The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) are seeking to improve the operational resilience of the UK financial sector. This applies to many organisations, including banks, building societies, PRA-designated investment firms and insurers.
The new rules and guidance will come into force on 31 March 2022. By then, firms must have identified any vulnerabilities in their operational resilience. Sam Tyfield, partner at Shoosmiths, discusses operational resilience with the panellists from Aldbury International.
Who operational resilience applies to
PRA regulated firms and dual regulated companies are in-scope, for example banks, building societies, designated investment firms and insurers.
Third-party providers are not in-scope, but in-scope firms do need to understand fully which of their providers fall outside the threshold.
Impact of COVID-19
As a result of COVID-19, those who relied on business continuity centres were struggling. The pandemic has sharpened people's focus on operational resilience. It is clear that firms need to identify key tolerances and understand that there are severe impacts if they do not improve their operational resilience.
Therefore, it is important to review the lessons learnt from the impact of the pandemic. It is also important to conduct robust testing against severe but plausible disruptions, as firms are required to take action to ensure they remain within their impact tolerances in such scenarios.
Operational resilience in practice
From 31 March 2022, regulators would like to see firms starting out in the operational resilience process: identifying their important business services and ensuring that their impact tolerances have been tested.
They would also like firms to look outside their organisation and into their supply chain. Raising questions with key third-party providers about the support they can provide is important. The resilience of global organisations such as Amazon Web Services and Microsoft Cloud, acting as third-party providers to firms, needs to be reviewed. The same goes for start-ups and fin-techs: there is an opportunity for them to prove they are best in class and provide correct information, but they will need to prove to their in-scope client base that they are resilient.
Therefore, it is important for firms to conduct proper due diligence and ensure that third-party providers meet impact tolerance requirements and are resilient.
Guidance for firms
The guidance for in-scope firms has been included in the consultation documents. These proposals were designed to improve the operational resilience of firms. The consultations proposed certain requirements for firms, such as identifying their important business services (IBS).
Firms are finding it hard to set out impact tolerances and to carry out mapping. Mapping is key to the whole process, allowing firms to build a holistic overview. Regulators have stated that it is important to understand the processes that deliver the important business services, and then to highlight the dependencies on those processes, such as technologies and facilities.
One way to help build out correct tolerance levels for firms and their important business services would be to model crisis scenarios – specifying the length of time a disruption to the IBS can be tolerated for. This allows the levels of tolerance for individual dependencies to be assessed, and provides the top line for building out tolerances.
However, there is a gap between theory and practice. The regulator is looking to see whether it is possible to withstand and recover from external shocks.
Does your business continuity plan cope? Is disaster recovery in place?
Questions
What is a severe but plausible scenario?
It is important to review the mapping of the important business services. Look at the services and the key third-party providers. For example, if a third-party provider suffers a ransomware attack that takes down a system, the response to that incident could be presented as the test. The policies and procedures of the third-party providers should be aligned with the firm's, so that there is no mismatch in the length of time it takes to recover from or cope with the disruption.
What are the branch obligations of a firm?
A branch is subject to the conduct rules of the jurisdiction in which the branch is located. The regulator will expect the overseas branch to be doing things the right way by following the local rules. A branch can be treated as one of your dependencies in the process by bringing it in-scope. As an example, if you are a UK branch of an overseas entity, the UK branch would treat the overseas parent organisation as an internal supplier.
Final words
- The framework is a living framework – it is a journey to get your business as operationally resilient as possible; and
- Look at the lessons learnt from COVID-19.
Useful links:
PS21/3 Building operational resilience | FCA
SS1/21 Operational resilience: Impact tolerances for important business services | Bank of England
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.