The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have published a joint discussion paper on an approach to improve the operational resilience of firms and financial market infrastructures (FMIs).
The paper follows the payments chaos which followed a hardware failure at Visa that hit millions of transactions across Europe in June, and TSB’s IT upgrade which resulted in turmoil for the bank’s customers.
The FCA and PRA suggest two days as an acceptable limit for disruption to a business service, under one scenario in the discussion paper. It envisages that boards and senior management can achieve better standards of operational resilience through increased focus on setting, monitoring and testing specific impact tolerances for key business services, which define the amount of disruption that could be tolerated.
The challenges for operational resilience have become even more demanding given a hostile cyber-environment and large-scale technological changes. As recent disruptive events illustrate, operational resilience is a vital part of protecting the UK’s financial system, institutions and consumers.
An operational disruption, such as one caused by a cyber-attack, failed outsourcing or technological change, could impact financial stability by posing a risk to the supply of vital services on which the real economy depends, threaten the viability of individual firms and FMIs, and cause harm to consumers and other market participants in the financial system. This DP focuses on how the provision of these products and services can be maintained within reasonable tolerances regardless of the cause of the disruption. It reinforces the need for firms and FMIs to develop and improve response capabilities so that any wider impact of disruptive events is contained. The speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm’s response.
Motivating the approach are a number of important concepts, which include:
- focusing on the continuity of the most important business services as an essential component of managing operational resilience
- setting board-approved impact tolerances which quantify the level of disruption that could be tolerated
- planning on the assumption that disruption will occur as well as seeking to prevent it
The approach to operational resilience set out in this DP is consistent with the Financial Protection Committee’s (FPC) recent plans to establish its tolerance for disruption to financial services from cyber incidents, with both focusing on continuity of business services. The supervisory authorities may expect some firms and FMIs to consider the FPC’s impact tolerance when they set their own tolerances.
The supervisory authorities are encouraging responses to questions posed in the DP from all types of firms and FMIs, trade associations, consumer bodies, individuals and businesses as users of financial services, and especially those who have suffered harm from disruptive events.