The Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have today published a shared policy summary and co-ordinated consultation papers (CPs) on new requirements to strengthen operational resilience in the financial services sector.
Building the operational resilience of firms and Financial Market Infrastructures (FMIs) is a shared priority for the three supervisory authorities. The co-ordinated CPs build on the concepts set out in the operational resilience Discussion Paper published by the authorities last year, addressing many of the proposed policy changes based on the responses we received.
The policy proposals make it clear that firms and FMIs are expected to take ownership of their operational resilience and that they will need to prioritise plans and investment choices based on their impacts on the public interest. If disruption occurs firms are expected to communicate clearly, for example providing customers with advice about alternative means of accessing the service.
Under the proposals, firms and FMIs would be expected to:
- identify their important business services that if disrupted could cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system;
- set impact tolerances for each important business service, which quantify the maximum tolerable level of disruption they would tolerate;
- identify and document the people, processes, technology, facilities and information that support their important business services; and
- take actions to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios.
Andrew Bailey, FCA Chief Executive, said: ‘It is in the public interest that a resilient financial system is able to supply the most important services with minimal interruption even during severe operational events. The proposed new requirements are aimed at achieving this outcome.
Disruptive events can have a high impact on consumers and businesses so firms and FMIs need to know where the risks to their service delivery lie and to make sure that they are prepared for any service disruption by testing their planned response.’
Sam Woods, CEO of the PRA and Deputy Governor for Prudential Regulation, said: ‘Operational resilience is a vital part of firms’ safety and soundness, and has become an important priority for the PRA. This consultation marks the next stage of integrating operational resilience into our regulatory framework. Alongside this, our proposals on outsourcing and the cloud will steer firms to be resilient in their adoption of new technologies.’
Jon Cunliffe, Deputy Governor for Financial Stability, said: ‘FMIs, both wholesale and retail, lay at the heart of the financial sector. They are the plumbing that allow the financial system to operate. The safe and resilient operation of FMIs is therefore crucial to the Bank’s financial stability objective. FMIs need to consider not only what steps they need to take to minimise operational disruption, but also how quickly they can recover from any operational disruption.’
To complement the policy proposals on operational resilience, the PRA has published a CP on ‘Outsourcing and third-party risk management’. The objectives of this consultation are to deliver on the Bank’s commitment to ‘facilitate greater resilience and adoption of the cloud and other new technologies’, as set out in the Bank’s response to the Future of Finance report, and to support the proposals on operational resilience. It reinforces the PRA’s expectation that firms should ensure that their important business services are able remain within their impact tolerances even when they rely on outsourcing or third party providers. The FCA’s Consultation Paper on operational resilience also contains a chapter on outsourcing.
The consultation period closes on 3 April 2020.
Notes to editors
- See Operational Resilience: Impact tolerances for important business services for operational resilience consultation papers.
- PRA Consultation Paper 30/19 ‘Outsourcing and third party risk management’: December 2019
- See Operational Resilience: Impact tolerances for important business services for the Operational resilience discussion paper.
- The FCA and PRA have issued separate CPs so dual-regulated firms may wish to send separate responses to the FCA and the PRA mailboxes.
- On 1 April 2013, the FCA became responsible for the conduct supervision of all regulated financial firms and the prudential supervision of those not supervised by the PRA.
- The FCA has an overarching strategic objective of ensuring the relevant markets function well. To support this it has three operational objectives: to secure an appropriate degree of protection for consumers; to protect and enhance the integrity of the UK financial system; and to promote effective competition in the interests of consumers.
- Prudential regulation rules require financial firms to hold sufficient capital and have adequate risk controls in place. Close supervision of firms ensures that we have a comprehensive overview of their activities so that we can step in if they are not being run in a safe and sound way or, in the case of insurers, if they are not protecting policyholders adequately. The PRA at the Bank of England is responsible for this prudential regulation and supervision of around 1,500 banks, building societies, credit unions, insurers and major investment firms.
- The Bank of England supervises FMIs because financial markets rely on the continuity of the services they provide. Well-functioning FMIs improve the stability of markets and the wider financial system. The Bank supervises a range of different FMIs.