
UK regulators review financial firms’ operational resilience

Firms must ensure processes can be maintained after disruption - regulators

Bank of England and Stock Exchange
Rachael King

The UK’s financial regulators are asking firms to implement what they call “impact tolerances”, as part of a new approach to operational resilience.

“The supervisory authorities are exploring a business services approach because it could be of value to organisations of all sizes as they manage their resilience in a dynamic environment,” says a discussion paper, published on July 5 by the Bank of England, Prudential Regulation Authority and Financial Conduct Authority.

The regulators have issued the paper to push boards and senior managers to take responsibility for operational resilience and plan for a system failure, as they are concerned that firms are currently placing too much emphasis on preventing disruption.

“Ten years on from the financial crisis, this discussion paper signals the third phase of regulatory focus,” says Simon Chard, IT risk partner at PwC.

The challenges for operational resilience have become “even more demanding” in recent years, say the regulators, as a result of “a hostile cyber environment” and large-scale technological evolution.

In 2018, there have already been two substantial disruptions to the UK financial system following cyber attacks. In April, commercial bank TSB had a major IT failure during a data transfer, which left its mobile and online banking services immobilised for more than a week. Two months later, payments provider Visa saw its systems go down across the UK for more than 12 hours. 

In the paper, the regulators have asked firms to set themselves “impact tolerances”, to ensure services – such as mortgage lending – and products can be maintained, should a disruption occur.

“Such metrics could include the maximum tolerable duration or volume of disruption, the criticality of ensuring data integrity or the number of customers affected,” says the document.

Firms would then test their ability to stay within their impact tolerances in what the regulators deem “severe but plausible” scenarios. They would use the results of the exercises to identify gaps in their operational risk frameworks and take action.

These tolerances, add the regulators, should be set out and justified within an “impact tolerance statement”.

“Above all, this paper firmly establishes the idea that disruptions will happen, and firms should be planning effectively for potential failures,” says Chard.

The regulators have said they will adapt their expectations depending on a firm’s size and systemic importance. But all firms will need to show they understand the impact an operational shock could have on their customers and their systems as a whole.

“This is another indication that the regulators are placing this issue on a par with financial resilience,” says Chard.

The regulators will look to set out a new approach to resilience regulation after October 5, which is the deadline for firms wishing to respond to the discussion paper.
