Mar 20 – Building operational resilience: does it matter?
Operational resilience has become an area of priority for the FCA and was included in their 2019/20 Business Plan. They issued a Consultation Paper on 5 December 2019 and within the mortgage intermediation sector it will apply to SM&CR enhanced firms. However, all firms ought to review the contents of the paper with their directors and senior management as there is useful information for all to consider.
The definition of operational resilience is “the ability of firms and FMIs (Financial Market Infrastructures) and the financial sector to prevent, adapt, respond to, recover and learn from operational disruptions”.
There have been many high-profile examples of poor operational resilience in financial services, such as IT failures or cyber-attacks, which have led to consumer harm and threatened market integrity. A notable example would be the complications following TSB’s technology migration failure in 2018. As technology becomes more prevalent as a way for firms to deliver products and services, and as consumers’ and businesses’ reliance on such technology grows, it is important to ensure firms are robust and are able to “absorb and adapt to shocks, rather than contribute to them”.
The emphasis is on how firms need to shift their thinking from disruptions that ‘might’ happen to disruptions that ‘will’ happen. Also, the FCA is not expecting firms to stop all disruptions from happening, as they acknowledge that this is not realistic. Instead, firms need to prioritise areas of operational resilience. Currently, many firms focus on the recovery of systems, but instead they should focus more on the continuity of supply and provision of services to limit the wider impact on consumers.
The first stage is for firms to identify their important business services. An important business service is defined as “a service that a firm provides to an external end user or participant. Business services deliver a specific outcome or service and should be distinguished from lines of business, e.g. retail and commercial mortgages, which are a collection of services and activities”. It will be down to an individual firm to determine what their important business services are, as these will not be prescribed by the FCA. Firms will also need to consider the chain that makes up these services.
The second stage is to carry out ‘mapping’, where firms identify and document the resources that deliver and support their important business services, providing a clearer picture to identify any vulnerabilities and to remedy them. The mapping will need to be proportionate to a firm’s role and size (i.e. less complex firms will have simpler and fewer important business services to map) and includes those outsourced and third-party services over which the firm may not have direct control.
The next stage is for firms to set impact tolerances, which are defined as a firm’s “maximum tolerable level of disruption to an important business service” and which assume that disruption to the systems and processes supporting that service will occur. The FCA proposes that firms should have a clear, timely and relevant communication process should operational disruption occur, so that meaningful information can be relayed to internal and external parties such as the regulator and consumers.
The FCA will allow time for firms to implement any proposals but states that “firms must be able to remain within their impact tolerances as soon as reasonably practicable, but no later than 3 years, after the rules come into effect”. The definition of “reasonably practicable” depends on factors such as the scale of the firm and its importance to the wider financial sector, yet all firms still need to demonstrate, within their self-assessment document, the actions they are taking during the transitional period. AMI will provide detailed guidance to member firms during 2020.
Chief Executive, AMI