Operational Resiliency for Financial Institutions

  • United Kingdom
  • Commercial and IT
  • Privacy, data protection and cybersecurity
  • Financial institutions

31-07-2019

The operational resilience of retail banks operating in the United Kingdom has come under increased scrutiny following a number of high-profile IT failures and cyber-attacks. Regulators have shown a willingness to impose significant penalties for IT and operational failures.1 In May, a UK retail bank was fined nearly £2m by the FCA and PRA in connection with perceived weaknesses in the oversight of material outsourcing arrangements which the regulators felt impacted the continuity of key services and put customers at risk.2

In this briefing, we:

• explore the changing focus of regulators against the backdrop of rapidly evolving technologies;

• define what is meant by “Operational Resilience” and outline the importance, key objectives and challenges of meeting regulatory requirements; and

• set out some key considerations for regulated financial institutions when outsourcing critical functions or activities.

Background – The Evolving Regulatory Landscape

The recurrence of IT failures and the perceived risk to consumers (and the viability and stability of the financial system as a whole) triggered a systemic review by the FCA, PRA and Bank of England in July 2018.3 This was preceded by a report from the FCA following their survey on technology and cyber resilience4 and coincided with the introduction of a new set of requirements from the PRA which requires firms to demonstrate that they can continue to operate in the event of significant financial stress, or even collapse.5

At the same time the UK Parliament launched an inquiry into the causes and consequences of IT failures in the financial services sector; they also put the spotlight on the regulators themselves, assessing their ability to ensure firms are adequately protected against material service disruptions.6

In these reports, discussion papers and inquiries, we see a recurrence of some common themes - issues with outdated legacy IT infrastructure, failures in material outsourcing arrangements, the “concentration risk” arising from over-reliance on a small number of vendors7, the interconnectedness of market infrastructure, the challenges of complex IT migrations following acquisitions or disposals8 and the evolving cyber threat landscape.9 On top of that, regulators and policy-makers are increasingly focusing on risks arising from developing technologies: crypto-assets, crypto-exchanges and blockchain platforms; the move from on-premise IT to cloud infrastructure; services provided by early-stage FinTech businesses; and the use of AI or machine learning tools, Big Data, algo-trading and robo-advice platforms.

Of course this does not mean that banks should not continue to develop novel products and services; there is a recognition on the part of regulators10 of the importance of maintaining a competitive market-place for financial services, offering value-for-money, reduced risk of fraud, access to new and innovative services11 and a rich customer experience.

There is also a recognition that firms will be exposed to risks – it would not be realistic to assume that they can be eliminated in their entirety. What is important is that firms assess and plan for the events and incidents which may impact their businesses by reference to the perceived risk of customer detriment and the impact on the financial system as a whole. This requires firms to re-assess risk tolerances, to develop appropriate systems and controls, to define and implement appropriate oversight and governance structures, and to allocate adequate investment to manage and respond to those risks, both now and in the years to come.

What is “Operational Resilience”?

Operational resilience refers to the ability of an organisation (and the financial services sector as a whole) to prevent, respond to, recover and learn from operational disruptions.

“Operational disruptions to the products and services that firms and FMIs provide have the potential to cause harm to consumers and market participants, threaten the viability of firms and FMIs, and cause instability in the financial system.”12

Operational risk “is defined as the risk of losses stemming from inadequate or failed internal processes, people and systems or from external events. Operational risk includes legal risks but excludes reputational risk and is embedded in all banking products and activities.”13

Operational disruptions take many forms and are not limited to cyber-attacks or IT failures, although these are often the most high-profile types of disruption. Even where the disruption is an IT failure, its causes can be diverse. The below is an extract from the FCA survey of technology outages in the UK published in November 2018.14

Why is Operational Resilience Important?

