Blog article
See all stories »

PRA regulations: Building operational resilience in financial services

Financial services providers operate some of the most critical systems that both consumers and businesses interact with on a daily basis. Everything from buying a coffee to paying an invoice or taking out a mortgage is dependent on having continuous access to a bank and its services. It is vital that these services are resilient and always available, or financial services organisations risk not only losing consumer trust but could also be in breach of policy from industry regulators.

However, as the financial sector continues to become more innovative in its use of technology, with everything from open banking, contactless payment, and biometric authentication becoming widespread, the systems powering these services have also become more complicated. As a result, it is becoming increasingly difficult for IT operations and development teams to maintain the end-to-end view needed to ensure services are continually available and are delivering a seamless customer experience.

Regulating for resilience

These issues recently became even more pertinent with the introduction of the new operational resilience policy from the PRA. The policy requires financial organisations to identify their ‘important business services’ by considering how disruption to those areas could have an impact beyond their own commercial interests. For example, an hour-long outage in a core banking platform could have far-reaching consequences outside the bank, from the exchange of contracts on a house purchase being delayed, to consumers being left stranded in supermarket queues unable to pay for their groceries.

Once their important business services have been identified, the policy requires financial providers to assess their operational resilience. In other words, they need a clear understanding of the organisation’s ability to prevent, recover from, and learn from disruptions to important business services. It also requires them to define an impact tolerance for those services, to make clear what is the maximum level of disruption an important business service can withstand before it causes a risk to the organisation or its customers.

At their core, the new regulations were designed to protect the wider finance sector and UK economy from the impact of operational disruptions that could create situations like these. This is a significant step in underscoring the strategic importance of observability in the financial services sector.

Increasingly complex services

This faster pace of innovation has come at the cost of greater complexity in the way financial services are designed, built, and operated. Organisations have adopted a wealth of modern approaches such as multicloud environments, cloud-native architectures, and open source code libraries to drive innovation and create new digital solutions. But while these have allowed banks to move at speed, they are also increasingly difficult to monitor manually. In fact, 67% of CIOs in the financial services sector say the complexity of their environment has surpassed human ability to manage.

This complexity has the potential to create blind spots that lead to disruption for important business services if it goes unchecked. Without visibility across the entire technology stack, it becomes more likely that a software update to add a new function or fix a vulnerability in a critical banking application could impact service availability. Limited visibility also makes it very difficult for developers to quickly identify the precise root cause of the issue and fix it, meaning that the downtime could go beyond the impact tolerance.

To anticipate where these problems may emerge and proactively resolve them before customers are impacted, financial organisations need end-to-end observability across the entire environment supporting their critical business services. By combining this observability with AIOps capabilities, financial services providers can identify any threats to the stability of their important business services in real time, making it easier to ensure their resilience.

Benefits beyond compliance

The new PRA policy only reinforces the fact that it is no longer a ‘nice to have' for banks to have an end-to-end view of their technology stack – it is a critical requirement. At first these regulations may seem like a cumbersome approach to enforcing the need to monitor critical services and report disruption. But in the long-term, the results of these efforts will have a significant impact on financial services providers’ ability to differentiate by delivering seamless digital experiences to their customers. If financial organisations see these regulations as an opportunity to improve the way they deliver IT services to the business and its customers, then they will soon find they are discovering new ways of delivering innovation and getting ahead of competitors.


Comments: (0)

Martin Bradbury

Martin Bradbury

Regional Director, Financial Services UK&I


Member since

28 Oct 2022



Blog posts


This post is from a series of posts in the group:

Banking Regulations

Discussion around current trends in regulations for banks globally

See all

Now hiring