The Future of Payments 2022: Building operational resilience

Paige McNamee

Senior Reporter, Finextra

This is an excerpt from Finextra’s report, ‘The Future of Payments 2022: The Cutting Edge of Digital Payments’.

The Covid-19 pandemic and Russia’s invasion of Ukraine are two highly relevant recent examples which underscore the need for greater operational resilience (OR) across financial services.

Aimed at developing a far more resilient financial system that can absorb and manage shocks rather than exacerbating them, operational resilience has become a key focus for regulators over the past few years. Given the rapid digitisation of financial services, the highly interconnected nature of the system means that there is a far greater exposure to impact from operational disruptions, with significant risk of crippling knock-on effects.

Equally, with such technological evolution, regulators, central banks and the private sector are better positioned to leverage tech tools which reinforce their systems than ever before.

How banks should prepare for the OR reset

Simon Treacy, senior associate, Linklaters, explains that financial institutions (including payment service providers) across the EU and UK are being asked to take a new approach to withstanding disruption. “Both new and incoming rules on operational resilience require financial institutions to anatomise how they provide their business to their clients. The gauntlet for firms to take up is to identify where operational risks lie and prepare to manage those risks when (not if) disruption strikes.”

Treacy notes that the EU and UK are at different stages in the regulatory process, with the UK currently leading the way. The Bank of England, Prudential Regulation Authority and Financial Conduct Authority have set rules which started to take effect on 31 March 2022, although certain aspects do not apply in full until after a three-year transition period.

“If you take that transition period into account, the EU is not far behind. Its proposals for a Digital Operational Resilience Act (DORA) are currently wending their way through the EU’s legislative process.”

Negotiations on the final text should be completed later this year and the rules should start to take effect before the end of 2024.

Both the EU and UK regimes set a more prescriptive process for anticipating operational disruption. For example, Treacy elaborates, the UK regime spells out exactly what documentation in-scope firms are expected to maintain.

These documents should not only evidence compliance with the operational resilience rules as a whole, but also “show their working out” by justifying decisions made during implementation. This suite of documentation must be available to the regulators on request. As a note of warning, Treacy adds that in many cases the regulator will review these papers for the first time in the wake of an incident, and with the benefit of hindsight.

Adam Stage, senior manager and operational resilience practitioner for TSB Bank, adds that the policy and supervisory statements on operational resilience and third party risk management (including outsourcing) are live in the UK, and most financial institutions are focusing on how they continue to mature their approach and embed resilience practices within their business-as-usual operating model.

“This means increasing the sophistication of how they map their services and test their resilience, and also how to maintain the resilience assessments and monitor that agreed actions are being done, all in an efficient way. Of course, financial institutions are also curious about what others have done and how they compare against their peers, and here discussions with supervisors and public speeches, like that by David Bailey of the PRA, can help.”

Echoing Treacy’s observations about the prescriptive nature of OR regulations, Stage elaborates that in the lead up to the new regulations going live, regulators have reminded the industry that the policies would be principles-based and outcomes-focused, meaning that firms cannot rely on regulators giving them the answer.

“Instead,” Stage continues, “firms would have to interpret the rules and guidance in a way which makes sense for them, and would need to articulate this confidently to their Board, to get their approval on the approach, and ultimately with their supervisors. Ensuring you have the right people engaged internally, and the right challenge along the way through your second line, is a great way to build this confidence.”

For firms with international footprints, Stage notes that they should be looking at new expectations being set in other jurisdictions, including the DORA which is likely to come next. “Forming a clear view of the main components of each piece of regulation and where firms can ‘undertake an activity once and use it many times’, is important from an efficiency and also a consistency perspective.”

The UK’s impending Consumer Duty final rules present another key deadline for firms operating in the UK, according to Roger Tym, partner, Hogan Lovells. Firms won't have long after the publication of the final rules to prepare or make the necessary changes.

Tym argues that to meet OR requirements, in-scope firms should have identified their important business services, set impact tolerances and assessed how they will remain within those tolerances. “Going forward, they should be undertaking the necessary investment and resource allocation to resolve any areas of potential weakness they have identified. In scope firms will also need to have brought their outsourcing contracts and arrangements in line with EBA guidelines. The review of end to end customer journeys that will be needed to meet new Consumer Duty requirements (which the FCA have said will need to be implemented by the end of April next year) means that firms will need to reassess their overall operational resilience plans.”

Broadly speaking, explains Treacy, OR impact tolerance levels represent the point at which disruption causes a risk to market integrity or intolerable harm to customers. In-scope firms are required to remain within their impact tolerances for important business services by no later than end-March 2025.

