In-scope firms (which include banks, building societies and designated investment firms, as well as e-money and regulated payments businesses) were required to complete their operational resilience self-assessments by March 31, 2022.
Given the novelty of some of the concepts, many firms struggled to produce complete and thorough self-assessment documents.
Many took comfort, however, from the fact that both the UK Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) recognised that the implementation period does not end until March 2025 and that the quality of work would improve over time.
The significant phrase used by the regulators was "level of sophistication". In various public pronouncements during the period prior to implementation, both the PRA and FCA made it clear that they expected firms to make a decent good-faith attempt to identify their important business services and impact tolerances, but it was recognised that the "level of sophistication" of firms' approaches would develop during the next three years.
The industry was well aware that the regulators would review firms' self-assessments either through thematic work or individual firm contact. The author is beginning to see the first inklings of what the regulators think of the work that has been undertaken.
David Bailey, executive director, UK deposit takers supervision at the Bank of England, gave a speech on April 28. The main elements are set out below; the author's takeaway is that there is a clear expectation that self-assessments will need to improve over time.
It is noted, however, that the PRA only assessed banks and building societies, and it is difficult to extrapolate from this what the implications might be for generally smaller and less well-resourced payments and e-money firms.
Important business services
- Positive progress has been made in identifying important business services, although a wide variety of approaches has been taken.
- The main difference seems to be in granularity, i.e., the extent to which a customer activity is treated as a single important business service or is broken down into constituent important business services. Some firms have taken "payments" as being a single important business service; others have treated payments by BACS, CHAPS, Faster Payments, etc., as separate important business services; still others have differentiated between credit card payments and debit card payments.
- Similar themes arose with lending. Some firms have identified "obtaining a loan" as an important business service, and have considered different types of loan that might be provided, for example, car loan, mortgage loan, business loan. Others have decided to split activities between pre- and post-trade execution.
- The PRA clearly expects granularity to increase in some areas. The lack of uniformity of approaches makes it difficult to make comparisons between impact tolerances across different firms.
- The PRA acknowledges that progress has been made, although it notes that setting impact tolerances has been more challenging.
- Some firms failed to provide impact tolerances for safety and soundness, or for financial stability. This is understandable — these are more nebulous concepts than customer harm and market integrity — but the PRA expects these gaps to be filled as a priority.
- The range of impact tolerances that have been submitted for payments-related important business services appears to the PRA to be surprisingly wide. The PRA will expect firms to justify their determinations, and detailed assessment work across peer groups will soon take place.
Mapping and testing
- The maturity of work in this area varies enormously. The PRA calls out that "significant further work" is needed in the next three years.
- The PRA notes that firms had often recycled existing tools and frameworks. It does not overtly criticise this approach, although it may be that mapping is one of the vital areas where improvement is expected.
The author would like to highlight the following:
- The regulators expect trade bodies to play a significant role in shaping what is suitable and sufficient, and in reducing variability among firms with similar business models and risks. It may, however, be inappropriate to expect trade bodies alone to reduce the variability among firms, and perhaps regulators need to do more to identify their expectations, in particular with respect to granularity.
- The regulators are likely to establish broad contact programmes designed to increase the maturity of self-assessment determinations: firm-specific contact, thematic work and industry roundtables. The expectation is that, having considered banks and building societies, regulators may focus some thematic effort on payments firms, insurance intermediaries and investment firms.
- Where self-assessments identify areas of operational vulnerability, which is the intention behind operational resilience, the regulators expect remediation to be undertaken. This may be a difficult topic for some firms, which may have been reluctant to view operational resilience as a key driver of their future investment priorities.
- Firms should look out for future programmes on "cyber stress testing" and on managing the risks presented by "critical third parties". With regard to the latter, HM Treasury has produced a proposal that may well require the quasi-regulation of currently unregulated third-party IT suppliers, such as cloud infrastructure businesses.
This article was first published in Thomson Reuters Regulatory Intelligence in August 2022.