PRA confirms expectations on operational resilience

Yvonne Dunn of Pinsent Masons, who specialises in technology contracts in financial services, said the speech by Duncan Mackinnon of the Prudential Regulation Authority (PRA) confirms the PRA’s expectations around operational resilience for financial institutions and third party service providers.

“It is interesting to see the PRA focusing on ‘operational resilience by design’, i.e. financial institutions embedding operational resilience into their requirements from the outset,” Dunn said. “The PRA is also focusing on third party relationships and emphasising their importance to the operational resilience of financial institutions. It is clear that the PRA expects firms to pay close attention to operational resilience issues when contracting with third parties.”

The PRA, alongside the Financial Conduct Authority (FCA) and Bank of England (BoE), last year set new rules on operational resilience that began to take effect on 31 March 2022.

The regulators want firms to shift how they think about operational resilience away from considering the resilience of individual systems and operational resources to “the continuity of the services that [they] provide to their external end users, customers, or participants”. The rules are therefore focused on ensuring the operational resilience of firms’ ‘important business services’.

Firms must identify their own important business services. Though the regulators have set overarching definitions and provided guidance to help firms, there is freedom within the rules for firms to do this within the context of their own business models. The rules require firms to set ‘impact tolerances’ for their important business services within which they expect to be able continue delivering those services “in severe but plausible scenarios”.

The rules require mapping exercises to be carried to identify the resources firms require to deliver their important business services. The purpose of this is to identify where vulnerabilities lie and enable firms to test their ability to remain within the impact tolerances they set. Specific requirements around scenario testing aim to ensure firms assess operational resilience with appropriate rigour.

In his speech, Mackinnon, executive director for supervisory risk specialists, said it expects firms to “include all critical resources and consider internal and external dependencies” in their mapping exercises and for those exercises to “rapidly become more sophisticated, in line with firms’ potential impact”.

On scenario testing, Mackinnon said the scenarios firms use “should assume disruption has occurred” and “include data integrity scenarios and incorporate third party disruption” and “also consider factors beyond the firm’s control”. 

Mackinnon said firms may need to “build substitutability into the way services are delivered” in cases where they cannot remain within the impact tolerances they set. He said this might include, for example, building “an additional data centre or facility, such that when failures occur, services can be transferred and delivered to the same standard by different means”. In the context of outsourcing, it might mean reviewing and adapting arrangements to ensure that “if a third party supplier is disrupted, this does not lead to disruption of the service as a whole”.

Mackinnon said the PRA expects resilience “to be embedded in the way firms do business”.

He said: “We are well aware that not all of firms’ investment is driven by operational resilience. However, we expect for it to become a major consideration in their investment programmes. Designing services to be resilient is often easier than reverse engineering resilience into fragile services. And, in line with the policy requirements, this investment should reflect firms’ awareness of their role in the wider system.”

Alongside the operational resilience rules, the PRA also set new rules on outsourcing and third party risk that also took effect at the end of March. Mackinnon said that implementation of that policy “is fundamental to firms’ resilience” and described the two sets of requirements as “complementary”.

Mackinnon said: “We continue to assess outsourcing arrangements and an increasing number of proposals to move services to the cloud. As this work progresses we will have a particular focus on firms’ exit strategies and their contingency planning for temporary and prolonged outages.”

As reported recently, Out-Law understands that UK financial regulators are to get new powers to bring some cloud service providers and other technology suppliers within their direct scope of regulation in a move designed to safeguard against the increasing dependency on those providers within the sector. It is expected that the measures will focus on the regulation of businesses deemed to be ‘critical third parties’ (CTPs). UK regulators are expected to publish a joint discussion paper on CTPs in UK financial services later this year.

Mackinnon said the PRA is working with the FCA, Bank of England and Treasury “to develop measures to manage the systemic risks posed by critical third parties (CTP) to UK financial institutions – including but not limited to cloud service providers”. He said the discussion paper anticipated would “inform future regulatory proposals relating to CTPs, particularly on technically complex areas such as resilience testing” and also “examine potential ways to strengthen cross-border regulatory and supervisory cooperation in relation to CTPs”.

Mackinnon said: “Managing the systemic risks posed by CTPs is a key area of focus for financial regulators around the world. Examples which highlight this include the EU’s Digital Operational Resilience Act proposals and the FSB’s ongoing work in this area. The UK authorities are developing an approach that seeks to advance our objectives, fits with our existing policy and works for the UK. However, we are mindful of the need for global coordination.”