Other authors: Thea Wilkinson, Lawyer
Last week the Financial Conduct Authority ("FCA"), Prudential Regulation Authority ("PRA") and Bank of England published a joint policy statement on operational resilience, dealing with impact tolerances for important business services in the financial sector (the "Statement"). The new rules aim to ensure that firms can prevent operational disruptions, adapt and respond to them, recover from them and learn from them. The Statement follows an initial discussion paper in 2018 and a consultation on the same issues in December 2019.
There has not been a material change from the rules consulted on in December 2019. Instead, changes are largely around implementation – giving firms more time and flexibility.
The Statement notes that the COVID-19 pandemic has highlighted the importance of managing the risk to important business services, and that respondents to the consultation reported that the pandemic had exposed the extent of their reliance on third parties.
Types of organisations in scope
These new rules will affect a range of financial institutions including banks, building societies, designated investment firms, and insurers. Notably, entities authorised or registered under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011 will also be included within scope.
1. Identifying Important Business Services – by 31 March 2022
The new rules focus on the identification and governance of important business services ("IBSs"). The Statement confirms that an IBS is defined as a service which, if disrupted, could either:
- "cause intolerable levels of harm to one or more of the firm's clients; or
- pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets."
The Statement suggests that while internal processes (such as payroll) are important for operational resilience, they will not usually be an IBS, unless they are necessary for the external provision of services to clients.
Firms are expected to consider the nature of their clients when determining if a service is an IBS, meaning in some cases services affecting only a small number of clients can be an IBS. Firms are also directed to guidance on the fair treatment of vulnerable customers to be considered when identifying IBSs and their impact tolerances.
Firms should start work now: they are expected to have identified all of their IBSs by 31 March 2022, when the new rules come into force, and to review them at least once a year thereafter. Firms should also identify and record the people, processes and technology that support each IBS.
Firms are also asked to review their IBSs when there has been a material change to their business, or the market in which they operate. Examples of material changes include: undertaking a new activity, outsourcing a new service, and changing the scale of services provided.
2. Defining impact tolerances – by 31 March 2022
Having identified their IBSs, firms must then set an impact tolerance for each IBS individually. An impact tolerance is "the first point at which a disruption to an important business service would cause intolerable levels of harm to consumers or risk to market integrity."
In addition, firms that are also regulated by the PRA must record a second impact tolerance for each IBS, set at the first point at which a disruption would put the firm's safety and soundness, or financial stability, at risk. Some smaller PRA-regulated firms will not be required to consider financial stability when setting their tolerances.
A time-based metric, the maximum tolerable duration of disruption, is mandatory for every impact tolerance, and firms may add any other metrics they consider relevant. Examples of other metrics include cost, scale, data volume, value of market impact and the number of customers affected.
Firms are asked to consider severe but plausible disruption scenarios when setting impact tolerances; the Statement gives the COVID-19 pandemic as an example of such a scenario.
Where an IBS is outsourced, firms must work with their third party providers to set impact tolerances and to ensure they are not exceeded. Where a third party provider outsources work further, firms must still be able to understand any potential vulnerabilities in that chain. This matters because firms remain responsible for disruptions caused by their third (and even fourth) party providers that lead to customer or market detriment, just as they would for a disruption originating within the firm itself.
By 31 March 2022 firms must have carried out sufficient testing to set impact tolerances accurately for all IBSs and to identify any vulnerabilities.
3. Staying within impact tolerances – by 31 March 2025
Firms are then asked to remain within these impact tolerances, and make any investments necessary to do so, as soon as possible but by no later than 31 March 2025.
Global view on operational resilience
Operational resilience remains a focus of regulators globally. In response to calls from respondents for global regulatory alignment through commonly defined terms, the Statement suggests that these new rules are a step towards greater consistency in global standards.
The Statement also acknowledges close links with work by other regulators globally, including:
- the European Banking Authority's guidelines on ICT and security risk management and on outsourcing arrangements;
- the Basel Committee on Banking Supervision's proposed Principles for Operational Resilience;
- the European Commission's proposed Digital Operational Resilience Act ("DORA"); and
- the International Organization of Securities Commissions' Principles on Outsourcing.
Firms considering how these rules apply to their international businesses can therefore take some comfort that, in complying with the Statement, they will also be broadly in line with the other major international operational resilience regimes referred to above.
Firms with a presence in both the UK and the EU should, however, note the difference in scope between the new UK rules and DORA. DORA aims to harmonise digital operational resilience rules for financial organisations in the EU, with a particular focus on operational resilience testing and on ICT third party service providers. DORA also imposes several practical requirements, such as the use of an ICT risk management framework.
Recent policy on operational resilience represents a paradigm shift in the way both UK and international regulators expect financial services firms to plan for and manage major operational incidents. Firms will no longer be able to argue that a disruptive event was unforeseen once consumer or market harm has occurred as a result of it. The new rules make clear that systems and controls which merely aim to prevent disruptive events are not enough: firms are expected to assume that disruptions will happen, and to be able to maintain continuity of service and avoid market disruption when they do. In an age of increasing cyber incidents, and in the wake of the COVID-19 pandemic, this is a logical progression in the regulators' thinking.