UK regulators release final operational resilience policies

The end of March saw a flurry of activity on operational resilience as the UK regulators published final policy on operational resilience and, for the UK Prudential Regulation Authority (PRA), final rules on outsourcing and third party risk management while the Basel Committee on Banking Supervision (BCBS) issued its new Principles for Operational Resilience and revised Principles for the Sound Management of Operational Risk.

In this post, we revisit the background to development of operational resilience in the UK, review the publications issued by the Financial Conduct Authority (FCA), the PRA, and the Bank of England (the Bank) in March, and briefly discuss the wider context.

Key takeaways

• Covid-19 has had an impact on how the UK regulators and the industry approach operational resilience, but has not resulted in significant change to the direction of policy.
• The regulators have set out a phased implementation period, with initial requirements due by 31 March 2022. While firms are likely to have many of the elements already in place (or in plan), it is reasonable to assume that effort and resource will need to be deployed to fully meet regulatory expectations.
• In the UK, it is likely that implementation of the requirements, particularly in larger, complex firms, will require a cross-divisional project for which express accountability should be assigned to a Senior Manager.
• Finalisation of the UK rules is an important milestone, but the operational resilience landscape will continue to develop both at the domestic and international level. Firms operating cross-border should be mindful of requirements being introduced by other regulators to similar timescales which, while similar to the UK approach, do vary in scope and emphasis.

What is operational resilience?

Operational resilience is the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions. At the most basic level, a firm or sector which is operationally resilient can get back up after it has fallen over.

It is important that the definition acknowledges the potential for an entity or the whole sector to “fall over”. While there will always be great effort and resource put into preventing risks from crystallising, it is unrealistic to assume that firms and regulators can foresee and mitigate every eventuality.

Initially, regulators drove the focus on operational resilience – the debate in the UK was formally launched in 2018 – but the advent of Covid-19 has significantly accelerated industry engagement.

The UK Proposals

On 5 December 2019, the Bank, the PRA and the FCA released a number of publications on operational resilience, marking the launch of a consultation phase which will inform how the UK authorities seek to embed the consideration of operational resilience into the regulatory framework. The proposals covered firms and financial market infrastructures (FMIs) (which are central counterparties (CCPs), central securities depositories (CSDs), recognised payment system operators (RPSOs) and specified service providers (SSPs)).

The proposals in the consultation papers built on concepts advanced in the regulators’ joint July 2018 Discussion Paper 01/18 (DP01/18) Building the UK financial sector’s operational resilience. Importantly, the regulators’ starting point was that operational disruption would happen, and this was the starting point for the policy proposals.

The Bank, PRA and FCA proposed that firms and FMIs would be expected to:

• identify their important business services that if disrupted could cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system;
• set impact tolerances for each important business service, which would quantify the maximum tolerable level of disruption they would tolerate;
• identify and document the people, processes, technology, facilities and information that support their important business services; and
• take actions to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios.

Responses to the consultations were initially requested by April 2020, but the consultation phase was extended to October 2020 to accommodate firms’ and FMIs’ efforts to respond to Covid-19. (See our December 2019 briefing here.)

The March 2021 Policy and Final Rules

The joint covering document

The Bank, the PRA and the FCA have published a joint covering document: Operational Resilience: Impact tolerances for important business services which summarises the common responses received to the December 2019 consultations and provides an overview of the final policy. The joint covering document includes information on the implementation timescales, and discusses how the UK approach diverges from, for example, that adopted by the BCBS.

FCA policy statement (PS21/3)

In Policy Statement 21/3 Building Operational Resilience (PS21/3), the FCA sets out details of the feedback it received on the proposals it consulted on and its final policy.

In its own assessment, the FCA has largely implemented the proposals as consulted. Some changes were made to provide more time and flexibility to meet mapping and scenario testing requirements.

The new rules and guidance will largely be contained in a new chapter of the Senior Management Arrangements, Systems and Controls (SYSC) module of the FCA Handbook, SYSC 15A. The FCA’s new rules affect banks, building societies, PRA-designated investment firms, insurers, recognised investment exchanges (RIEs), firms within the enhanced scope of the Senior Managers and Certification Regime (SMCR), and entities registered under the Payment Services Regulations 2017 (PSRs) or Electronic Money Regulations 2011 (EMRs).

