On July 5, 2018, the BoE, the PRA and the FCA published a joint discussion paper entitled "Building the UK financial sector's operational resilience." The Discussion Paper is aimed at opening a dialogue with the financial services industry on achieving what the Authorities view as a "step change" in the operational resilience of firms and Financial Market Infrastructures and at generating debate about the expectations regulators and the wider public might have of the operational resilience of financial services institutions.

While the existing regulatory framework already supports operational resilience, the BoE, PRA and FCA are together considering the extent to which they might supplement existing policies, to improve the resilience of the financial system as a whole and increase the focus on operational resilience within firms and FMIs.

In the discussion paper, the Authorities explain that operational disruptions can threaten the viability of affected firms, cause harm to consumers and market participants and cause instability in the financial system. Firms and FMIs must have the capabilities to prevent, respond to, recover from and learn from operational disruptions such as cyber-attacks, failures in outsourced services or large-scale technological changes. Poor operational resilience in firms can impact the interlinked objectives of the Authorities, with the consumer protection objective being likely to be affected more often (and by more firms) than the safety and soundness and financial stability objectives.

The Authorities consider that managing operational resilience is most effectively addressed by focusing on business services, rather than on the systems and processes that support those services. In the Authorities' view, firms and FMIs are more likely to be operationally resilient if, rather than focusing on ensuring robust systems to avoid potential disruption, they work on the assumption that the individual systems and processes that support particular business services will be disrupted. If firms assume that disruption will occur, they will increase their focus on the back-up plans, response plans and recovery options required to provide continuity of service, regardless of the cause of the disruption.

The Authorities note that, in the context of cyber incidents, the FPC has announced that, in line with its responsibility to mitigate systemic risk, it will set an "impact tolerance" for disruption to the delivery of certain vital services the financial system provides to the economy. The FPC's impact tolerance relates to the point at which the FPC judges that a disruption would begin to cause a material economic impact. The Authorities consider that firms and FMIs should derive their own impact tolerances for their business services and use them to set operational resilience standards and to prioritize and take investment decisions. The Authorities suggest that the highest priority should be given to those business services that have the most potential to affect the firm or FMI's viability, harm consumers or threaten financial stability.

The Authorities expand in the discussion paper on the concept of impact tolerances and how they might complement existing requirements on firms. Impact tolerances express an upper limit, a breach of which is to be avoided in all but the most extreme scenarios. This contrasts with risk appetites or recovery time objectives, which tend to express a desired outcome that is achieved with high probability. Impact tolerances would need to be expressed clearly and would be separate from any risk appetites or recovery time objectives. The Authorities consider that engagement from firms' and FMIs' boards and senior management in setting impact tolerances and in setting and overseeing business and operational strategies (including communication strategies) is crucial for ensuring operational resilience.

The Authorities consider that setting impact tolerances would support existing regulatory expectations and obligations and are reviewing the existing regulatory framework in the light of the overall approach set out in the discussion paper. This review has regard to existing international, EU and domestic requirements and regulatory frameworks. The Authorities outline that any future supervisory approach might cover the following four broad areas:

  • sector-wide work, including any potential stress testing developed by the Bank and the PRA with input from the FPC;
  • supervisory assessment of how firms and FMIs set and use impact tolerances;
  • analysis of systems and processes that support business services; and
  • requiring firms and FMIs to provide assurance to the Authorities that they have the capabilities to deliver operational resilience and are in compliance with existing rules, principles, expectations and guidance.

The Authorities hope to receive feedback from a broad range of stakeholders on the issues raised in the discussion paper. Comments on the discussion paper are invited by October 5, 2018.

The Discussion Paper (BoE/PRA DP 01/18; FCA DP 18/04) is available at: https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/discussion-paper/2018/dp118.pdf.
