As coronavirus puts operational resilience in the spotlight of the Regulators, Andy Peterkin and Kya Fear consider the FCA’s and the PRA’s proposals on operational resilience, published just prior to lockdown.
What is operational resilience?
The FCA’s and the PRA’s recently published Consultation Papers  aim to improve the resilience of the UK’s financial sector and build on the approach first outlined in the Discussion Paper “Building the UK Financial Sector’s Operational Resilience” published in July 2018 by the Bank of England, FCA and the PRA.
The Discussion Paper referred to operational resilience as the ability of firms and the financial sector to prevent, adapt, respond to, recover, and learn from operational disruptions, and the Consultation Papers have kept that definition.
What are the Regulators concerns?
The proposals in the Consultation Papers are broadly consistent as between the FCA and the PRA (although given the strategy of the FCA, the FCA’s Consultation Paper is more focused on preventing harm to customers than the PRA’s Consultation Paper).
Broadly, and as Megan Butler pointed out in a recent speech, the key messages set out in the Consultation Papers are:
- The proposed requirements and expectations for firms and financial market infrastructure around identifying their important business services, by considering how disruption to the business services they provide can have impacts beyond their own commercial interests.
- The requirement to set a tolerance for disruption for each important business service and ensure firms can continue to deliver their important business services. Firms must ensure they are able to remain within their impact tolerances during severe but plausible scenarios.
- The requirements for firms to map and test important business services to identify vulnerabilities in their operational resilience and drive change where it is needed.
Which firms will be affected?
The proposals set out in the FCA’s Consultation Paper will apply to banks, building societies, PRA-designated investment firms, Solvency II firms, Recognised Investment Exchanges, Enhanced Scope Senior Managers & Certification Regime firms and entities authorised or registered under the Payment Services Regulations 2017 and / or the Electronic Money Regulations 2011.
The proposals set out in the PRA Consultation Paper will apply to UK banks, building societies, PRA-designated investment firms, UK Solvency II firms, the Society of Lloyd’s and its managing agents.
However, as Megan Butler’s recent speech has indicated, the FCA’s expectation is that all firms (for example, firms in the “core” of the Senior Managers and Certification Regime (SM&CR)) will have properly tested contingency plans to deal with major events and it is very likely that the proposed rules on operational resilience will apply as guidance for solo-regulated firms that are not Enhanced Scope SM&CR firms.
When will the proposals take effect?
The Regulators had aimed to implement the proposals in the second half of 2021, however, the coronavirus pandemic has led to a delay in the deadline for responding to each of the Consultation Papers from 3 April 2020 to 1 October 2020. We now anticipate a policy statement to be issued in 2021 and an implementation date in 2022.
Who is responsible for operational resilience in a firm?
The FCA notes that irrespective of a firm’s size or complexity, it expects clarity on who is responsible for what, including for operational resilience.
Under SM&CR, individuals that perform the Chief Operations Function (SMF24) are required to have responsibility for managing the internal operations or technology of the firm (or of a part of the firm) including responsibility for areas such as business continuity, internal operations, and operational continuity, resilience and strategy. An SMF24 is likely to find that the scope of their responsibilities is such that they are responsible for implementing the proposals in the relevant Consultation Papers.
If a firm does not have an individual performing the SMF24 function under the SM&CR, the firm must determine the most appropriate individual who is accountable for operational resilience.
What are the key questions that firms should ask themselves in light of the proposals?
1. Has your firm identified its important business services?
The Consultation Papers promote a “business services approach” where firms identify their important business services and focus on: (i) the possible impact disruptive events could have to those services, and (ii) continuing to supply those services in the event of a disruption.
The FCA considers “important business services” to be services that, if disrupted, would be most likely to cause intolerable levels of harm to consumers or market integrity. The PRA proposes that a business service is “important” if its disruption could pose a risk to the firm’s safety and soundness or financial stability.
Both Regulators also note that an “important business service” should be identifiable as a separate service (as opposed to a collection of services). For example, mortgages would be a collection of services and activities, rather than one important business service. The FCA has also said that users of the service – retail customers, business customers ¬or market participants – should be identifiable.
The Regulators are not proposing to publish any detailed taxonomy on what “important business services” are. However, the FCA has proposed non-exhaustive factors as guidance for firms to consider when identifying their important business services. Amongst others, these include considering:
- The consumers potentially affected by the disruption of the service, including the nature of the consumer base, and whether there are vulnerable consumers who are more susceptible to harm from a disruption. The more consumers affected, and the more vulnerable they are, the more likely the relevant service will be considered “important”.
- The impact on the firm itself, where this could cause consumer harm or harm to market integrity. For example, the impact on the firm’s financial position, potential to threaten the firm’s viability or cause reputational damage.
