Managing operational risks in financial institutions – the regulatory perspective

United Kingdom

Not surprisingly given recent high profile IT failures and the ever increasing reliance placed on technology by financial institutions operational risk remains high on the FCA and PRA’s agenda. Building the UK financial sector’s operational resilience was the subject of a recent joint discussion paper (FCA DP18/4 PRA DP01/18) upon which feedback is awaited and the Treasury Select Committee also announced in October that it would be carrying out an inquiry which will consider the causes and consequences of operational incidents in the financial services sector and examine the work being undertaken by industry and the Regulators to promote operational resilience. The Regulators emphasise the necessity of ensuring continuity of services for firms’ most important business activities – they expect boards and senior management to assume individual systems and processes will be disrupted, and increase the focus on back-up plans, responses and recovery options. Firms need to ensure that not only do they have the systems and controls in place to mitigate the risk of disruptive events but that they focus their attention on the resilience of their key business services to enable them to respond to a disruptive event effectively and in so doing minimise the risk of harm to customers, the firm and markets. This article considers what this means in practice for financial institutions and outlines the steps that firms should consider when dealing with these type of disruption from a regulatory perspective.

The risks and the FCA’s expectations for firms were highlighted in a speech by Megan Butler, the FCA’s Executive Director of Supervision, on 27 November. The level of risk faced by firms is well illustrated by the concerns she expressed that in the year to October 2018 firms had reported a 138% increase in technology outages with 18% of these being cyber related. She stressed, as acknowledged in the recent DP, that the FCA is not suggesting a zero failure approach hence the need to set impact tolerances and having the ability to recover and learn from disruptions but rather the FCA was challenging firms to test how well they manage these incidents. The Regulators have set out a six step framework for firms to consider when developing their policies and have suggested the sorts of questions Boards and senior management should be asking:

  1. Identify the most important business service and consider how much disruption could be toleratedin what circumstances
  2. Map the system and processes that support these business services - can they also respond to emerging threats?
  3. Assess how the failure of an individual system or process could impact the business service – are we effectively managing third party suppliers and do we understand their response and recovery plans, have we planned for disruption, are back up plans in place, do we have effective response and recovery options?
  4. Test using scenarios and by learning from experience, that resilience meets the firm’s tolerance
  5. Invest in the ability to respond and recover from disruptions through having appropriate systems, oversight and training – are staff properly trained, do we create a positive security culture, do we have the right skills and understanding of risk and technology at the top level to steer and set strategy, does the Board have access to people within the business with appropriate technical skills, do we take into account the long term interests of our customers?
  6. Communicate timely information to internal stakeholders, supervisory authorities, customers, counterparties and other market participants - do we have effective internal communication plans, escalation paths and identified decision makers and external communication plans for the most important business services?

Managing a disruptive event

The response to any event will naturally depend on the facts of the event, its severity and impact and the nature of the firm’s business activities. However, there are some key regulatory considerations which will be relevant to responding to most of these types of crisis which are outlined below.

  1. Identify, contain and mitigateOperational resilience is a board level responsibility for all financial institutions. The relevant senior managers must take personal accountability in delivering the response plan, in communicating with regulators, and in the treatment of customers. Roles and responsibilities therefore need to be allocated effectively and comprehensively and in line with responsibilities under the Senior Managers and Certification Regime. In the event of a crisis incident, immediate escalation to senior management is paramount so having robust and clear escalation procedures on which all staff are trained is vital. Senior management remain accountable and must stay engaged to steer and oversee swift resolution and ensure a clear audit trail of response planning is maintained. It is also vital that adequate resources are allocated and engaged not only to resolve the incident but also to meet the increase in demand from customer queries as well as deal with BAU issues.All available information must be assessed so that the broad nature and scope of the issue can be identified, and a response team assembled. The response team must mitigate and contain wider impact of the disruption as soon as possible and an IT incident plan should be implemented to try to ensure continuity of key business services. As outlined above, a firm which has considered and addressed the resilience questions set out should be in a good position to achieve this.
  2. Regulatory NotificationsPrinciple 11, in combination with the guidance and reporting obligations under SUP 15, requires firms to report material incidents to the Regulators as soon as possible. Where business services are disrupted, notification will need to be made as soon as the firm becomes aware there is an issue with updates being provided as issues become clearer or emerge. Incidents are considered material if they:
  • result in a significant loss of data;
  • impact the availability or control over IT systems;
  • affect a material number of customers; or
  • risk unauthorised access of information and communication systems.

This list is not exhaustive and, in terms of the steps that the firm is taking to rectify the situation, the Regulators must be kept updated on key developments and progress.