“Operational resilience is a priority for supervisory authorities and is viewed as no less important than financial resilience. A lack of resilience represents a threat to the supervisory authorities’ specific objectives as well as their shared goal of maintaining financial stability.”15

In designing and delivering services, the regulators say the starting point for all firms should be the assumption that individual systems and processes that support business services will be disrupted. This assumption is not limited to technology infrastructure, but can include supply-chain risks, macro-economic events, natural disasters, pandemics, terrorism, and political upheaval. As such when designing crisis-management plans, financial institutions need to take a broad, end-to-end view of their systems and processes, rather than looking at them in isolation, to better understand the risk of disruption to a service or product or to business-critical activities and functions.

Therefore, it is a regulatory imperative that financial institutions have the ability to:

• absorb shocks rather than contribute to them;

• adapt and recover when things go wrong;

• communicate effectively with those directly or indirectly affected by the incident (including customers, employees and other market participants); and

• engage early (and maintain an ongoing dialogue) with regulators.16

It is also a commercial imperative: the way in which a financial institution responds to a major event can have a material impact on its reputation, people, customers and business.

Supervisory Authorities’ Objectives

The Bank of England has an objective to protect and enhance the stability of the UK’s financial system. Financial stability is the consistent supply of the vital services that the real economy demands from the financial system.

“Vital services” are those:

• providing the main mechanism for paying for goods, services and financial assets;

• intermediating between savers and borrowers, and channelling savings into investment, via debt and equity instruments; and

• insuring against and dispersing risk.17

The PRA’s and FCA’s objectives are defined in the Financial Services & Markets Act 2000 (FSMA) (as amended by the Financial Services Act 2012). The PRA seeks to promote the safety and soundness of the firms it supervises, and to contribute to securing an appropriate degree of protection for those who are or may become insurance policyholders. The PRA also has a secondary objective to maintain effective competition between market participants.

The FCA’s strategic objective is to ensure that financial markets work well and without disruption. To advance this objective, the FCA has three operational objectives:

• to protect consumers;

• to protect and enhance the integrity of the UK financial system; and

• to promote effective competition in the interests of consumers.

The FCA and PRA recognise that financial stability cannot be maintained without the operational resilience of firms which fall under their supervision.

Challenges to Operational Resilience

Building operational resilience has become an increasingly complex challenge, during a period of relentless technological change and against the backdrop of an increasingly hostile cyber environment.

Financial institutions are under pressure to keep up with technical innovations and make use of FinTech initiatives such as big data, artificial intelligence, machine learning and distributed ledger technology to ensure that both their internal processes and the products offered to customers are up to date, market leading, suitable and good value. There can be specific operational resiliency issues with technologies such as distributed ledger technology: for example, business continuity planning may require back-up blockchain infrastructure that comes into effect in the event of an incident, and firms that deal in cryptoassets as part of their business model need to understand the characteristics of the tokens being used so that they do not incur unanticipated risk. Firms also need to ensure cryptoassets do not facilitate money laundering or other financial crime.

At the same time, changing behaviours of consumers can also be a challenge to operational resiliency, with customers demanding instant access, faster transactions and the ability to carry out transactions on-the-go using their smart phones, tablets and wearable devices, across a number of operating systems and multiple 3rd party integrations and apps. It can be a challenge for institutions to keep pace with these technical innovations and changing consumer behaviours, and ensure that they assess and manage all possible vulnerabilities.

There is also a recognised digital skills gap in the UK generally and particularly in the financial services sector, with the most skilled candidates often being lured to the leading technology companies rather than to financial institutions. The prolonged Brexit process has been cited18 as another challenge to the ability of UK firms to attract the best talent.

Operational Resilience and Outsourcing

One area in which we work closely with our financial services clients is on ensuring that the institution continues to meet its regulatory requirements around operational resiliency when outsourcing material or critical services.

When it comes to operational resiliency and outsourcing contracts, the key regulatory requirements are derived from MiFID II, Solvency II (in respect of insurers) and the EBA Outsourcing Guidelines.

Whilst we have called out below a few specific areas which can have a particular impact on operational resiliency, as a rule operational resiliency is a theme which runs through the entirety of the regulatory framework on outsourcing and most (if not all) of the requirements factor into operational resiliency to some extent.

