Firms and senior management must keep up with rising regulatory expectations, be ready to co-operate and be prepared to proactively offer redress where appropriate


Six years on from the Basel Committee on Banking Supervision's (BCBS's) consultation on the implications of cloud computing and other technologies for banks and banking supervision, what we now refer to as operational resilience has matured into a more comprehensive regulatory policy covering business continuity, incident management, critical supplier management, and more, in many jurisdictions and across financial services.

As well as developments in regulatory policy, the sources of likely disruption – from the profile of cyber threats to geopolitics – shift continuously. Firms must continue to look ahead. Insights into regulatory expectations and practical examples of what regulators focus on when things go wrong come from enforcement actions, which are therefore a useful source of lessons for the future.

"While regulatory regimes may be at different stages of maturity, maintaining operational resilience is firmly established as a strategic imperative for all boards."

Luke Hastings
Sydney

The UK

In the UK, where operational resilience rules for regulated financial services firms were finalised in March 2021 and firms have until 2025 to reach full compliance, recent enforcement outcomes offer some key lessons:

  • Firms must be on top of their outsourcing and similar arrangements with third-party suppliers (and underlying fourth-party sub-contractors), including intra-group arrangements. Two significant UK cases involved intra-group arrangements where the enforcement notices highlight failures in governance and oversight. In one case, the FCA's final notice paints a picture of a business "in awe" of its parent company and failing to undertake even the most basic level of controls, including auditing arrangements. Intra-group governance structures, such as hard reporting lines from people in the firm up to the service provider, also prevented effective oversight.
  • Senior managers should expect to be in the crosshairs for enforcement action when an incident occurs. Technology and automation can distance staff from the actual workings of the business, but the regulators have been clear, both in recent UK enforcement and in their statements on fintech, that individuals, particularly senior managers, remain accountable.
  • Like their peers, the UK regulators accept that disruption will happen. But how firms deal with disruption matters. One new FCA enforcement lead has emphasised the importance of co-operation and proactively taking action to redress consumer loss.

In terms of further change in this jurisdiction, the development of a regime for critical third-party providers (CTPP) to the financial services sector over the course of 2024 will be one for regulated firms to watch. The practical impacts of the new CTPP regime remain to be seen... and, eventually, to be tested.

"The development of regimes for critical third party service providers is something to watch. Whether these work will be judged by the outcomes following a disruption."

Clive Cunningham
London

Hong Kong

Hong Kong financial regulators have, in recent years, enhanced their guidance on a wide range of operational resilience areas.

In 2022, the HKMA introduced significant enhancements to its Supervisory Policy Manual to implement BCBS principles, including a brand-new module OR-2 on operational resilience, as well as updates to module OR-1 on operational risk management and module TM-G-2 on business continuity planning.

Module OR-2 provides guidance on developing a holistic operational resilience framework. It also highlights the HKMA's expectations on operational risk management, business continuity planning and testing, third-party dependency management, and information and communication technology (including cyber security). Banks had to develop their operational resilience frameworks and timeline by 31 May 2023, and they must become operationally resilient by 31 May 2026 at the latest.

Although we have yet to see enforcement actions, operational resilience remains a top regulatory focus area in supervisory inspections and thematic reviews. For example, in September 2023, the SFC announced a cybersecurity review of selected firms, the findings of which would form the basis of further guidance to the industry.

Like the UK regulators, the SFC and the HKMA have consistently emphasised that senior management remain accountable for operational resilience. The HKMA's new module OR-2 contains detailed guidance on the respective roles of the board and senior management. We expect the SFC and the HKMA to scrutinise the conduct of both the firm/bank and members of its senior management in future investigations.

"Cyber risk and resilience are a key part of the operational resilience picture – this isn't going to change any time soon."

Hywel Jenkins
London

Australia

Consistent with the global position, in the wake of two significant data breaches in late 2022, regulators in Australia are emphasising that operational and cyber resilience should be a key focus for companies and boards.

ASIC recently updated the market integrity rules for market operators and participants (and related ASIC guidance) to specifically address these issues. The refreshed rules cover issues including change management, outsourcing, information security and business continuity planning. ASIC is searching for a test case. Its Chair recently stated: "ASIC will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses... in the right case ASIC will commence proceedings." Meanwhile, the recent UK cases show what regulators may focus on when things go wrong.

In tandem, APRA recently finalised its new prudential standard on risk management, CPS 230, which aims to help APRA-regulated entities strengthen operational risk management, improve business continuity planning and enhance third-party risk management. As in the UK, APRA expects regulated entities to start preparing for the standard, which will be operative from 1 July 2025.

Conclusion

Regulators' expectations on what firms should be doing to ensure they comply with operational resilience rules will continue to develop as the threat and disruption landscape evolves. Looking to tertiary sources of insight, including enforcement actions by financial services regulators and how incidents are handled in other sectors, will provide firms with valuable insight to keep a step ahead of disruption and regulatory trouble.