If a personal data breach has occurred, this must be reported as the data controller under the GDPR to the ICO. Similarly, where criminal activity is suspected, the firm should contact Action Fraud, the UK’s national fraud and cybercrime reporting centre. Notifications to other bodies and/or persons may also be necessary.

  • Internal and external communications

Staff members

In the very first instance, an assessment should be made as to whether internal communication should be limited to a ‘need to know’ basis to avoid leaks of potentially misleading information. Alternatively, a wider alert may need to be made to reinforce security measures and guidance should also be given to customer facing staff on how to respond to customer enquiries and complaints.

Customers and counterparties

Inherently, an operational crisis incident will have an impact on either an institution’s customers or its counterparties, if not both. Where it does, prompt and effective communications should be made to all those affected so that they understand what services and data have been impacted and the consequent risks attached. Open communication is likely to be vital in retaining or restoring confidence in the business.

The content of communications should be clear, fair and complete. For customers, advice should be given on practical solutions and any relevant protective measures that should be taken. Messaging across all social media, online channels and other broadcasting media should be consistent, timely and proactive.

  • Customer redress

As part of a firm’s TCF obligations under Principle 6, firms should consider proactive redress where customers have suffered loss as a result of the firm’s failings. Not only is this the right thing to do, it should also help mitigate the risk of claims and complaints thereby saving costs and management time in the long run and a well run project should also help to restore the firm’s reputation.

Any customer redress scheme will be dependent on the facts, but the following are points to consider for any redress scheme:

  • Early identification and prioritisation of vulnerable customers;
  • Possible automation such as reversal of charges, interest, etc.;
  • Consistency with approach to complaints and briefing complaints team to deal with issues;
  • A process for inviting and assessing consequential loss claims;
  • Goodwill payments where customers may have suffered material inconvenience;
  • Possible compensation to third parties affected by the firm’s customers not being able to make payments etc.
  • Robust QA and adapting scheme to take account of issues that may arise; and
  • Keeping Regulators updated and comfortable with the approach the firm is taking.
  • Lessons learnt

Whilst the firm addresses and responds appropriately to the crisis incident, measures must also be taken to ensure such issues do not reoccur in future and to provide confidence to its board, shareholders, customers and Regulators.

There is always the risk that the FCA will require a 166 skilled person report but in our experience if firms take the initiative commissioning their own independent review to identify causes and make recommendations, this will speed the process up and allow the firm to have an element of control over the scope and process.

Again there a number of issues to consider when commissioning a report:

  • Who and what skills are required, do you need a mix of skills, do you want to maintain privilege if there are risks of claims?
  • Carefully define the scope and ensure it is manageable within a reasonable time frame (there is always a tendency at the start to throw everything in), what are you trying to achieve, do you know some things already?
  • Ensure it is agreed with the Regulators in advance as they may wish to use it for their own investigation and of course, the firm will need to agree to share the report with them.
  • The process for review and reporting should be designed so there is an opportunity throughout the process to provide input and correct inaccuracies and add important context.
  • Will the reporter need access to third party suppliers, who will facilitate that, will the firm pay their costs?
  • Provide a good quality briefing and ensure efficient and speedy provision of key material.

It will also be critical to make sure there is strong governance around the plan to implement any recommendations which tracks actions and implementation.

  • Investigations into past conduct

Where the incident impacts customers or the integrity of the UK markets, a regulatory enforcement investigation into the firm may be inevitable which may result in public enforcement action and financial penalties being imposed. At a minimum, these investigations will typically involve the Regulators looking at the firm’s systems and controls, its risk management, regulatory transparency, and its treatment of customers. The firm’s senior management who have accountability for the issues which arose are also likely to find themselves under individual investigation and may therefore require independent legal advice.

While investigations are usually kept confidential, if the incident was well publicised and there is political and press interest, the investigation may be made public and listed institutions may need to announce it in any event.

Investigations are lengthy, very time consuming and costly, firms should have regard to any insurance cover they may have for defence costs for the firm or individuals under D&O cover. There may also be merit in the firm proactively assisting the Regulators in getting to the facts quickly which may shorten the time and costs involved and the Regulators may also take into account this type of cooperation in terms of any penalties being proposed.

Notwithstanding any regulatory investigations, the firm may also need to have regard to any individual misconduct, fitness or propriety issues or breach of conduct rules and carry out its own investigations and take action where necessary including any obligations to undertake performance adjustment investigations.

Whilst the threats posed by new technology may indeed be difficult to anticipate and disruption may be inevitable, it is clear that the better equipped a firm is when responding to crisis incidents and disruptive events, the better position it will be in to resolve an incident swiftly and effectively and the more likely it will be in a position to convince the Regulators it has taken appropriate action and avoid regulatory sanctions.