The Financial Conduct Authority (FCA) has called on authorised firms to examine their ‘operational resilience’ and to make changes and improvements to their procedures where necessary.
The FCA says the main considerations should be:
- Identifying the firm’s important business services – those that, if interrupted, could cause:
  - Damage to the firm’s viability
  - Detrimental outcomes for the firm’s customers
  - Damage to market integrity
  - Instability in the wider financial sector
- Setting ‘impact tolerances’ for each important business service: the maximum tolerable level of disruption the firm is prepared to accept for that service
- Identifying the people, processes, technology, facilities and information that support the firm’s important business services
- Making contingency plans to ensure the firm remains within its impact tolerances through a range of severe but plausible disruption scenarios
- Ensuring the firm’s contingency plans include a communications strategy so that customers are kept updated during a disruptive event; for example, customers may need to know about alternative means of accessing the firm’s services
- Operating a ‘lessons learnt’ approach should a disruptive event occur so that the firm is better placed to respond to emergency events in the future
The FCA says firms should carry out an assessment of the above issues annually.
Strictly speaking, the proposals in the new FCA consultation on operational resilience would apply only to the following categories of firm:
- Building societies
- Investment firms that are also regulated by the Prudential Regulation Authority
- Solvency II firms
- Recognised Investment Exchanges
- FCA firms who are subject to the Enhanced Senior Managers & Certification Regime
- Entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011
However, all firms need to be prepared for disruptive incidents, especially as the cyber threat continues to increase. Every FCA-authorised firm needs a risk management strategy, and every firm should have a documented Business Continuity Plan (or similar) explaining how the firm will respond to an incident and how the interests of staff, customers and other stakeholders will be protected.
Other than cyber incidents, disruptive events a firm might experience include:
- Other IT failures – for example, there have been many cases of bank customers being unable to access services for a period after the bank’s ageing computer systems failed
- Data loss – again, an issue with many high-profile examples
- Loss of power, telecommunications or water
- Any incident that makes it very difficult or impossible to access the firm’s premises, such as weather events or fire damage
The FCA invites responses to its Consultation Paper – the deadline for submissions is April 3 2020.
In a speech on December 5, FCA director Megan Butler explained the regulator’s definition of operational resilience as “the ability of firms and [Financial Market Infrastructures] and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.”
Ms Butler went on to give an example of unacceptable customer harm when she said:
“We will not accept operational failures that – but for a lack of sufficient contingency planning – see consumers stuck on the phone for hours trying to speak to their bank, unable to complete a house sale or purchase or facing uncertainty over whether they will be able to pay their rent on time because they cannot transfer their money.”
Andrew Bailey, FCA Chief Executive, said:
“It is in the public interest that a resilient financial system is able to supply the most important services with minimal interruption even during severe operational events. The proposed new requirements are aimed at achieving this outcome.
“Disruptive events can have a high impact on consumers and businesses so firms and [Financial Market Infrastructures] need to know where the risks to their service delivery lie and to make sure that they are prepared for any service disruption by testing their planned response.”
The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware that the facts, circumstances or legal position may change after publication of the article.