The FCA has also revised its webpage on cyber resilience, renaming it "Operational Resilience" and incorporating earlier materials on cyber resilience within a summary of its broader operational resilience framework.

PRA policy statement (PS6//21)

In Policy Statement 6/21 Operational resilience: Impact tolerances for important business services (PS6/21), the PRA sets out the feedback it received on the proposals it consulted on and its final policy. PS6/21 is relevant to UK banks, building societies, and PRA-designated investment firms; and UK Solvency II firms, the Society of Lloyd’s and its managing agents.

The PRA comments that the feedback it received focused on implementation, proportionality, alignment with the FCA, alignment with international principles, and requests for further detail on PRA expectations.  In response to this feedback, the PRA has made a number of changes in its final policy, including:

• Revising its new Supervisory Statement (SS) to provide additional clarity about internal services (that is, services which are not customer or end-user facing) in the context of identifying important business services. In particular, the PRA has provided examples of internal services and the circumstances in which they would be determined as necessary for the delivery of important business services;
• Further aligning the definition of important business services with the FCA’s definitions of the same; specifically, the PRA makes clear that an important business service could be delivered wholly or in part by another person;
• Introducing a degree of proportionality, the PRA has excluded small and medium firms from the requirement to assess their potential impact on financial stability when identifying important business services and setting impact tolerances; and
• Explaining how the PRA differentiates between important business services in the context of its operational resilience policy and the broader concept of critical services which is used in the PRA’s proposed approach to operational continuity (when a firm is) in resolution (OCIR).

Appendices to PS6/21 set out the texts of the rules as they will appear in the PRA Rulebook, the SS and the Statement of Policy.

The Bank’s policy statements for FMIs

The Bank has published a policy statement and a supervisory statement for each group of FMIs – that is: (1) CCPs, (2) CSDs, and (3) RPSOs and SSPs.

For all three FMI types, in finalising its policy, the Bank has clarified its expectations on considering financial stability. The Bank explains its view that financial stability is more likely to be impacted by a mass outage affecting multiple important business services, rather than individual important business service outages. The drafting requiring the setting of an impact tolerance for each important business service may be interpreted narrowly such that focus is on the disruption of single important business services and there is a failure to consider impact tolerance if multiple important business services were disrupted simultaneously. In its finalised text, the Bank clarifies that it expects FMIs to consider the implications for their impact tolerances should more than one important business service be disrupted at the same time.

Implementation timescales

For the new operational resilience rules, there will be a one-year implementation period to 31 March 2022. This will be followed by a three-year transitional period ending on 31 March 2025.

The joint covering document sets out details of the authorities' expectations relating to these deadlines:

While firms are likely to have many of the elements already in place (or in plan), it is reasonable to assume that effort and resource will need to be deployed to fully meet regulatory expectations.

We expect that implementation of the UK regulatory requirements, particularly by larger, complex firms, will require a cross-divisional project for which express accountability should be assigned to a Senior Manager – an individual accountable under the UK Senior Manager Regime.

PRA outsourcing policy statement

Alongside the operational resilience papers, the PRA has also published its final policy on outsourcing and third party risk management (PS7/21) which summarises the feedback received to its original proposals and sets out final rules.

With regard to feedback received, the PRA noted a number of comments with regard to aligning its policy with those issued by the relevant European Supervisory Authorities (ESAs). The PRA comments that, in line with the Statement of Policy: “Interpretation of EU Guidelines and Recommendations: Bank of England and PRA approach after the UK’s withdrawal from the EU”, it it no longer expects PRA-regulated firms to make every effort to comply with any ESA Guidelines that came into effect after the end of the implementation period. However, the PRA considers that its expectations are not “materially divergent” from relevant ESA guidance.

