Strengthening Your Company’s Operational Resilience

A Regulatory and Compliance Perspective in the UK Financial Services Sector 

In an era marked by technological advancements, regulatory scrutiny, and increasing market volatility, the concept of operational resilience has taken centre stage within the UK financial services sector. For those responsible for regulatory compliance, the pressing need to cultivate a robust operational framework cannot be overstated. This article delves into the regulatory expectations surrounding operational resilience, the risks associated with insufficient preparations, and practical steps firms can take to ensure they are well-equipped for the operational challenges they will face. 


Regulatory Expectations: A Radical Shift for Operational Resilience 

The UK’s regulatory landscape has evolved significantly, especially following high-profile incidents such as the CrowdStrike outage in July 2024, which exposed vulnerabilities in the financial system. The Financial Conduct Authority (FCA) and the Bank of England have set out stringent guidelines aimed at ensuring that financial institutions can withstand operational disruptions to their most important business services, with an implementation date of no later than 31 March 2025. This requires not only that robust operational resilience frameworks exist, but that firms know their vulnerabilities through thorough testing and set a maximum tolerable level of disruption for each important business service they have identified.


Business continuity plans are not a 'tick-box' exercise; they must be dynamic documents that reflect an institution's ability to respond to a myriad of disruptions, from cyberattacks to more traditional operational failures. The FCA and the Prudential Regulation Authority (PRA) expect firms to conduct such assessments and stress tests regularly, reassessing their resilience in light of evolving risks. A robust operational risk framework must include a clear understanding of the potential impact of third-party outages and of the critical dependencies that exist within the supply chain.


The Increased Dependence on Technology 

As financial firms have accelerated their digital transformation efforts, their reliance on technology has surged. While technology can enhance efficiency, it also heightens operational risk, especially when companies depend heavily on a small number of technology and cloud service providers.  


An example of this concentration risk was the major cyber event in July 2024, where a faulty software update from cybersecurity firm CrowdStrike triggered a massive global IT outage, leaving its mark on businesses and critical infrastructures around the world. The incident affected approximately 8.5 million Windows machines, crippling operations for airlines, hospitals, and other essential services. Wholesale markets faced severe disruptions as auto pricing engines failed, exposing a lack of true liquidity and revealing how participants typically aggregate and repackage other liquidity. The fallout was immense, costing Fortune 500 companies an estimated $5.4 billion in losses.


The interconnectedness of firms and their technology providers can lead to major disruptions, particularly when system outages occur. Firms must confront the reality that operational failures can cascade through the financial ecosystem, impacting clients and counterparties alike. 

To mitigate the risk associated with interconnectedness, financial institutions should consider diversification strategies in their technology infrastructure. Establishing relationships with multiple providers can help cushion the blow during systemic disruptions. Moreover, firms can bolster operational risk management through enhanced monitoring capabilities and regular testing of contingency plans, ensuring they can pivot quickly in times of stress. It is important to note that operational risk failures can have a major impact on the financial soundness of a firm. Loss of customer confidence in an institution could result in outflows of deposits for a bank or, for an investment firm, in customers asking for their funds to be moved to other providers.



Responses and Planning: Establishing Best Practices 

Operational resilience demands proactive responses and meticulous planning. The financial services sector has witnessed the emergence of best practices for incident response that can serve as guiding principles. Firms should create an incident response plan and have a dedicated team to oversee its execution and to coordinate incident response testing on a regular basis.


Another critical component of enhancing operational resilience involves the thorough assessment of third-party risks. Engaging in due diligence and establishing criteria for selecting technology and service providers is paramount. Firms must assess not only the immediate functionality of their third-party solutions but also their ability to withstand outages and maintain service continuity. In essence, firms must assess the resilience of their third-party providers. 


Regular testing and updates to business continuity plans are equally essential and mandatory for FCA regulated firms. Simulated operational disruptions can be invaluable in understanding how well a firm performs under stress. Conducting tabletop exercises that replicate various scenarios helps organisations identify weaknesses and enables them to refine their response strategies effectively. 


Regulatory Focus: Operational Resilience as Market Stability 

The increasing regulatory focus on operational resilience stems from a clear understanding that market stability hinges upon firms' abilities to withstand operational shocks. Recent FCA regulations have heightened expectations concerning third-party risks, compelling firms to prioritise the resilience of their service providers. Regulatory bodies now expect comprehensive assessments that gauge not only the current capacities of third parties but also their preparedness for extended outages. 


Furthermore, there is a global push for standardised best practices concerning operational resilience, emphasising preventative measures and critical assessments. International regulatory frameworks are beginning to converge, encouraging consistency in expectations surrounding operational continuity.

Preparing for Future Events: Leveraging Technology and Scenario Planning 

Looking beyond the regulatory deadlines of PS21/13, financial institutions must prepare for an increasingly unpredictable future. The integration of artificial intelligence and machine learning presents potentially unprecedented opportunities for predicting potential disruptions before they occur. Data-driven insights can transform approaches to risk management, allowing firms to adapt their strategies proactively. 


Scenario planning and stress testing remain indispensable tools for assessing a firm's preparedness for extreme conditions or black-swan events. By simulating a wide range of potential operational disruptions, firms can gain invaluable insights into their vulnerabilities, enabling them to devise strategies to mitigate risks before they materialise. 


Investment in cybersecurity and system redundancy is essential to fortifying operational resilience against the spectre of cyber threats. Layered defences safeguard critical systems and data while ensuring that, in the event of an attack, firms can quickly pivot and resume operations. 


Operational resilience is no longer merely a regulatory requirement; it is imperative for sustained competitiveness and trust in the financial services sector. As regulatory expectations grow increasingly stringent, firms must adopt a proactive approach to resilience planning. By embracing technological innovation, diversifying dependencies, and implementing best practices for incident response, the financial services sector can foster a robust environment that not only withstands disruptions but also thrives in an ever-changing landscape. Building a culture of resilience will not only protect individual firms but will also contribute to the overall stability and integrity of the financial system. 

For support and guidance on any items covered in this article from training to fully managing your operational resilience, get in touch today with the team at Leaman Crellin for a chat. 
