Post Lehman, regulators all over the world introduced legislative measures to prevent banks from being “too big to fail”. Now the regulatory net is being cast more widely across the financial services industry to ensure it remains operationally resilient in the face of deep and fast-moving change.
UK Operational Resilience proposals
On 5 December 2019, the FCA, PRA and Bank of England (the “Regulators”) published their joint Consultation Papers (“CPs”) on new requirements to strengthen operational resilience in the UK financial services sector.
The proposals develop the ideas set out in their 2018 Discussion Paper and reflect the Regulators’ view that operational risk and resilience are now equivalent in importance to financial stability. What is striking is that the proposals introduce a new paradigm of outward-facing awareness: firms will have to think about their potential impact on the stability of the UK financial system from an operational perspective, and not just about the impact on their own balance sheet.
The CPs set requirements and expectations for PRA firms, enhanced SMCR firms and financial market infrastructure and provide further clarity on the Regulators’ common approach to supervising firms’ operational resilience. The PRA has simultaneously set out new proposals on outsourcing and third-party risk management which it says will “steer firms to be resilient in their adoption of new technologies”.
The CPs include a level of detail that we do not typically see in regulating the ‘nuts and bolts’ of the way insurers work. They set out a maximum level of tolerable disruption. The Regulators have stressed their expectation that firms fix weaknesses, even where doing so comes at a cost. And, at an even more granular level, the Regulators have commented on detailed testing requirements. The PRA’s proposals on outsourcing go further than any other outsourcing requirements in relation to both “stressed exits” and oversight of suppliers further down the supply chain.
The view from Europe
From EIOPA, there has been a raft of recent and pending regulation on outsourcing and cloud, governance, and IT security and cyber risk, which covers similar ground. Most recently, the European Commission has launched a consultation to explore how an enhanced, cross-sectoral “digital operational resilience framework” for the EU financial services sector could be set up. Depending on the Brexit deal, this could change the landscape again.
To add to this jigsaw of regulatory change, EIOPA has proposed a recovery and resolution regime for insurers, mirroring the regime introduced for banks a decade ago. Such a regime would include more preparation and planning for future times of financial stress, early intervention powers for national authorities and broad powers to resolve insurers, including the ability to temporarily prevent policyholders and other creditors from exercising their contractual rights against the insurer.
The industry has long railed against such a move, as insurers have a very different risk profile to banks. But the tide looks set to turn in 2020.
While the final policy has yet to be determined, it is evident that clearly outlined contractual and operational responsibilities will be critical to protecting operational resilience and demonstrating compliance with the regulatory requirements. Insurers already have experience of managing risks and coordinating outsourcing arrangements of many types, but this evolving area of regulation will require more concentrated effort to map out business continuity arrangements, to mitigate and oversee the complex balance of risks surrounding internal service flows and third-party dependencies, and to ensure that insurers are able either to deliver important business services during disruptions or otherwise to be wound down with minimal disruption.
Industry trends show that insurers are increasing their use of third parties to deliver services, and, indeed, are doing so to increase their resilience through digitalisation and more robust IT systems. But, as a result, new and more complex interdependencies may be emerging that will make compliance with these new regulatory measures even more challenging.
With so much regulatory change in “operational regulation”, it will be a challenge for insurers simply to piece together the regulatory landscape as it develops in the year ahead. Insurers will have to grapple with different requirements on similar themes, each with a different scope, implementation date and supervisory approach.
Insurers will need to fit together all of these requirements in order to identify how they apply to their business, and then create organisational change programmes and contract remediation exercises to implement them in the most efficient way.