FS Programme Briefing | Operational Resilience from a macroprudential perspective

Contrary to the day-to-day micro-policy-making involved within the DP3/22 discussion papers, it is useful to observe operational resilience via a ‘helicopter lens’ to understand the wider complexities of firms adapting and contributing feedback to the ongoing changes within the financial-technological prudential space. This insight will examine the FSI’s Briefing, acknowledging the paper’s 2 key takeaways and its implications on the wider debate of operational resilience regulatory policy. 
 

1. Analysis of trending international and national regulatory policy-making environments, and noticeable differences in macro-objectives and institutional targeting
    
   • Basel Committee on Banking Supervision’s (BCBS) ‘Principles for operational resilience’, US’s ‘Sound practices to strengthen operational resilience’ and EU’s ‘Digital Operational Resilience Act’ (DORA)  

Both BCBS and the US’s guidelines focus on ‘critical business operations’ within banks, as opposed to the UK regulatory institutions’ attention on ‘important’ financial services firms[1]. Naturally, the international/transnational guidelines focus on operational resilience’s role within tackling and preventing systemic risks in the sector. This is particularly note-worthy within areas including ‘third-party (TP) management’, ‘mapping interconnections and interdependencies’ and ‘testing’. For example, BCBS’s guidelines target when/where testing should occur within the context of specific threats, and their exact responsive procedures and processes.

DORA covers a different range of operational resilience issues and procedures comparatively with BCBS/US and UK national regulatory institutions. The legislative proposal specifically focuses upon possible Information and Communications Technology (ICT) threats across financial institutions and firms. Importantly, the proposals include the requirement of financial institutions and firms to ‘harmonise’ their operational resilience strategies and relevant communications with national, international, and transnational regulatory institutions.

• UK’s HM Treasury’s cross-regulatory institutional regime proposals and the Bank of England’s (BoE) Prudential Regulatory Authority (PRA) and Financial Conduct Authority’s (FCA) DP3/22 Discussion Papers following the Government’s Financial Services and Markets Bill

As techUK’s Market Briefing with both the PRA and FCA included, contrary to the international/transnational proposals, the UK’s proposed regime would retain significant individual responsibility and autonomy for firms and financial institutions to identify risks most important to their customer’s most used services. Outlining how operations, communications, and testing’s focus upon these areas of disruption.  
 

2. Analysis of macro-trends within system-level operational resilience
    
   • System-level operational resilience between national and international regulatory coordination

With the growing prevalence of global challenges and crises significantly affecting the day-to-day ongoings of the financial sector, indeed, the national and international economic system in general - it would be no surprise governments, financial institutions and firms are seeking to advance coordination within the key area of operational resilience. However, as the sector has already discussed, greater coordination across proposals has emphasised the different areas of regulatory focus. As discussed above, firms/institutions’ focus areas will determine upon different interpretations of ‘systemic’ – whether the focus should be on individual services and customer experiences, or the stability of the financial system in general. 

• Separated/combined policy approaches within regulatory institutions

The paper points towards individual and sectoral wide use of ‘critical technology services’ including ‘cloud computing services (CCS)’ which, considering the diversity of regulatory and firm-priority focuses, presents with numerous system-level resolutions including:

• Financial services firms and institutions to take accountability for on-boarding and processing third-party providers

The FSI suggests skepticism around institutions and firms conducting individual assessments, presenting gaps and un-standarised and inefficient procedures within auditing processes across the sector.

• Financial services firms to use a ‘multi-provider’ process, ensuring the use of multiple suppliers within specific areas of service

Due to the increased complexity of this proposal – auditing and cloud configuration processes would take longer and become more inefficient due to the cross-supplier nature of operations.  

• Removing both SIFIs and FMIs upon relying on third-party providers, resulting in financial institutions becoming ‘self-sufficient’ within their ICT solutions

As the paper amplifiers, this is certainly the most controversial proposal outline within the Brief, requiring the sector to completely re-think its ICT usage. Although this part of the paper cannot be perceived as a serious proposal, it serves as a useful thought exercise in appreciating the significance of third-party providers and their contribution to developing efficiency, governance and system-wide standardization within the sector.

Operational resilience remains a hot topic within the financial-technology space. With regulatory institutions, financial institutions, and firms deep within the complexities of micro-prudential policy-debates, the FSI’s Brief suggests the importance of understanding the regulatory policy environment from a wider view, for two important reasons:

• Observing where/when/why trends within focuses and objectives occur
   
• Challenges and threats within multiple individual institutions and firms should be resolved at the systemic level

Following this insight’s short analysis of the FSI’s Brief paper, it is clear the rapidly developing regulatory policy-making of operational resilience is already ironing out possible differences in focus of regulation. However, it is important for firms and their relationship to regulatory institutions that these differences are made clear, of which their ‘front-line’ experiences of operational resilience remain central to future developments in policy-making internationally, transnationally and nationally.

As techUK’s interview with the NCC Group’s Regulatory Compliance Solutions Lead suggests, with multiple global challenges both inside and outside the financial services sector, regulatory policy-makers and firms must avoid a path towards policy-making ‘lock-in’, ensuring necessary thought-leadership spaces for critical macro-systemic thinking around financial-technological challenges including operational resilience can take place.

Andy Thornley

Head of Financial Services, techUK

×

Andy Thornley

Head of Financial Services, techUK

Andy joined techUK in August 2022 as Head of Programme – Financial Services. His role includes leading techUK’s work in building a greater understanding of the 'technological art of the possible' in order to apply it to the reform and evolution of financial systems.

Before joining techUK, Andy worked for a number of other bodies in the financial services sector, including the British Insurance Brokers’ Association, where in addition to owning policy and public affairs, he was also responsible for fostering InsurTech in the sector.

Andy has a degree in Human Biology and holds a Certificate in Insurance (Cert CII) qualification from the Chartered Insurance Institute. Outside of work, Andy is an avid cyclist and races competitively both on the road as well as the velodrome.

Email:

[email protected]

Twitter:

@AndrewThornley

LinkedIn:

https://www.linkedin.com/in/mr-andy-thornley/

 

---

[1] Although, still covering SIFI’s including banks.