The PRA has responded to feedback, including:

• With regard to outsourcing and third party risk, the PRA has removed the expectation that arrangements performed or provided in a prudential context fall within the definition of outsourcing, instead retaining the reference to the existing PRA Rulebook definition. It has also made explicit reference to relevant ESA guidance.
• In the SS, the PRA confirms that firms should assess the materiality and risks of all third party arrangements, irrespective of whether they fall within the definition of outsourcing. Where non-outsourcing, third party arrangements are deemed to be material or high risk, the PRA expects firms to implement effective, risk-based controls.
• With regard to intragroup arrangements, the SS clarifies the PRA’s expectations on intragroup arrangements, including on the application of proportionality. The PRA also provides additional examples of proportionality in intragroup arrangements. Similarly, the PRA has provided some examples of how third-country branches may apply certain expectations in the SS proportionately.
• The PRA plans to consult on proposals for an online portal for firms to submit information on their outsourcing and third party arrangements.
• With regard to agreements, the PRA expects that should a third party service provider in a material outsourcing (or other third party) arrangement be unable or unwilling to include certain terms within the contract that reflect the firm's obligations, that firm should inform the PRA.
• The PRA has clarified that none of the expectations in the SS should be interpreted as explicitly or implicitly favouring or imposing restrictive data localisation requirements. However, the PRA expects firms to adopt a risk-based approach to the location of data that allows them to leverage the operational resilience advantages of outsourced data being stored in multiple locations while managing relevant risks.
• Additional guidance has been added about the conduct of on-site audits. The SS acknowledges that certain types of onsite audit create may an unmanageable risk for the environment of the provider and/or another client of the same provider, for instance by impacting the provider’s service levels or the confidentiality, integrity, and availability of data. In such cases, the firm and the service provider should agree on alternative ways to provide an equivalent level of assurance. Firms should retain their underlying right to conduct an onsite audit. For material outsourcing arrangements, the PRA expects firms to inform their supervisor if alternative means of assurance have been agreed.

Outsourcing arrangements entered into on or after Wednesday 31 March 2021 should meet the expectations by Thursday 31 March 2022. Firms should seek to review and update legacy outsourcing agreements entered into before Wednesday 31 March 2021 at the first appropriate contractual renewal or revision point as soon as possible on or after Thursday 31 March 2022.

It is clear that the PRA’s final rules will impact on how regulated firms engage and contract with third parties; we will cover this aspect in greater detail in a later post.

The wider context of operational resilience

While the finalisation of the UK rules is a significant milestone, there is a wider context in which operational resilience policy and thinking is developing – at both domestic and international level. Firms operating cross-border should be mindful of requirements being introduced by other regulators to similar timescales which, while similar to the UK approach, do vary in scope and emphasis.

For example, on 1 April 2021, the BCBS published its principles for operational resilience which aim to increase banks' capacity to withstand disruptions due to potentially severe adverse events. The operational resilience principles focus on governance, operational risk management, business continuity planning (BCP) and testing, mapping interconnections and interdependencies, third party dependency management, incident management and resilient cyber security, and information and communication technology (ICT).

They are largely derived and adapted from existing guidance on outsourcing, BCP and risk management-related guidance previously issued by the BCBS or national supervisors over a number of years. They also build on the BCBS principles for the sound management of operational risk (PSMOR). The BCBS has taken this approach in order to avoid duplication and ensure that the resulting framework is coherent. A similar approach was taken in the US, where the federal bank regulatory agencies released a paper entitled "Sound Practices to Strengthen Operational Resilience" which draws together relevant material from existing regulations, guidance, statements, and common industry standards in October 2020.

Alongside the operational resilience principles, the BCBS has published a revised version of the PSMOR. It has made a limited number of technical revisions to:

• Align the PSMOR with the recently finalised Basel III operational risk framework;
• Update the guidance where needed in the areas of change management and ICT; and
• Improve the overall clarity of the principles document.

Keeping up with operational resilience

Our Operational Resilience Hub helps to keep you up to date on the upcoming regulatory expectations. The hub features an interactive timeline which currently covers the UK, EU, Hong Kong and Singapore, and output from global standard setters such as the BCBS, the Financial Stability Board (FSB), and the International Organisation of Securities Commissions (IOSCO). The content includes operational resilience, cyber resilience, outsourcing, BCP and more. We are adding more major financial services centres and we are regularly updating the timeline to provide a “one stop shop”.