On 5 December 2019, the FCA, PRA and Bank of England (the “Regulators”) all published their joint and coordinated Consultation Papers (the “CPs”, available here, here and here) on new requirements to strengthen operational resilience in the financial services sector. They are a response to the Treasury Select Committee’s investigation into IT failures within the financial services industry (the report is available here and our commentary here).
The proposals develop and expand on the ideas set out in their 2018 Discussion Paper and are consistent with the Regulators’ stated view that operational risk and resilience is now a shared priority issue, equivalent in importance to financial stability.
The CPs set requirements and expectations for PRA firms, enhanced SMCR firms and financial market infrastructure and provide further clarity on the Regulators’ common approach to supervising firms’ operational resilience. They also emphasise the importance of outsourcing and other third-party service provision to operational resilience.
What is striking is that the proposals introduce a new paradigm of outward-facing awareness, where firms will have to think about their potential impact on the stability of the UK financial system from an operational perspective (and not just the impact on their own balance sheet).
At a high level, the proposals require firms to:
— identify their important business services;
— set impact tolerances that they can remain within (the PRA’s proposals further specify here that the impact tolerance set for each important business service must specify the first point at which a disruption to that service would pose a risk to the stability of the UK financial system or the firm’s safety and soundness);
— map the people, processes and technology that deliver their important business services;
— test and demonstrate that they can respond to and recover from disruptions;
— produce a self-assessment document outlining the state of their operational resilience; and
— maintain an internal and external communication strategy and provide clear, timely and relevant communications to consumers and other stakeholders in the event of an operational disruption.
The exercise of mapping the systems and processes that support business services, in order to identify vulnerabilities in the delivery of important business services within an impact tolerance, will require firms to consider systems and processes over which the firm may not have direct control (e.g. third-party service providers).
Although the CPs largely mirror the 2018 Discussion Paper on operational resilience, the Regulators have added a level of detail that we do not typically see in regulating the ‘nuts and bolts’ of the way financial services firms work. The CPs include a maximum level of tolerable disruption, with the Regulators not leaving it up to firms to decide this entirely for themselves. The Regulators have stressed their expectation that firms fix weaknesses and have set out the actions they expect firms to take. And, at an even more granular level, the Regulators have commented on testing requirements.
Outsourcing and the impact of third party service providers
The FCA is not proposing changes to the FCA’s Handbook rules and guidance on outsourcing or third party service provision as part of this consultation, noting that existing rules and guidance in this area are already extensive. While the FCA suggests the existing requirements for regulated outsourcing are sufficient, it highlights “important regulatory developments” that are of relevance to outsourcing and other third-party service provision with implications for operational resilience, and in particular refers to guidelines provided by the European Supervisory Authorities.
In contrast, the PRA has set out new proposals on outsourcing and third-party risk management, including the use of cloud services, which it says will “steer firms to be resilient in their adoption of new technologies” and thus complement the proposals on operational resilience. It is no surprise then that the proposals go further than any other outsourcing requirements in relation to “stressed exits” and having realistic plans for dealing with them (see further PRA Consultation Paper on outsourcing and third party risk management, which can be found here).
The approach in the CPs reflects the Regulators’ concern that firms’ dependencies on outsourced service providers are increasing and that poor governance of those arrangements may lead to, or amplify, insufficient operational resilience in firms. The Regulators’ expectations here are clear: firms should effectively manage their use of third parties to ensure that they can meet the required standard of operational resilience, and firms should be able to remain within impact tolerance for important business services, irrespective of whether or not they use third parties in the delivery of these services.
The FCA is proposing that it will provide “individual guidance” as to whether a firm’s compliance with the new rules is adequate and, if necessary, require a firm to take the necessary actions or steps to address any failure to meet the requirements. FCA-regulated firms already have experience of this method of supervision with regards to compliance with capital requirements and are therefore likely to be familiar with the associated risk that the FCA can issue individual guidance that is not wholly appropriate for the particular firm. While there is some scope for firms to discuss individual guidance with the FCA before any action is taken, ultimately if the FCA and the firm still do not agree, the FCA may use other tools available to it to require the firm to take specific steps in line with the FCA’s view.
The PRA plans to continue to use a wide range of existing tools and powers to support its supervision of operational resilience, including for example the senior managers’ regime, and its powers under section 166 of the Financial Services and Markets Act to require skilled persons’ reports.
— Firms need to consider whether they have the human capital to navigate the challenges ahead. Given the complexity, proper assessment and supervision of third-party dependencies requires highly skilled personnel at firms. Yet, as the Financial Stability Board has observed, it may be challenging to hire and retain such talent and particularly burdensome for small and medium-sized firms.
— Industry trends show that firms are increasing their use of third parties to deliver services and that new and more complex interdependencies may be emerging. There is an inherent tension within the CPs: on the one hand, firms are encouraged to invest in new solutions to fix outdated infrastructure; on the other hand, they are challenged on their ability to oversee third-party suppliers.
— Moreover, there is a risk that as technology advances, knowledge asymmetries develop between firms (which may struggle to keep up with the pace of technological development and consequently the investment required in the technical side of outsourcing oversight and mitigating measures) and third-party providers.
— Even assuming that firms overcome this hurdle, as they will have to do if they are to comply with the Regulators’ expectations, increased reliance on third-party providers’ services will present additional challenges to firms’ compliance with the operational resilience requirements. For example, the proposals require firms to test their ability to deliver important business services within impact tolerances in severe but plausible disruption scenarios. For firms that use third parties to deliver important business services, either wholly or in part, it may be difficult to test how effectively such third parties will respond to incidents.
— The PRA has said that firms should, at a minimum, monitor not only outsourced service providers but also sub-outsourced service providers involved in the provision of important business services. This suggests a greater level of oversight by firms over sub-outsourced service providers than generally currently exists and raises a number of questions over how control and responsibility for sub-outsourced service providers will be shared between firms and service providers.
— At an EU level, there has been a raft of recent and pending regulation on recovery and resolution, outsourcing and cloud, governance, and cyber risk that covers much of the same ground. It will be a challenge for firms to simply piece together the regulatory landscape as it develops in the year ahead and to implement this “operational regulation” in an efficient way.
The consultation closes on 3 April 2020, and we encourage all regulated firms to take time to review and understand the Regulators’ proposals and what they will mean for their business, and to respond where appropriate before the Regulators decide upon their final policy.
It is notable that there are significant cost implications associated with these proposals. The FCA estimates a total cost of £492.3m for firms to implement the proposals, and that FCA-regulated firms will also incur ongoing annual costs of £231.3m. Large PRA-regulated firms each stand to incur between £850k and £1.9m in implementing the proposals and annual ongoing costs of between £400k and £800k. Small PRA-regulated firms’ likely costs are £100k to £500k to implement, and £50k to £200k in annual costs to maintain compliance.
While the final policy has yet to be determined, it is evident that clearly outlined contractual and operational responsibilities will be critical to protecting operational resilience and demonstrating compliance with the regulatory requirements. Firms already have experience of managing risks and coordinating outsourcing arrangements of many types, but this new and emerging area of regulation will require more concentrated efforts to mitigate and oversee the complex balance of risks surrounding internal service flows and third-party dependencies and ensure that firms are able to deliver important business services during disruptions.