Prevent. Adapt. Respond. Recover. Learn.
The UK financial services regulators are seeking assurance that firms in the sector can demonstrate their operational resilience.
The Bank of England, Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have a duty to ensure the resilience of the UK financial services sector. Financial insecurity, or even a lack of confidence, can shake an economy. The regulators want to ensure that the sector can weather any storm – pandemic-related or not.
In this article we’ll look at:
- What is changing
- Who the changes apply to
- What the FCA will be looking for
- The steps that firms will need to perform
- Key takeaways and timelines
What Is Changing?
Each of the three regulators has its own supervisory remit. We're focusing on the FCA, whose objectives are to protect consumers and to keep the financial sector safe and secure. Operational resilience is one of the levers it is using to achieve this.
The proposals, currently known as Consultation Paper CP19/32, have been developing since 2018, when the regulators published a joint Discussion Paper.
The final consultation period ended on 1 October 2020.
Now, the FCA will gather the feedback it has received from the industry and formulate a Policy Statement. This will be incorporated into the FCA Handbook, the rulebook for the sector.
The FCA isn't intending the final rules to be prescriptive. Rather, they'll tell firms what needs to be achieved, not how to achieve it.
Who Do They Apply To?
The FCA is the regulator for 60,000 firms and FMIs in the UK, as well as the prudential supervisor for 49,000 firms.
When it is written into the Policy Statement next year, the regulations for demonstrating operational resilience will apply to:
- Banks and building societies
- Investment firms designated by the PRA
- Recognised Investment Exchanges
- Solvency II insurance firms
- FCA enhanced scope SM&CR firms
- Payment and e-money firms authorised or registered under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011
If you fall into one of these categories, the FCA will be concerned with your operational resilience from 2021.
However, as is increasingly the case with regulation, regulated firms also need to ensure the resilience of their supply chain.
This means that if your customers are in the financial services sector, you'll need to be clued up on what the FCA wants, even if you are not regulated yourself.
What Is The FCA Looking For?
The FCA is looking for firms to demonstrate that they can continue servicing other businesses and, importantly, consumers throughout any shock to the economy or their individual operations.
“It is in the public interest that a resilient financial system is able to supply the most important services with minimal interruption even during severe operational events. The proposed new requirements are aimed at achieving this outcome,” said Andrew Bailey, former FCA Chief Executive.
Specifically, the FCA is concerned with the impact beyond the commercial interests of the individual firms and FMIs, including:
- Harm to consumers
- Harm to market integrity
- Threats to policyholder protection, safety and soundness
- Financial stability
The steps shouldn't be too much of a shock for any company that already has a business continuity plan, but there is a subtle difference between business continuity and operational resilience. In broad terms, business continuity focuses on how your company would pick itself up after an event. Operational resilience is about how your company keeps operating through the event.
The financial services sector underpins the economy. Without the ability to make payments, other businesses will quickly strain at the seams. It's understandable, therefore, that the FCA cares less about how an individual firm would pick itself up after an event, and more about how it could keep delivering its important services regardless of outside circumstances.
An interesting note is that the FCA is specifically looking to see how firms will communicate with key customers and consumers should impact tolerances be reached.
This could be because a lack of information can cause severe confusion and fear amongst consumers, even if there isn’t a problem with accessing their cash.
Breakdown of the Steps to Perform
The Consultation Paper defined operational resilience as “the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.”
Crucially, the regulators aren’t going to tell anyone exactly how to comply with the regulations. This is because each firm and FMI will have its own individual risks and impact tolerances.
What the Policy Statement is likely to give, however, are steps that it expects regulated firms to follow and demonstrate.
These steps are likely to be:
1. Identify the important business services whose loss would harm consumers or market integrity
Firms and FMIs define their own 'important' services, but they should be services which, if disrupted, would cause harm to consumers, market integrity, financial stability or the safety and soundness of the firm.
Put simply, if a disruption to one of your firm's operations would affect people outside the firm, that operation belongs within your operational resilience governance.
2. Set impact tolerances for each of the important services identified above
An impact tolerance is the maximum level of disruption to an important business service that the firm can tolerate before the harm to consumers or the market becomes intolerable. The FCA expects it to be expressed at a minimum as a duration (how long the service can be unavailable), although other measures such as the number of failed transactions or affected customers can be added. The question to answer is: how much disruption can the firm absorb before people outside it are harmed?
The impact tolerances are referenced throughout the rest of the FCA's guidance, so they need to be accurate and realistic.
3. Map the key people, information, processes and technology that are involved in the delivery of the important services
Organisations operate as a network of people and processes that rely on technology and infrastructure, some of it provided by third parties.
Any part of that network could be a weak link. The mapping process should identify vulnerabilities in the firm's ability to deliver its important services and be a stepping stone to mitigating them.
Additionally, the regulators will expect the map to link back to the impact tolerance of each service, so that it is clear which resources a tolerance depends on.
4. Use test scenarios to prove the ability of those key personnel and infrastructure mentioned above to stay within their impact tolerances, even under severe strain
Regulators have used stress testing since the 1990s: the original Basel Accord dates from 1988, and its 1996 Market Risk Amendment required banks using internal models to run stress tests. A bank stress test devises a hypothetical scenario, such as rising unemployment or falling house prices, and models the effect on the bank's capital.
Scenarios for operational resilience go further than this and test more than capitalisation. For example, a sustained loss of power or of a critical technology could take down an important service. The scenario should test how long the firm could sustain that loss without the service breaching its impact tolerance, and what disruption consumers would see in the meantime.
The tests should be severe but plausible.
5. Learn from these test scenarios to continuously improve, prioritising investment in the right areas
This is the next step after creating a risk matrix: the company knows the probability of a risk event occurring and the impact that would cause, now it needs to target mitigation strategies in the right areas.
It’s unlikely that the FCA will look favourably on a company that doesn’t believe it has any room for improvement. Companies will need to invest in key areas so they can handle disruption effectively.
6. Develop communication plans for when services are disrupted, which should communicate internally and externally to consumers
This step could be done in parallel with the previous ones. Communication out to the market is critical for the regulators. As mentioned earlier, damage to the economy can be caused by confusion and a lack of communication.
Even if you’re not directly regulated by the FCA, your customers will want to know when they’ll be informed of any disruption to your services. It could be critical for their business operations.
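Steps 2 to 4 above (set a tolerance, map the dependencies, test a scenario against the tolerance) can be kept honest with a small model that links the three together. The following is an added illustration, not code from the original article or from the FCA; the services, resources, tolerances and failover times are constructed figures chosen only to show the mechanics. A scenario removes one or more mapped resources for a given number of hours, the model works out how long each important service is down (allowing for a mapped substitute where one exists), and reports any service whose downtime exceeds its impact tolerance. The single-point-of-failure check loses every mapped resource in turn, which is the kind of result the mapping exercise is meant to surface.

```python
"""Toy operational-resilience model: important services, impact tolerances,
a dependency map, and scenario tests that check tolerances.

Added example; all data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str  # people / information / process / technology / third party


@dataclass
class Service:
    name: str
    impact_tolerance_hours: float          # maximum tolerable outage (step 2)
    depends_on: List[str]                  # resources the service cannot run without
    failover: Dict[str, str] = field(default_factory=dict)  # resource -> substitute
    failover_hours: float = 0.0            # time to switch to a substitute


# Constructed mapping of two important services (step 3); figures are assumptions.
RESOURCES = [
    Resource("Data centre A", "technology"),
    Resource("Data centre B", "technology"),
    Resource("Card scheme link", "third party"),
    Resource("Payments ops team", "people"),
    Resource("Underwriting team", "people"),
    Resource("Customer records", "information"),
]

SERVICES = [
    Service("Retail payments", impact_tolerance_hours=2,
            depends_on=["Data centre A", "Card scheme link",
                        "Payments ops team", "Customer records"],
            failover={"Data centre A": "Data centre B"}, failover_hours=0.5),
    Service("Mortgage applications", impact_tolerance_hours=48,
            depends_on=["Data centre A", "Underwriting team", "Customer records"],
            failover={"Data centre A": "Data centre B"}, failover_hours=1.0),
]


def map_dependencies(services: List[Service], resources: List[Resource]) -> Dict[str, Set[str]]:
    """Reverse index: resource name -> important services that rely on it.

    Substitutes count as dependencies too, and an unmapped resource is an error,
    because a map with gaps cannot be linked back to a tolerance.
    """
    index: Dict[str, Set[str]] = {r.name: set() for r in resources}
    for svc in services:
        for dep in list(svc.depends_on) + list(svc.failover.values()):
            if dep not in index:
                raise ValueError(f"{svc.name} depends on unmapped resource {dep!r}")
            index[dep].add(svc.name)
    return index


def service_downtime(svc: Service, lost: Set[str], outage_hours: float) -> float:
    """Hours the service is unavailable when the resources in `lost` are down.

    A lost dependency with a surviving substitute costs only the failover time;
    one with no substitute (or whose substitute is also lost) costs the full outage.
    """
    downtime = 0.0
    for dep in svc.depends_on:
        if dep not in lost:
            continue
        substitute = svc.failover.get(dep)
        if substitute is not None and substitute not in lost:
            downtime = max(downtime, svc.failover_hours)
        else:
            downtime = max(downtime, outage_hours)
    return downtime


def run_scenario(services: List[Service], lost: Set[str], outage_hours: float) -> Dict[str, float]:
    """Step 4: downtime of every important service under one scenario."""
    return {svc.name: service_downtime(svc, set(lost), outage_hours) for svc in services}


def breaches(services: List[Service], lost: Set[str], outage_hours: float) -> List[str]:
    """Names of services whose downtime in the scenario exceeds their tolerance."""
    downtime = run_scenario(services, lost, outage_hours)
    return sorted(svc.name for svc in services
                  if downtime[svc.name] > svc.impact_tolerance_hours)


def single_points_of_failure(services: List[Service], resources: List[Resource],
                             outage_hours: float) -> Dict[str, List[str]]:
    """Lose each mapped resource on its own; report the ones that breach a tolerance."""
    result: Dict[str, List[str]] = {}
    for res in resources:
        hit = breaches(services, {res.name}, outage_hours)
        if hit:
            result[res.name] = hit
    return result


if __name__ == "__main__":
    for resource, affected in map_dependencies(SERVICES, RESOURCES).items():
        print(f"{resource}: supports {sorted(affected)}")
    print("6h loss of Data centre A breaches:", breaches(SERVICES, {"Data centre A"}, 6))
    print("6h loss of both data centres breaches:",
          breaches(SERVICES, {"Data centre A", "Data centre B"}, 6))
    print("Single points of failure at 6h:", single_points_of_failure(SERVICES, RESOURCES, 6))
```

Two things the model shows that the prose does not. First, a six-hour loss of Data centre A does not breach either tolerance because the map records Data centre B as a substitute, but losing both data centres breaches Retail payments while Mortgage applications, with its 48-hour tolerance, survives; the severity of a scenario is only meaningful relative to each service's tolerance. Second, the single-point-of-failure pass flags the card scheme link, the payments team and the customer records store, two of which are a third party and a data set rather than infrastructure, which is why the FCA asks for people, information, processes and technology to be mapped, not just servers.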
Key Takeaways & Timeline
For firms that already have an operational resilience governance structure in place, the new guidelines shouldn’t cause any concerns.
The main takeaway is that operational resilience needs to be demonstrated, tested and documented. There needs to be a formal mapping process of important services, even if these are provided by third parties. The FCA is looking for proof that the sector is taking resilience seriously and that it can survive, adapt and learn from any disruptions.
The process has been delayed during the pandemic. Now, the final Policy Statement won’t be published until 2021, with firms being unlikely to have to comply until the end of that year.
Conclusion | What Does This Mean For Me?
Any firm or FMI within the UK financial services sector needs to prepare its operational resilience governance.
Naturally, the FCA is less interested in the financial cost to an individual company and more concerned with the impact on consumers and the market, so your operational resilience governance structure needs to be targeted in the same way.
Each company will need to define its own risk events and test scenarios. Operational resilience will differ from firm to firm, so there isn't a set pattern that can be followed.
Similarly, the supply chain needs to be ready to demonstrate its own resilience, because regulated firms cannot discharge their responsibilities by shifting the blame onto a third party.
In much the same way as we’re all used to fire drills, the sector will need to accustom itself to testing operational resilience. If you’re in the financial services sector, you’ll get used to these words:
Prevent. Adapt. Respond. Recover. Learn.