Timetable set for financial firms to bounce back from business disruption

Nearly three years in the making, the UK financial services regulators have put the final touches to their new set of rules on operational resilience. The regulators have given firms one year to get ready before the regime starts to apply.

What we now know

Since 2018 the Financial Conduct Authority, Prudential Regulation Authority and the Bank of England have worked together to develop a new regulatory framework on operational resilience. This work has culminated in a package of policy statements which set the final rules for certain types of financial institution and financial market infrastructure to apply, including the timeline for when the rules will take effect.

The final rules largely mirror the draft rules which were published in 2019. Firms must ensure that they stay within an acceptable level of disruption, known as their “impact tolerance”. To do so, firms are instructed to identify their “important” business services, map the resources they rely on and set themselves impact tolerance levels for each of those services. Additional rules prescribe how firms must approach scenario-testing, communication-planning and recordkeeping, among other things.

The regulators have updated the timetable for compliance. The consultation process was extended as a result of COVID-19, which pushed back the original deadlines. Firms now have until 31 March 2022 to identify their important business services and set impact tolerances, as well as having an operational resilience strategy in place. Work on mapping and scenario-testing should also have begun by this date, but the regulators acknowledge that the sophistication of these processes may need further time to develop. Regulators will apply these rules more strictly from 31 March 2025.

The policy statements also make some important changes and clarifications to the draft rules. For example, the FCA has made clear that their regime does not apply to overseas firms, branches outside the UK and EEA firms relying on temporary permissions post-Brexit. The regulators have also sought to align their approach in some areas. For example, there is now more consistency in how each regulator defines an “important business service”. Important differences remain, however, between the regimes to reflect each regulator’s objectives and supervisory focus.

C-suite focus

Senior management will be held to account for delivering operational resilience. The board will be required to approve and then regularly review the (potentially voluminous) documentation which records compliance with the regime. The FCA has said that responsibility for signing off operational resilience documents should not be delegated to someone who is not on the board.

The rules envisage a suite of written records to be kept and maintained. These include documenting the firm’s important business services and impact tolerance levels, details of scenario tests and lessons learned exercises, and any vulnerabilities that have been identified. These materials need to be retained, kept up to date and made available to the regulators on request. In several areas the rules require not only the documents themselves but also additional records justifying the approach or explaining the methodology that the firm has taken.

Ensuring that senior management have oversight of operational resilience arrangements is particularly important for those firms which are also subject to the Senior Managers Regime. Under the SMR, one or more individuals will be specifically accountable for the design of the firm’s resilience framework and their statement of responsibilities should reflect this. Even for firms not under the SMR, the regulators have emphasised that senior management should know what they are responsible for and have established clear delegation of responsibilities for managing operational resilience.

To meet the rising regulatory expectations, directors and other Senior Managers will need to receive more status updates on their institution’s resilience. This management information, including incident reports, should be timely and offer appropriate detail. Training and advice should be made available to ensure that they can engage with this information and oversee the real resilience of the business effectively.

International perspective

The UK regulators are leading the way on operational resilience. Like other jurisdictions, the UK already has well-established standards on related topics such as business continuity, cybersecurity and outsourcing. The new regime is, however, among the first attempts to bring together these diverse strands into a single outcomes-based resilience framework.

The EU is one of the jurisdictions next in line. Its proposal for a Digital Operational Resilience Act (known as DORA) goes beyond the UK framework by extending its reach to IT service providers. The draft legislation proposes designating some service providers, such as cloud providers, as being “critical” to the functioning of the financial sector and bringing them under the oversight of the European Supervisory Authorities.

At the international level, the Basel Committee on Banking Supervision is due to finalise its principles for operational resilience. The Committee consulted on these principles in 2020 in response to the growth of technology-related threats in recent years. The draft principles overlap with many of the areas covered by the UK and EU regimes, including governance considerations, business continuity exercises and mapping of interdependencies.

It is hoped that international standards will help to promote coordination between policymakers and help harmonise regimes. For firms with a global footprint, however, it is increasingly apparent that, even where objectives align, local implementation will differ in detail. Managing multiple regulatory regimes is another element to be factored into resiliency planning.

Simon Treacy is a professional support lawyer in the Financial Regulation Group at Linklaters.

This article (subscription only) was originally published by Thomson Reuters Regulatory Intelligence.

Visit our operational resilience webpage for more information and links to further resources, including our operational resilience podcast.