assessment and are accountable for ensuring that appropriate mechanisms for resilience are in place.

The assessment should be provided to regulatory authorities upon request.

Governance and SM&CR

Firms must be able to demonstrate compliance with the existing requirements that PRA and the FCA have in relation to governance of operational resilience. In order to do so, senior management should have sufficient knowledge, skills and experience to meet its operational resilience responsibilities for example by challenging senior management constructively on the firm’s operational resilience.

Boards and senior management should be actively involved in the oversight of their firm’s operational resilience work, in particular the ones focusing on the strategic outcomes such as identification of important business services, setting up impact tolerances and ensuring that the firm remains within impact tolerances in case of disruption.

Boards and senior management would need to take action to improve operational resilience where the firm was not able to remain within the set tolerance for an important business service in a severe but plausible scenario. This would include for example, taking action to address vulnerabilities in legacy systems.

The FCA CP outlines the FCA’s expectations as to how accountability for operational resilience is allocated in line with SM&CR. Where firms have a designated Chief Operations Function (SMF24), this individual will likely be responsible for implementing the proposals outlined in the FCA CP.  Firms that do not have a designated SMF24 will have to delegate responsibility for operational resilience to the most appropriate Senior Manager. The PRA does not specify a specific function responsible for implementing the proposals but rather expects that boards satisfy themselves that their firm is meeting the overall requirements.

Outsourcing

Firms are required to remain within impact tolerances for important business services, irrespective of whether or not they use third parties in the delivery of these services. Firms retain, therefore, full accountability for all services that have been outsourced. This includes having appropriate governance and internal controls to identify, manage and report risks resulting from all arrangements with third parties.

When mapping resources that support important business services, firms should also consider third-party providers and implement appropriate operational resilience contingencies.

Planning & Communication

Firms are required to develop communication strategies for internal and external stakeholders to prepare in advance how they can minimise the impact of disruptions and ensure that customers, the wider market and regulators are informed of an incident. Firms should include the escalation paths they would use to manage communications during an incident and to identify the appropriate decision makers.

Clear, timely and relevant communications should be provided to counterparties and other market participants.

High Level Impact Analysis

The concept of operational resilience is not new and regulatory expectations are clear in this regard. However, to date, there is no single and primary source for all regulation relating to operational resilience. Instead, there are various pieces of legislation, relating to the management of operational resilience, e.g. MiFID, CRR and PSD requirements on risk management, outsourcing, systems and controls, communication plans and business continuity plans.

Although regulators are stating that the proposed enhancements to the regulatory framework do not conflict or supersede existing requirements and that there are no changes to rules or guidance on outsourcing or business continuity planning, it is clear that the proposed changes will require some substantial changes to firm’s governance, processes and procedures for managing operational resilience and that regulatory expectations are that these will be carried out as soon as reasonably practicable. Managing such changes will require significant planning by firms.

In particular, regulators expect firms and FMIs to take “decisive and effective” actions to improve operational resilience, including (but not limited to):

•             Replacing outdated or weak infrastructure;

•             Increasing system capacity;

•             Achieving full fail over capability;

•             Addressing key person dependency;

•             Being able to communicate with all affected parties; and

•             Addressing vulnerabilities in legacy systems.

Such changes are likely to require significant investment by firms, with the FCA for example envisaging costs for all medium size-firm to total £315.3m (one off) and £128.2m (ongoing per annum).

From a governance point of view, the requirements will also have a significant impact, with firms having to carefully review their set up around accountability in view of regulatory expectations of senior staff and the Board.

For example, the FCA Consultation Paper(s) indicate that enhanced scope SM&CR firms will be subject to the proposals. Given that just under 400 sole FCA regulated firms have only been subject to SM&CR since 9 December 2019, these firms now face a further wave of regulatory requirements under the proposals.

The key issue for enhanced firms will be the apportionment of responsibilities in respect of operational resilience. This will be less of an issue for firms that have an appointed SM24 - Chief Operations Function, as this individual will hold responsibility over the systems and technology of a firm. Where firms do not have an SMF24 the apportionment of responsibilities will need to be closely managed to ensure seamless oversight and compliance with regulatory expectations.

The current framework changes the focus from thinking about the resilience of individual systems and resources to considering the services that are provided to users and will therefore require firms to plan and organise the relevant activities around that focus.

Next Steps

The consultations are open for feedback until 3 April 2020 and the proposed implementation date for the proposals is the second half of 2021 and it is likely that the bulk of the proposals will be likely adopted by the regulator. Further policy requirements may be developed in the future, including reporting on which the PRA intends to consult in 2020.

Firms should review their current provisions for operational resilience against the current regulatory requirements outlined in the SYSC handbook and in the proposed requirements outlined in the Consultation Papers to identify any improvements that could usefully be made now.

If you have questions or require assistance please get in touch.