- The impact on the UK financial system. For example, the firm’s potential to impact the soundness, stability or resilience of the UK financial system, potential to cause knock-on effects for other market participants (particularly those that provide financial market infrastructure or critical national infrastructure), and the importance of a service to the UK financial system (for example, government services or pension funds).
The FCA’s Consultation Paper also includes hypothetical examples to demonstrate how different firms might identify their important business services. In one example, a large dual-regulated bank that provides online and telephone banking services for retail customers identifies telephone banking consumer authentication as one of its important business services. The firm considers the consumers potentially affected by a disruption to the service and concludes that consumer harm is likely given the significant number of consumers that use telephone banking as a primary channel to access several banking services. That firm then analyses its consumer base and determines that there are consumers that do not have access to other channels such as online banking and those consumers may therefore be more susceptible to harm if the telephone banking consumer authentication service is disrupted.
The PRA Consultation Paper also provides an illustrative list of certain important business services including a bank’s payment services and a retail bank’s provision of ATM cash withdrawals to customers.
It is not expected that firms will have very long lists of important business services. The Investment Association has gathered some feedback from its members on their important business services and in terms of numbers, almost all had opted for a number less than ten, with some in the low teens. However, firms should not be focused on the numbers but rather on the importance of its business services.
The FCA proposes that firms review important business areas once a year and whenever there is a material change to their business or the environment in which they operate. The PRA’s proposed policy would require boards and senior management to approve important services identified for their firm.
2. Has your firm set impact tolerances for each important business service?
The Regulators expect firms to set an impact tolerance for each of their important business services, quantifying the maximum acceptable level of disruption through severe but plausible scenarios.
The Regulators believe that by setting impact tolerances the mindset of firms’ boards and senior management will be changed away from traditional reactive risk management towards one of accepting disruption to business services as inevitable.
The Regulators propose that impact tolerance should always include the maximum tolerable duration for which the delivery of the important business service could be affected.
The expectation is that firms will use impact tolerances as a planning tool, assuring themselves they are able to remain within them in severe but plausible scenarios, and that they will take all possible actions to ensure they are able to operate within their impact tolerances.
The Regulators note that impact tolerances differ from risk appetites: impact tolerances assume a particular risk has crystallised whereas risk appetite focuses on the likelihood and impact of particular operational risks occurring.
For FCA solo-regulated firms, there will be one impact tolerance for each of their important business services by having regard to the potential harm posed to consumers, market integrity and, where appropriate, financial stability. Such firms will need to assess whether they have adequate financial resources to address potential harm.
For firms regulated by both the FCA and the PRA there will be two impact tolerances for each important business service. One impact tolerance would be set at the first point at which there is an intolerable level of harm to consumers or market integrity, and another tolerance at the first point at which financial stability is put at risk, and a firm’s safety and soundness or policyholder protection is impacted.
In determining the harms that can be caused to consumers and / or market integrity, the FCA proposes the following factors, amongst others, as guidance for firms to consider:
- the number and types of consumers adversely affected;
- financial loss to consumers and to the firm (where this could harm the firm’s consumers and / or the resilience of the UK financial system);
- the spread of risks to other business services, firms or the UK financial system;
- loss of functionality or access for consumers.
The FCA proposes that firms set and review their impact tolerances at least once a year and whenever there is a material change to their business or environment in which they operate. However, the Regulators recognise that firms will need time to ensure they can take actions necessary to improve their operational resilience. The Consultation Papers therefore propose that firms remain within their impact tolerances within a reasonable time after the rules come into effect, but no later than three years from that date and what is “reasonable” will differ between firms.
3. Has your firm tested its ability to remain within its impact tolerances through a range of severe but plausible disruption scenarios?
The Regulators propose that a firm tests its ability to remain within its impact tolerances for each of its important business services in the event of a severe but plausible disruption of its operations.
In carrying out such tests, the FCA Consultation Paper suggests that firms should identify an appropriate range of adverse circumstances varying in nature, severity and duration relevant to its business and risk profile. The firm should then consider the risks to delivery of the firm’s important business services in those circumstances.
As noted above, impact tolerances assume the event has crystallised. This requires firms to focus on testing response and recovery actions, rather than focusing exclusively on preventing incidents from happening.
The FCA believes that firms are best placed to determine the scenarios for testing and suggests that firms consider previous incidents (or near misses) within their organisation, across the financial sector and in other sectors and jurisdictions. As guidance, the FCA proposes the following scenario factors:
- corruption, deletion or manipulation of data critical to the delivery of the important business service;
- unavailability of facilities or key people;
- unavailability of third-party services which are critical to the delivery of important business services;
disruption to other market participants; and
- loss or reduced provision of technology underpinning the delivery of important business services.
