Transforming the resilience of the financial sector
19 July 2018
Operational challenges are nothing new for financial institutions, but with a number of recent high profile examples of operational difficulties impacting customers, operational resilience is now at the top of the agenda for regulators. As is often the case, regulators in the UK are at the forefront of tackling the issue.
In recent weeks we have seen the Financial Policy Committee (FPC) announce the introduction of an operational stress test from 2019 and the Bank of England, Prudential Regulation Authority and Financial Conduct Authority publish a much-trailed discussion paper (DP) setting out a new framework for managing operational resilience for all financial institutions.
The FPC sets out its plans to set ‘impact tolerances’ for disruption to the provision of vital financial services in the event of an operational incident. While the first stress test will focus on payments and derivatives trading, and firms’ ability to recover following a cyber attack, the FPC’s has signalled that future stress tests may look at other services such as lending, deposit taking, providing insurance and capital markets activity.
The DP suggests that operational resilience should be focused on protecting business services rather than on systems and processes and that firms should establish impact tolerances for disruption to the provision of important business functions.
The Discussion Paper is very clear that disruptions and outages will happen. It’s the way firms respond to these incidents and the plans they have in place to mitigate the impact to customers and the financial system as a whole that is crucial. The DP emphasises that adequate skills and experience at board level and robust management information and data will be key to ensuring that firms’ boards and senior management are fully engaged in improving operational resilience. This complements the recent introduction of the SMF 24 role to drive individual accountability for operational resilience through the Senior Managers Regime.
The UK’s regulators are at the forefront of dealing with operational resilience. But in a global financial system with risks and dependencies crossing borders it is likely that operational resilience will emerge as a key focus for regulators globally. International standards setters such as the Basel Committee on Banking Supervision have already signalled they plan to focus on operational resilience, so firms should keep an eye on global initiatives too.
What does this all mean for financial institutions? First, these recent announcements show that regulators are seeking a step change in the way firms of all sizes manage operational resilience. The scale of this challenge will be significant. Meeting the regulators’ expectations will require a focus from firms on all aspects of their people, technology, premises and third party dependencies. But firms should not be looking at operational resilience as simply a compliance exercise. Improved resilience can act as a differentiator from competitors and increasingly customers and financial counterparts will demand it. All firms need to show they understand and have the capability to protect all aspects of their organisation required to deliver business services (including dependencies on third parties and other entities within the same group).
FinTech is increasingly revolutionising financial services, bringing the potential for increased operational efficiency and new ways to serve customers. But these innovations also bring additional operational challenges which firms will have to manage. In an increasingly interconnected financial system, understanding the impact an operational shock could have on customers and the system as a whole will also be key.
Almost ten years on from the financial crisis, the renewed focus from regulators on operational resilience signals a third phase of the regulatory reform agenda. While it has taken almost a decade for the financial sector to reach a level of financial resilience the regulators are happy with, we can be sure that regulators won’t wait this long to address operational resilience. This could be the regulatory challenge which impacts on firms’ operations the most, and no firm can afford to ignore it.