Service level standards set to be stipulated for UK banks

Lyndon Nelson, an executive director at the Bank of England, said it is likely that the Financial Policy Committee (FPC) at the Bank would "set a minimum level of service provision" as part of work aimed to address increasing risks to operational resilience in the financial services sector.

The standards are likely to apply in the context of "key economic functions" and to "key providers" only initially, he said.

Nelson said the FPC's work will establish a "common framework" from which the UK's financial regulators would "build their own tolerances, expectations and approaches".

"The setting of supervisory expectations would then be used as an input to guide firms’ actions in managing their own operational resilience," Nelson said in a speech on Wednesday. "My expectation is that these tolerances will use a combination of time, volume, market share and measures of interconnectedness."

He said firms are likely to be involved in defining "their own tolerances for key business services" under the new framework.

"These tolerances should be in the form of clear metrics indicating when a disruption would represent a threat to a firm, to consumers or to financial stability," Nelson said. "We will expect firms to test their tolerances and demonstrate to their supervisors that they have concrete measures in place to deliver resilient services."

"We will further expect firms’ boards to play a key role as they develop their operational and cyber resilience strategies. This will include: the setting and reviewing of tolerance; promoting the development of management information; overseeing resilience programmes; and promoting and overseeing investments in technology, systems and people," he said.

Firms will also need to show they can absorb and recover from "an operational shock" if it does arise, Nelson said.

He said: "Firms will need to clearly define and regularly test their approaches to incident management. These should also include good communication plans both internally and externally. And firms need to be able to recover from an operational incident. This requires viable, tested contingency plans for the resumption of critical functions."

However, Angus McFadyen, an expert in technology contracts in the financial services sector at Pinsent Masons, the law firm behind Out-Law.com, said: "The root cause of many of the problems we have been seeing does not sit with a lack of KPIs/service levels – all businesses have these internally and monitor them regularly, and the impact of a drop in availability will vary significantly across different product types."

"Some of the greatest interruptions we have seen have been due to significant change and migration programmes which have either been unlucky or, more likely, not been operated in a sufficiently controlled manner – it feels to me that the governance around change implementation should be a real area for focus as this will be relevant to all institutions, not just those that customers are reliant upon for day to day transactions," he said.

In his speech, Nelson said he believes operational resilience will in future "be seen to be on a par with financial resilience and a key part of a firm’s risk profile". The challenging of maintaining operational resilience is made more difficult by the growing cyber threat, however, he said.

"The cyber threat brings operational resilience into greater focus and requires organisations to understand themselves, their strengths and their weaknesses," Nelson said. "It becomes essential for firms to understand their most critical assets and their most critical functions. What defines critical? Well, several things: the importance to the customer; the importance to the integrity of the firm; and the importance to the sector and the wider economy. Armed with this information they can then allocate their finite resources in the most targeted way."

Nelson said that a review of incident management in the financial services sector was carried out by the Cross Markets Operational Resilience Group (CMORG) – a body chaired by the Bank and comprising representatives from major firms, the government, regulators and the National Cyber Security Centre. It found that there is "a need for greater coordination and more rapid information sharing during a cyber incident", he said. Nelson welcomed collaborative international action being taken to address the "lessons" from the review.

The deputy chief executive of the Prudential Regulation Authority also highlighted steps the Bank has been taking to update the "supervisory tools" at its disposal to "assess firms’ resilience against our expectations". He said the Bank has been trialling some "diagnostic tools" and plans further "threat-led penetration testing" of firms.