In developing a testing plan, the PRA notes that the following should be considered:
- the type of scenario testing: paper-based, simulations or live-systems testing;
- the frequency of scenario testing: if implementing changes to operations frequently, more frequent scenario testing should be undertaken;
- the number of important business services tested;
- testing the availability and integrity of resources; and
- how their environment is changing and whether this will give rise to different vulnerabilities.
Helpfully, the FCA provides some examples of how firms might set and remain within their impact tolerances. One example involves a wealth management firm that identifies that the delivery of investment administration could be disrupted and harm to consumers could crystallise quickly if it has operational issues. In that scenario, the firm regards the time-criticality of ensuring the service is available, the size of its market share and the nature of its consumer base when it sets an impact tolerance. That wealth management firm would then provide a methodology and rationale which supports its decision to set an impact tolerance of 8 hours for the administration of investments as an important business service.
The Regulators believe that testing will enable firms to identify where they might need to act to increase their operational resilience before problems crystallise. Firms can consequently develop testing plans that detail how they will be assured that they can remain within their impact tolerances.
4. Has your firm identified the resources that support its important business services?
To have a complete view of its resilience, a firm will need to identify and document the people, processes, technology, facilities and information (resources) that it relies on to deliver each of its important business services. This is referred to as "mapping".
The Regulators each believe it appropriate for firms to develop their own methodology that best fits with their business, and to document their mapping in a way that is proportionate to their size, scale and complexity. Methods could include process mapping, transaction life cycle documentation and consumer journeys.
The PRA Consultation Paper recognises that the mapping exercise could be quite complex for some firms especially where resources used to deliver important business services come from across business areas, entities, or different jurisdictions. The PRA proposes introducing expectations that:
- mapping should enable firms to identify vulnerabilities and test their ability to remain within impact tolerances, and
- firms must take action where a vulnerability is identified, or where testing highlights a limitation to remaining within impact tolerances.
Similarly, the FCA Consultation Paper provides that mapping should allow firms to meet the following outcomes:
- identify vulnerabilities and remedy these as appropriate, and
- enable firms to conduct scenario testing to test their ability to stay within impact tolerances.
Vulnerabilities might include a lack of substitutability, high complexity, single points of failure, concentration risk, dependency on third parties and matters outside of a firm’s control such as power failures.
The FCA noted that to design and understand the full implications of scenarios, a complete map of the relevant business service(s) is necessary.
5. Has your firm developed communication plans for when business services are disrupted?
The Regulators stress the importance of communication with internal and external parties (external parties being the Regulators, consumers and the media).
Internal communication plans should include escalation paths that will be used to manage communications during an incident and identify key decision makers. A firm’s external communication plan should consider, in advance of a disruption, how the firm would provide important warnings / advice quickly to consumers, the Regulators, the media and other stakeholders (including where there is no direct line of communication).
Effective communication would also include gathering information about the cause, extent and impact of operational incidents (feeding into the lessons learned exercise).
6. Has your firm demonstrated how it will meet operational resilience requirements?
The Regulators will require firms to document a self-assessment of their compliance with the requirement to identify their respective operational resilience requirements.
The PRA proposes that such self-assessment would:
- include how firms have identified important business services;
- include how firms have set impact tolerances;
- summarise vulnerabilities identified to the delivery of important business services;
- outline scenario testing performed and findings from tests; and
- indicate what actions are planned to improve a firm’s ability to remain in impact tolerances and
- consider if the timing for these is reasonable and in proportion to the systemic importance of the firm’s important business services.
The FCA proposes that a firm’s self-assessment would include:
- the firm’s important business services;
- the impact tolerance set for these important business services;
- the firm’s approach to mapping (including how the firm has identified its resources and how mapping has been used to identify vulnerabilities and support scenario testing);
- the firm’s strategy for testing its ability to deliver important business services within impact tolerances through severe but plausible scenarios, including a description of the scenarios used, the types of testing undertaken and the scenarios under which firms could not remain within their impact tolerances;
- an identification of the vulnerabilities that threaten the firm’s ability to deliver its important business services within impact tolerances, including the actions taken or planned, and justifications for their completion time;
- the firm’s lessons learned exercise; and
- the methodologies used to undertake the above activities.
Firms boards and senior management would be accountable for, and should approve, the self-assessment.
Although the Regulators’ proposals are at the consultation phase, with responses due in October this year, recent speeches by the FCA have emphasised that this topic is more relevant than ever. Alongside the Bank of England, the FCA is currently testing firms’ contingency plans and has emphasised that firms will need to keep their focus on operational resilience as circumstances change and return to some form of the “new normal”.
We believe that the coronavirus pandemic has given firms a key opportunity to test their operational resilience and start putting in place robust contingency plans for plausible and severe future events.
Should you have any queries concerning the proposals in the Consultation Papers, current regulatory obligations, contingency planning or best practice, please do get in touch.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, July 2020