The FCA, PRA and BoE consult on building operational resilience

On 5 December 2019, the Bank of England (BoE), the PRA and the FCA published a long-awaited suite of documents and consultation papers (the proposals), setting out their proposed approach to embed new operational resilience requirements into the financial services regulatory framework:

• a joint BoE, PRA and FCA Discussion Paper (DP01/8) on their approach to operational resilience
• PRA Consultation Paper (CP29/19) on operational resilience and third party impact tolerances for important business services
• FCA Consultation Paper (CP19/32) on operational resilience and third party impact tolerances for important business services
• PRA Consultation Paper (CP30/19) on outsourcing and third party risk management, and
• BoE individual Consultation Papers and draft SSs for each of central counterparties, central securities depositories and recognised payment system operators and specified service providers.

Aims of the proposals

Putting in place a regulatory framework to promote operational resilience is one of the key priorities for the BoE, PRA and FCA. The proposals develop many of the concepts in the earlier 2018 joint discussion paper, and also respond to the recent Treasury Select Committee report on IT failures in the financial services sector (to which the authorities will provide a full response in due course).

The proposals are designed to promote stronger and more effective governance of operational resilience and more organisation and co-operation between market participants. The authorities will consider developing further policy requirements in the future, such as on operational resilience reporting.

What is operational resilience?

The proposals define operational resilience as "the ability of firms and FMIs in the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions", with customer interests paramount. The starting point is the premise that operational disruptions happen, but that firms need to be prepared for the unexpected.

The new concepts of "important business service" and "impact tolerance" are central to the proposed approach for identifying and addressing operational resilience concerns. Note that these definitions are slightly different under the FCA and PRA proposals, which may create implementation challenges for dual-regulated firms.

Who do the proposals apply to?

Not all firms and activities will be subject to all of the proposals. Broadly:

• The FCA's proposed new SYSC Chapter 15A would apply to banks, building societies, enhanced scope SMCR firms, PRA-designated investment firms, Solvency II firms, recognised investment exchanges, electronic-money institutions, payment institutions and registered account information service providers. It does not apply to EEA firms.
• The PRA's proposals apply to banks, building societies and UK designated investment firms, UK Solvency II firms (plus Lloyds and managing agents). They include specific provisions for group arrangements, including identifying "important group business services" undertaken by other members of the firm's group outside of the UK where those services could pose a risk of harm if disrupted. Accordingly, firms may need to consider how the proposals would affect them on a consolidated group basis.
• The BoE's proposals apply to central counterparties, recognised payment system operators and specified service providers, and central securities depositories.

For the purpose of this alert, these are referred to as "in-scope firms".

When would they apply?

The authorities aim to finalise their rules by the end of next year and for most of them to take effect in late 2021, although full compliance is not expected until 2024.

What do they require?

The proposals share a common overarching approach to operational resilience, with differences to reflect the particular regulatory framework and supervisory approaches of the PRA, FCA and BoE. Broadly, the proposals would require in-scope firms to:

Identify their "important business services"

No definitive list is provided, but guidance is provided on the type of services that boards and senior management could classify as "important". Business services are distinguished from 'business lines'. Firms may also need to consider which particular part of a chain of activities is critical to delivery and should avoid identifying a collection of services as a single important business service.

Set impact tolerances for each important business service

This should be the first point at which a disruption would pose an intolerable risk of harm to consumers or market participants, harm integrity, threaten policyholder protection/safety/soundness, or pose a risk to financial stability. They should include the maximum tolerable duration of disruption.

Identify and document the people, processes, technology, facilities, and information that support each important business service ("mapping")

Mapping is essential to identify and document the vulnerabilities in delivery of important business services, such as limited substitutability of resources, high complexity, single points of failure, and a concentration of reliance on a single resource. Mapping then allows firms to take action to remedy and test those vulnerabilities.

Take actions to be able to remain within their impact tolerances through a range of "severe but plausible" disruption scenarios

This involves taking effective actions to ensure firms can continue to deliver within impact tolerances during severe scenarios. This might include addressing vulnerabilities in legacy systems, replacing outdated infrastructure, achieving full-fail dependencies and being able to communicate with all affected parties. This should include developing a "testing plan" to carry out regular and proportionate scenario testing.

Some particular points to note:

• Metrics for impact tolerances: Both the FCA and PRA require that the impact tolerance must specify the length of time for which a disruption to an important business service can be accepted. The FCA consults on whether other metrics should also be mandatory.
• Self-assessment: In-scope firms must prepare and regularly update written self-assessment of its compliance which is proportionate to their activities.
• Governance: A firm's management body must approve the important business services and impact tolerances, and regularly review their self-assessment.
• Notification: Both the FCA and PRA expect to be notified of failures to meet an impact tolerance in accordance with existing notification requirements.
• Communication: In-scope firms would need to have in place and maintain an internal and external communication strategy.

Interaction with outsourcing requirements

Both the FCA and PRA are clear that they expect in-scope firms to ensure their important business services are able to remain within their impact tolerances, even when they rely on outsourcing or third party providers.

The PRA's separate consultation on outsourcing is in part in response to implementing the EBA Guidelines on Outsourcing, and also takes into account the draft EIOPA Guidelines on Outsourcing to Cloud Service Providers (except that these proposals apply to all outsourcing, not just cloud).

What about service providers?

Inevitably, the additional requirements on in-scope firms to identify dependencies and set impact tolerances will require greater engagement with third parties and service providers, particularly around mapping and scenario testing.

However, there may also be opportunities here for service providers. For example, where in-scope firms identify that their own IT infrastructure is inadequate, third party services may be necessary to implement back-up data storage, for example.

Help is at hand

If you would like to discuss any of the above points, please do get in touch.