How is technology helping banks with their OR strategy?

Technology-based tools intended to provide a solution to manage all of a bank’s operational resilience needs are increasingly available, observes Stage. For the most part, these appear to be data repositories which provide a convenient way of storing information about your important business services in one place.

“These tools will likely be most helpful where they can integrate into firms’ existing management frameworks such as their risk registers, or their business impact assessments (for business continuity), or their IT configuration management database (CMDB). A key area of focus for firms at the moment is identifying the right tool to maintain the maps of the IBS in an efficient manner and in a way which enables firms to identify vulnerabilities in their delivery model.”

Conversely, senior director at Hogan Lovells, Frank Brown, argues that with firms increasingly hosting systems on the cloud across multiple availability zones they could be forgiven for thinking this addresses their operational resilience requirements.

“It is important for firms to remember that a robust approach to operational resilience also requires consideration of key third party suppliers (and identification of potential alternatives), the robustness and security of connections, system backups and post-implementation testing and a roll back approach in case of issues.”

Brown continues that firms also need to ensure they have a deep understanding of how their customers use the products to identify which aspects of the service are important.

“Regardless of the tools used to support operational resilience, firms need to be sure their process, approach, oversight and testing are sufficiently robust and understood by senior management,” Brown states.

Can true operational resilience be inconsistent?

Stage believes that the Basel Committee on Banking Supervision (BCBS) will be key in driving a common approach to operational resilience around the world.

“I agree with the PRA’s view that the UK and BCBS approaches align on the core principles, and the existing US approach is similar too.”

These approaches are effectively driving firms to define those services where an operational disruption would be most impactful, through external as well as internal lenses, i.e. the impact on customers and markets as well as the firm’s own financial viability. The approaches require firms to deepen their understanding of how the services are delivered (through mapping), to set a tolerance for disruption, and to test their ability to remain within those tolerances.

Matthew Handfield, principal consultant, Hogan Lovells, says similarities across jurisdictions include the need to consider the products and services on offer, including how they are used by customers, to understand what is important, a robust approach to oversight of third parties and having a plan in place for when things go wrong, including the approach to communication during a service interruption.

Where jurisdictions diverge is on the interpretation of exactly what parts of the business are considered important. “However, a robust approach to operational resilience is not only something to demonstrate to regulators; it is key to providing a reliable service and building customer trust,” and going beyond the bare minimum of regulatory compliance is wise.

While several aspects of DORA echo the UK regime, notes Treacy, such as the proposed requirements around testing, documentation and governance, divergences remain.

“One significant difference between the two regimes is that DORA does not have a strict liability standard requiring firms to remain within impact tolerances – something which is at the heart of the UK rules.”

Another difference Treacy points to between the two regimes relates to scope. The UK rules apply to many but not all financial institutions, with in-scope firms including banks and payments firms. Conversely, DORA is likely to apply to all financial entities in the EU, although a principle of proportionality should mean that firms can take into account the size, nature, scale and complexity of their business when implementing the rules.

Treacy continues that DORA also proposes a new regime for some businesses which provide IT services to the financial sector. Tech firms, such as cloud providers, could be designated as being “critical” to the functioning of the financial sector and subject to oversight by EU authorities. There is no equivalent in the UK regime, although the UK authorities plan to open a discussion paper later in 2022 on applying operational resilience standards to critical third parties.

According to Stage, the main differences between those approaches seem to come down to the responsibilities of regulators in each jurisdiction (e.g. the FCA brings a strong consumer interest focus to the UK) and the desire to evolve an existing approach (BCBS and US) versus triggering a step-change in the approach (UK).

Handfield explains that the UK’s approach to OR is arguably more holistic and forward looking, and is likely to deliver better outcomes for customers and counterparties than some other jurisdictions. This is because it is focussed not only on assessing the risk of failure, but on building more robust systems that recover more quickly from service interruptions.

Equally, it is arguable that the European approach is more fragmented, with different initiatives dealing with different aspects of operational resilience. Handfield cites the EBA guidelines on outsourcing, the EBA guidelines on ICT and security risk management, the EIOPA guidelines on outsourcing to cloud and the ESMA guidelines on outsourcing to cloud. “Viewed comprehensively, these will achieve some of the same outcomes – but do not give a comprehensive view. DORA is likely to provide a more consistent regulatory framework across sectors as this progresses through the legislative process.”

Stage adds that DORA “is a different beast entirely” as it focuses on the management of ICT risk and third party risk as underlying capabilities, rather than looking through the lens of an end-user service. Getting these things right will make a financial institution more resilient to a point, but without applying the external lens of what is most important.