The Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have published a shared policy summary(link is external) and co-ordinated consultation papers (CPs) on new requirements to strengthen operational resilience in the financial services sector.
Why we are consulting
We published a discussion paper on operational resilience in July 2018.(link is external) We said that our aim is to increase firms’ investment in operational resilience where they provide important products and services, and that building operational resilience is in the public interest.
We are now consulting on new requirements on the firms we supervise to help strengthen operational resilience. We describe operational resilience as an outcome: the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
We want firms to consider the impact of disruption which can come in many forms. For example, technology failures, cyber-related and other operational incidents, including those outside of a firm’s control, can all have an impact on the people and businesses (and financial markets) that rely on their products and business services.
Operational disruptions and the unavailability of important business services that firms provide, have the potential to cause wide-reaching harm to consumers and market integrity, threaten the viability of firms and cause instability in the financial system.
What we are proposing
We propose firms:
- identify their important business services that if disrupted could cause harm to their consumers (retail and wholesale) or market integrity
- set impact tolerances for each important business service (i.e. thresholds for maximum tolerable disruption to help achieve consumer protection and market integrity)
- identify and document the people, processes, technology, facilities and information that support their important business services (mapping)
- test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios
- conduct lessons learnt exercises to identify, prioritise, and invest in their ability to respond and recover from disruptions as effectively as possible
- develop internal and external communications plans for when important business services are disrupted
Our proposals are not intended to conflict with or supersede existing requirements to manage operational risk or business continuity planning, but rather aim to set new requirements that enhance operational resilience.
Delivering operational resilience requires firms to take decisive and effective actions, for example by replacing outdated or weak infrastructure, increasing systems’ capacity or addressing key person dependencies.
By addressing resilience gaps, and building resilience, we believe firms will become more capable of supplying their most important business services even during severe operational disruption.
We are not proposing changes to the rules and guidance on outsourcing or third-party service provision. We reiterate our expectation that all firms remain responsible for the management of their outsourcing and third-party relationships. In an increasingly complex and fast changing business environment, we want the delivery of important business services by firms to be able to prevent, adapt, respond, recover and learn from disruptive operational incidents. To achieve this outcome, firms need to consider their dependency on services supplied by third-parties and the resilience of these third-party services. This includes those third-parties typically outside the regulatory perimeter, where firms retain responsibility for the delivery of their regulated services, including any dependency on the third-party service provider.
Who this applies to
This consultation affects:
- building societies
- PRA-designated investment firms
- Solvency II firms
- Recognised Investment Exchanges
- FCA Enhanced scope SM&CR firms
- entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011
This CP does not apply to EEA firms.