With the UK regulators’ operational resilience policy package finalised at the end of March, an early May speech from Lyndon Nelson, PRA Deputy CEO & Executive Director of Regulatory Operations and Supervisory Risk Specialists was well-timed. Mr Nelson’s authoritative voice has guided the evolution of operational resilience as a regulatory – or perhaps more particularly, a supervisory – concept for a number of years on both the UK and the global stages.
A testament to Mr Nelson’s expertise was his use of a simple, very quotable explanation for the regulatory focus on operational resilience:
“There is no bail out option if your firm is unable to function because of an operational incident. There is no operator of last resort function in Threadneedle Street.”
Quotable quotes aside, the speech provides some reassuringly sensible insights into the supervisory perspective on operational resilience. It was clear that he had spent some time reading commentary on the operational resilience policy package and wanted to allay any concerns that the difference in language used by the FCA and the PRA was indicative of divergent approaches. Mr Nelson stated:
“Our joint intention is to operate the same regime, there are not supposed to be any hidden nuances in this policy, nor should there be any differences in implementation. Work done for one regulator can and should be leveraged to meet the requirements of the other.”
He acknowledged that the PRA’s safety and soundness objective versus the FCA’s objective focused on ensuring relevant markets work well would be a point of differentiation in firms’ experiences of supervision and regulatory expectations. Operational disruption could, depending on the nature of the incident, impact either of those objectives or both; firms which are subject to both the PRA and the FCA will need to consider both lenses in developing their approaches to operational resilience. It is worth noting that while such dual-regulated entities are significantly fewer in number than the FCA’s solo-regulated portfolio, the list of dual-regulated entities includes the most systemically significant financial services firms in the UK, some of which are also systemically significant at a global level.
With an eye to the global context, Mr Nelson summarised the Basel Committee Principles for Operational Resilience, which were released hot on the heels of the UK package. He noted that both the UK and the Basel Committee approaches contain the same concepts, and was confident that the UK framework will deliver the Basel Committee Principles in the UK. It signals a broader hope for global consistency of operational resilience frameworks and – longer term and to a degree – of supervisory approach to emerge. There is already some evidence of that path to consistency, as a number of jurisdictions in addition to the UK are already in alignment with the Basel Committee; for example, the key concepts are present in the US federal banking agencies’ Sound Practices paper (October 2020) and the Central Bank of Ireland’s consultation paper (April 2021). We expect other jurisdictions to base their approaches on the Basel Committee Principles; notably, the Hong Kong Monetary Authority (HKMA) is currently considering whether to issue guidance to facilitate implementation of the Principles in the jurisdiction. This is not to say we expect the eventuality of a homogeneous regulatory and supervisory environment, but rather that the divergences between regimes should dissipate over the longer term, creating a less onerous compliance burden on firms that operate across borders.
On the timescales for delivering the UK package, Mr Nelson highlighted the use of the term “sophistication” in the various policy documents. While firms are expected to do a lot over the next 11 months to 31 March 2022, the regulators appreciate that approaches will evolve and grow in sophistication over time. By the 2022 date, firms should be able to “set out a compelling gap analysis”, identifying shortcomings and areas for more work. It will be interesting to see how these March 2022 self-assessments align, or do not align, with regulatory assessments. For example, the FCA sends certain firms evaluation letters setting out the key risks which the firm poses to the FCA’s objectives, and which may also set out specific risk mitigation actions that the firm is required to take.
Looking ahead to the continuing evolution of operational resilience, Mr Nelson discussed a number of forthcoming challenges:
- Dual impact tolerances
Mr Nelson acknowledged that there was uncertainty here, as each regulator has yet to finalise its approach. Specifically for the PRA, it remains to be seen how it will interact with the Financial Policy Committee’s (FPC’s) tolerances – for example, if the FPC determines a tolerance on payments, the PRA could be expected to take an end-to-end approach. The likely follow-on is that the functions of the payment system itself would need to be restored first, before providing access to direct members and then to indirect members and customers.
- Changing business models and cloud technology
Referring to the impact of Covid-19, Mr Nelson discussed how digitalisation is changing the risk landscape. With a particular focus on cloud utilisation, he discussed the PRA’s final policy on outsourcing and third party risk management which forms a critical part of the operational resilience package. Modernising its approach, the PRA has sought to address some specific nuances and challenges involved in cloud outsourcing. For example, there is a renewed emphasis on data security, the management of sub-contractors and the supply.
The PRA, said Mr Nelson, also recognises a range of proportionate assurance mechanisms, including the use of collective assurance actions such as firms using “pooled audits” to assess the control environment of a common service provider. While the availability of such an option under the PRA’s approach is certainly welcome – and we note that the EU’s Digital Operational Resilience Act (DORA) contains similar provisions – we think that it will be important for regulators to provide specific guidance here, not least to mitigate the risk of an inadvertent breach of competition law. Such a concern could, of course, extend beyond the financial services sector. (For more on the PRA’s approach to outsourcing and third party risk management, see our recent blog here.)
Back in 2018, the PRA’s Deputy CEO spoke about operational resilience saying he wanted to have every firm on a W-A-R footing, the acronym for Withstand, Absorb, Recover. The language has definitely moved on from 2018, while the principles and the elements of the framework have remained largely intact and as initially conceived. However, what firms can take from Lyndon Nelson’s latest remarks is comfort in the broad recognition at a senior supervisory level that operational resilience is understood very much as a journey, rather than a static destination.
Tracking operational resilience
Our Operational Resilience Hub helps to keep you up to date. The hub features an interactive timeline which currently covers operational resilience, cyber resilience, outsourcing, business continuity planning (BCP) and related material from the UK, EU, Hong Kong, Singapore, and global standard setters such as the Basel Committee.