Business Continuity and Disaster Recovery (“BC/DR”)

Continuity of business services is an essential component of operational resilience and is a recurrent theme when FIs consider the regulatory requirements for outsourcing. The institution is required to impose upon the service provider an obligation to have in place a written plan which specifies the processes and procedures which it has in place to ensure continued provision of the outsourced services, which describes the steps it will take to restore service in the case of an outage or failure, and to maintain, update and periodically test that plan. Depending on the services, a requirement to have in place and maintain a BC/DR plan may also extend to sub-contractors - particularly those sub-contractors providing critical service components (for example where a service provider relies upon a hyperscale Cloud service provider to host critical components of the service).

For material outsourcings, the institution should consider imposing a requirement on the service provider to share the outcome of any resilience or vulnerability testing and promptly remediate any identified deficiencies.

Supplier Termination Rights

Termination rights can be an important factor in ensuring operational resiliency. Where a contract is for a material or complex service, it may take 18 months to successfully migrate the service back in-house or to a replacement service provider. As such, standard contractual provisions which entitle the service provider to terminate on short notice constitute a risk to an institution from an operational resiliency perspective.

Exit

A well planned and orderly exit is critical in ensuring operational resiliency and the outsourcing regulatory requirements (particularly the EBA Guidelines) go into some detail around the requirements for service providers to prepare and implement detailed exit plans.19 Similar to a business continuity plan, this should be a live document which is reviewed and updated regularly throughout the contract, particularly where there is a mid-term change to the services. At a minimum, the exit plan should govern how confidential information and data should be returned and impose obligations on the service provider to co-operate with the institution and any replacement provider in the transfer of the services. It should also clearly set out arrangements with regards to the treatment of key operational assets on expiry or termination of the agreement, for whatever reason.

Governance and Audit

Governance and audit are both important controls which enable firms to actively manage their service providers, both to minimise the risk of any operational disruption and to be aware of and plan for any potential issues or disruptions at an early stage. Regular meetings, reporting obligations and the ability of the institution to verify the standards and controls put in place by the service provider can be helpful preventative tools in managing operational risk. In particular, information security audits can help institutions to obtain comfort that any data is handled, processed and stored in a secure manner and by reference to the firm’s defined security measures and internationally recognised standards.

It is important to note that governance arrangements must map against the firm’s own operational structures and satisfy the requirements under the Senior Managers and Certification Regime.20

Step-in Rights

While not appropriate or workable for every contract, it may be helpful to have step-in rights in certain outsourcing contracts for critical services to give the institution (or a third party acting on its behalf) the ability to “step-in” and ensure the continuity of services during any period of failure. While this right may be rarely exercised or relied upon in practice, it can also act as an incentive to encourage the service provider to remedy issues quickly before the step-in trigger is reached.

In practice a number of considerations may impact the ability of the firm to step in and run the services itself (for example where services are provided from a multi-tenant environment or off-shore location, where the firm does not have access to the source code required to maintain critical software applications, or where the firm does not have sufficient skills or experience in-house). These (and other) risks should be considered and included within the firm’s business continuity and crisis management plans.

Operational Continuity in Resolution

Finally, the rules on operational continuity in resolution (“OCIR”) apply to most UK banks, building societies or designated investment firms which meet the materiality threshold set out in the PRA Rulebook.21 The rules are designed to ensure the continuity of critical functions of firms through severe financial stress and resolution and to limit the adverse effect of a bank failure on customers, the UK financial system and the broader economy.22

It is important to note that the rules are not intended to operate as “too big to fail”23 provisions but rather to limit the risk of bank failures,24 to support the recovery of distressed banks and (if those options are exhausted) to ensure an orderly separation or wind-down of operations and the transfer of activities.25

To satisfy the OCIR rules, the firm will need to demonstrate that it has, without limitation, the following:

• a clear vision of how it will maintain critical services in the case of severe financial distress or the failure of all or part of the business;

• in place (and maintains) an appropriate recovery plan;

• developed a clear understanding (“mapping”) of its critical service providers (whether those services are provided by third parties or by other members of its group);

• a clear strategy for the transition of those critical services in the event the firm is wound-up or restructured; and

• clear provisions in its critical outsourcing agreements to ensure the continued provision of services in a recovery or resolution scenario and continued access to key operational assets (including data, intellectual property, premises, licences and leases).

