Financial institutions can expect regulators, such as the Financial Conduct Authority (FCA) in the UK, to communicate actively with them regarding their business continuity arrangements. They should prepare to make their plans available when requested to do so.
Firms should review their regulatory outsourcing requirements around business continuity and take them into account when assessing the extent to which they can grant suppliers relief in performing their contractual obligations.
Managing supplier relationships
As part of the response to these challenging times, many businesses are carefully reviewing their outsourcing and third party contracts in order to understand whether, and the extent to which, they should be granting suppliers some form of relief from performance of contractual obligations.
Relief may depend on what the contract says about business continuity and force majeure, what is within a party's reasonable control and what may have been foreseeable. However, determining these points, and what constitute 'reasonable steps' in these unprecedented circumstances, are all matters open to interpretation.
Financial institutions must not only ensure that they are assessing these matters objectively, but also have a clear understanding of their own business continuity regulatory requirements.
The FCA's expectations
The FCA has dedicated webpages for both institutions and consumers in relation to the coronavirus crisis. The webpage for consumers complements the work the regulator is doing with regulated businesses, as well as with the government, the Bank of England and the Payment Systems Regulator during this uncertain time.
Firms should ensure they keep the need to deliver fair customer outcomes at front of mind while making and implementing plans in response to the coronavirus outbreak.
In respect of business continuity in particular, the FCA has said that it expects "all firms to have contingency plans in place to deal with major events". It has also said that it is "actively reviewing the contingency plans of a wide range of firms".
The FCA also has the power to ask financial institutions for comprehensive information regarding their business continuity frameworks. Financial institutions therefore should prepare to respond as effectively as possible and provide all information that is required during these challenging times.
The FCA may ask for:
- assessments of operational risks;
- information regarding the ability of firms to continue to operate effectively; and
- the steps firms are taking to serve and support their customers.
In addition to providing regulators with the information they require, financial institutions should ensure that they are taking all necessary actions to deal with the impact that disruption may have on their relationships with their outsourcing and other third party providers. The expectation is that firms will take "all reasonable steps" to meet their regulatory obligations.
Responding to European Banking Authority guidelines
The FCA's view of what constitutes a 'reasonable step' will be informed by guidelines developed by the European Banking Authority (EBA), notably the EBA guidelines on outsourcing arrangements and the EBA guidelines on ICT and security risk management. Those guidelines set out the business continuity steps to be taken.
EBA guidelines provide that financial institutions should:
- establish sound business continuity processes to "maximise their abilities to provide services on an ongoing basis and to limit losses in the event of severe business disruption";
- be able to demonstrate their "ability to operate on an ongoing basis and to limit losses in the event of severe business disruption";
- establish business continuity plans that "take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails";
- consider "that a failure of an internal service provider may have a material impact on their business activities";
- be able to "maintain [their] most important business activities if there is disruption to its ordinary business procedures."
Financial institutions should consider completing assessments based on the EBA guidelines on areas such as business impact assessment and analysis, business continuity planning, response and recovery plans, and crisis communications to understand which information regulators might request from them and to help them assess how best to mitigate business disruption caused by coronavirus, officially Covid-19.
Business impact assessment and analysis
EBA guidelines require financial institutions to assess and analyse their business continuity measures. Core questions to ask are:
- Have you conducted a business impact analysis (BIA)?
- If you have, did your BIA:
  - analyse your exposure to severe business disruptions?
  - assess potential impacts (including on confidentiality, integrity and availability), quantitatively and qualitatively?
- Can you demonstrate that your BIA:
  - draws on internal and/or external data, whether proprietary or publicly available?
  - includes scenario analyses? You should consider a range of different scenarios that Covid-19 could lead to, including extreme but plausible ones, and assess the potential impact that such scenarios might have.
  - indicates that you have classified your business functions, supporting processes, third parties and information assets, and their interdependencies, according to criticality?
- Can you demonstrate that your ICT systems and ICT services are designed and aligned with your BIA?
- Do you have redundancy in place for critical components, so that disruptions do not impact those components?
- Does this analysis cover all relevant business lines and internal units and take into account their interdependency?
Business continuity planning
The EBA guidelines also set out specific steps to take in relation to business continuity planning that build on the analysis undertaken. The questions to ask are:
- Have you prepared business continuity plans that are based on your BIA?
- Have these plans been documented and approved by the appropriate management body?
- Do these plans specifically consider risks that could adversely impact ICT systems and ICT services?
- Does the plan support objectives to protect and, if necessary, re-establish the confidentiality, integrity and availability of business functions, supporting processes and information assets?
- Can you demonstrate that you have coordinated amongst relevant internal stakeholders, as appropriate, during the establishment of these plans?
- Are all necessary recovery time objectives documented, clear and explicit?
- Do your business continuity plans (BCPs) set out how you are able to recover operations of critical business activities after disruptions within relevant recovery time objectives (RTO, the maximum time period within which a system or process must be restored after an incident)?
- Do your BCPs set out how you are able to recover operations of critical business activities after disruptions within a recovery point objective (RPO, the maximum time period during which it is acceptable for data to be lost in the event of an incident)?
- Do your plans describe how the continuity of ICT systems and services, as well as the financial institution’s information security, are ensured?
- Have your plans been stored on systems that are physically separated and readily accessible in case of contingency?
- Has appropriate training been provided?
Response and recovery plans
In addition to business continuity plans, financial institutions need to ask themselves a series of questions in relation to response to and recovery from events that disrupt business:
- Have you developed response and recovery plans?
- Do these plans specify:
  - what conditions may prompt their activation?
  - what actions should be taken to ensure the availability, continuity and recovery of, at least, financial institutions’ critical ICT systems and ICT services?
  - how they are aimed at meeting the recovery objectives of your operations?
  - both short-term and long-term recovery options?
  - the recovery of the operations of critical business functions, supporting processes, information assets and their interdependencies to avoid adverse effects on the functioning of your business and the financial system?
  - where relevant, how payment systems, payment service users and the execution of pending payment transactions are impacted?
  - alternative options where recovery may not be feasible in the short term because of costs, risks, logistics or unforeseen circumstances?
  - how you can implement continuity measures to mitigate failures of third party providers that are of key importance for a financial institution’s ICT service continuity?
- Are these plans documented and available and readily accessible by business and support units in the event of an emergency?
Financial institutions must have clear crisis communications processes in place. It is important therefore that they determine whether they have effective crisis communication measures in place so that all of the following are informed in a timely and appropriate manner:
- relevant internal stakeholders;
- competent authorities, when required by national regulations;
- group entities;
- outsourcing providers;
- other third party providers; and
- other external stakeholders.
The broader picture
Understanding what is required from a regulatory perspective is only a small part of the picture in dealing with the risks which the Covid-19 crisis presents. Broader issues concerning employees, health and safety, supply chain management and many others need to be addressed.