The Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have published a shared policy summary and co-ordinated consultation papers (CPs) on new requirements to strengthen operational resilience in the financial services sector.
We published a discussion paper on operational resilience in July 2018. We said that our aim is to increase firms’ investment in operational resilience where they provide important products and services, and that building operational resilience is in the public interest.
We are now consulting on new requirements on the firms we supervise to help strengthen operational resilience. We describe operational resilience as an outcome: the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
We want firms to consider the impact of disruption, which can come in many forms. For example, technology failures, cyber-related and other operational incidents, including those outside of a firm’s control, can all have an impact on the people and businesses (and financial markets) that rely on their products and business services.
Operational disruptions and the unavailability of important business services that firms provide have the potential to cause wide-reaching harm to consumers and market integrity, threaten the viability of firms and cause instability in the financial system.
We propose firms:
Our proposals are not intended to conflict with or supersede existing requirements to manage operational risk or business continuity planning, but rather aim to set new requirements that enhance operational resilience.
Delivering operational resilience requires firms to take decisive and effective actions, for example by replacing outdated or weak infrastructure, increasing systems’ capacity or addressing key person dependencies.
By addressing resilience gaps, and building resilience, we believe firms will become more capable of supplying their most important business services even during severe operational disruption.
We are not proposing changes to the rules and guidance on outsourcing or third-party service provision. We reiterate our expectation that all firms remain responsible for the management of their outsourcing and third-party relationships. In an increasingly complex and fast-changing business environment, we want the delivery of important business services by firms to be able to prevent, adapt, respond, recover and learn from disruptive operational incidents. To achieve this outcome, firms need to consider their dependency on services supplied by third parties and the resilience of these third-party services. This includes those third parties typically outside the regulatory perimeter, where firms retain responsibility for the delivery of their regulated services, including any dependency on the third-party service provider.
This consultation affects:
This CP does not apply to EEA firms.
We want to know what you think of our proposals. Please send your comments by 3 April 2020.
You can also:
We will consider all feedback and publish our finalised rules in a Policy Statement in the second half of 2020.