It is important to note that the OCIR requirements apply in addition to (and not instead of) the requirements around operational resiliency more generally as discussed above.


  1. The FCA and PRA fined RBS, NatWest and Ulster Bank a total of £54m for an IT outage in 2012 which affected 6.5 million customers in the UK.
  2. https://www.bankofengland.co.uk/news/2019/may/fca-and-pra-jointly-fine-raphaels-bank-1-89m-for-outsourcing-failings
  3. July 2018: https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
  4. FCA Report – Cyber and Technology Resilience: Themes from cross-sector survey 2017/2018, published in November 2018
  5. PRA Rulebook Part: Operational Continuity effective from 1 January 2019
  6. https://www.parliament.uk/business/committees/committees-a-z/commons-select/treasury-committee/news-parliament-2017/it-failures-in-the-financial-services-inquiry-launch-17-19/
  7. ibid. endnote 2
  8. Letter from FCA Chief Executive Andrew Bailey to Nicky Morgan dated 30 May 2018 regarding its intention to initiate a formal investigation of TSB following problems experienced in the bank’s IT migration in April 2018
  9. Eversheds Sutherland – Financial Markets – the Next Generation of Cyber Threat: https://www.eversheds-sutherland.com/global/en/what/articles/index.page?ArticleID=en/Financial_institutions/cyber_threat_article
  10. See for example the “FCA Innovate” programme
  11. See FCA Business Plan 2018/19
  12. ibid. endnote 3
  13. ibid. endnote 3
  14. Financial Conduct Authority, ‘Cyber and technology resilience: themes from cross-sector survey 2017-2018’ – November 2018
  15. ibid. endnote 3
  16. Including, in the UK, the Information Commissioner, and regulators in all other relevant jurisdictions
  17. ibid. endnote 3
  18. https://www.forbes.com/sites/vishalmarria/2018/10/09/will-brexit-make-the-digital-skills-gap-worse-for-british-banks/#3c40bf3a3f01
  19. paragraphs 106-108 of https://eba.europa.eu/documents/10180/2551996/EBA+revised+Guidelines+on+outsourcing+arrangements
  20. For further guidance please refer to our SMR/SMCR hub: https://www.eversheds-sutherland.com/global/en/what/publications/smcr/index.page
  21. This briefing contains a summary of the legal and regulatory requirements and is not intended to be exhaustive or to be relied upon as legal advice; please contact your usual contact at Eversheds Sutherland if you are unsure as to whether or not your firm falls within the remit of the OCIR rules or any other legal or regulatory requirement referred to in this briefing. You may need to take specific advice if your firm is a non-EEA firm operating in the United Kingdom through a branch or is a UK subsidiary of non-EEA firm but which is authorised by the PRA.
  22. For further background and interpretation of OCIR, please refer to Supervisory Statement SS9/16 (ensuring operational continuity in resolution) dated July 2016 and Policy Statement PS 21/16 (ensuring operational continuity in resolution) dated July 2016 which provided feedback on responses received to the PRA consultation paper CP38/15
  23. Please see the Bank Resolution and Recovery Directive (Directive 2014/59/EU of 15 May 2014 implemented in the UK by Statutory Instrument 2014 No. 3329 (the Bank Recovery and Resolution Order 2014) and Statutory Instrument 2014 No. 3348 (the Bank Recovery and Resolution (No. 2) Order 2014)
  24. Please refer to CRR (Capital Requirements Regulation (EU) No. 575/2013)
  25. Please refer to SS9/16, PS21/16 and CP38/15
