The global Pandemic put to the test operational resilience plans that had been developed to deal with non-viral disasters, both natural (earthquakes, fire and flood) and unnatural (chiefly terrorist attacks). It quickly exposed the continuing reliance of many financial market institutions and infrastructures on face-to-face exchanges and on manual processing, surveillance and authorisation procedures.
Employees struggled to access internal systems, private networks and data sources essential to business continuity. Secure laptops and bandwidth, even cameras for Zoom calls, were not available in sufficient quantities. Workarounds (such as WhatsApp instead of Bloomberg Chat) exposed confidential data and created opportunities for both illicit trading and financial crime.
The Pandemic also exposed the near-uselessness of that longstanding icon of disaster recovery and business continuity planning: the live or near-live physical back-up site. In fact, the Pandemic eventually proved that remote working, by replacing centralised back-up facilities with multiple, decentralised business continuity centres, could actually enhance operational resilience.
Unsurprisingly, digitisation of data and digitalisation of processes suddenly became an overwhelmingly important business priority. In fact, it is now a consulting cliché to argue that the Pandemic accelerated the digitisation of data and the digitalisation of business processes – especially, though not exclusively, in customer-facing functions – by years.
Regulation is now catching up, but not because it was behind. Even before the Pandemic took hold, regulators in all the major financial centres were drawing up plans to ensure that the operational resilience plans of financial institutions were adapted to digitisation and digitalisation. The growing impact of digital challengers on retail financial services had become a particular source of concern.
Consumer protection is one of the two principal raisons d’être of every regulator. With retail banking increasingly digital rather than analogue, both theory and experience (such as the TSB platform migration debacle of 2018) had taught regulators that operational failures could cut consumers and businesses off from services as vital as paying for food and energy and meeting payroll.
The European Banking Authority (EBA) issued guidelines on operational resilience for firms taking advantage of Open Banking opportunities under the Payment Services Directive 2 (PSD2) as early as December 2017. In the United Kingdom, the Financial Conduct Authority (FCA) published the Building the UK Financial Sector’s Operational Resilience discussion paper in July 2018 (DP 18/04).
The FCA follow-up to that discussion paper, Building operational resilience: impact tolerances for important business services and feedback to DP18/04, was published in December 2019. Likewise, the Australian Securities and Investments Commission (ASIC) published its consultation paper, Market Integrity Rules for Technological and Operational Resilience, six months earlier in June 2019.
All this work was published before Covid-19 sparked the first lockdowns in the Spring of 2020. Initially, the Pandemic slowed the work down, as regulators gave regulated firms time to adapt to the emergency. But regulators did not wait long to resume the pressure once the first wave of the global Pandemic had passed.
The European Insurance and Occupational Pensions Authority (EIOPA) published its final Guidelines on outsourcing to cloud service providers for insurance and reinsurance companies in July 2020, when Covid-19 was at its height. The document laid down principles for identifying critical activities, and for governing and contracting them, that are now familiar in all operational resilience policymaking.
The European Commission first published its proposal for a Digital Operational Resilience Act (DORA) in September 2020. In the United States, the Federal Reserve, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) issued an inter-agency paper on Sound Practices to Strengthen Operational Resilience in October 2020.
The FCA published its final rules for operational resilience, Building operational resilience: Feedback to CP19/32 and final rules (PS 21/3) in March 2021. The Hong Kong Monetary Authority (HKMA) published a consultation paper on operational resilience in December 2021 and the Monetary Authority of Singapore (MAS) issued Guidelines on Business Continuity Management in June 2022.
So operational resilience has emerged from the Pandemic as a continuing, if somewhat altered, global regulatory priority. It is also one in which local priorities, objectives and timetables vary. This is bound to complicate compliance for global financial institutions, while putting them on a rolling implementation and enforcement schedule around the world that will last into at least 2025.
That implies costs to comply, in legal and consulting fees, technology investments and (under the Basel III capital adequacy regime) capital allocations. Since the Basel III capital adequacy regime came into force in 2014, the risk-weighted capital allocated by the three major stand-alone global custodian banks to operational risk has averaged a quarter to a third of total risk-weighted capital (see Chart).
At mid-2022 the risk-weighted capital allocated to operational risk by the three banks totalled US$129 billion. For global institutions, the already heavy costs of mitigating operational risk are increased by the lack of consistency between operational due diligence requirements in different jurisdictions. So operational resilience is a material challenge for an industry already under margin pressure.
In confronting it, regulated financial institutions have choices. Intelligent resistance is one. It can be argued that overly detailed, voluminous or prescriptive regulation not only over-burdens firms but crowds out private initiative and experiment in enhancing operational resilience, reducing the subject to a box-ticking compliance exercise, or even to a deliberate policy of cunctation.
Regulators are aware of this risk. Charles Randell, the then-chairman of the FCA, told the Treasury Committee of the House of Commons in 2019 that, “as a regulator, we need to have a level of intervention that ensures the management of a firm does not sit there saying, ‘This is such a nightmare; I will leave it to the next lot.’”
Regulators do not have an unblemished record of success in their chief areas of responsibility – investor protection and financial stability – either. Nor have they yet made the threat of enforcement palpable. In the United Kingdom, for example, the first Chief Operations Officer (COO) to be sanctioned under the Senior Managers Regime for failings in operational resilience still awaits anointment.
It is questionable whether regulated firms are yet collecting the data on operational incidents that regulators need to identify serious failings in operational resilience. It is doubtful if regulators could aggregate and analyse it successfully even if they were. The alternative – naming and shaming firms judged to fall short – is fraught with risk, including sparking a bank run.
So regulated firms are not in a hopeless position to renegotiate the burden of operational resilience. Indeed, it presents an opportunity to restore a collaborative spirit with regulators, which has been absent since the re-regulation of the financial services industry began in 2009. After all, operational risk has changed considerably since regulators first identified it 15-20 years ago.
It was then called business continuity planning (disaster recovery was a sub-discipline); financial market infrastructures were being built; outsourcing and offshoring by financial services firms had just begun to take off; and the Cloud featured more on PowerPoint presentations than in reality. Financial institutions still tended to run their own data centres and build their own applications.
Today, outsourcing is universal. It has spawned a string of new operational risks, including the concentration of business with three major suppliers; loss of tacit operational knowledge and experience within firms; and lack of meaningful exit strategies from outsourcing relationships. Outsourcing and sub-outsourcing are now major sources of operational incidents.
In recognition of this, the International Organisation of Securities Commissions (IOSCO) updated its 2005 and 2009 principles on outsourcing in October 2021, reaffirming their emphasis on due diligence on service providers; the materiality of services; procedures and controls; data protection; risk management; regulatory risk reporting; and exit strategies for contracts.
But even the updated IOSCO principles are not much use in managing the operational risks created by the ever-increasing use of Cloud services, in which financial institutions share networks, storage and applications. While the Cloud might reduce the number of operational incidents, the effects of those that do occur are multiplied by the number of dependent users and the associated interdependencies.
Cloud is booming because it enables firms to cut capital and operating costs, scale services rapidly, improve accessibility and adopt new technologies – notably, artificial intelligence (AI) and machine learning (ML) – more quickly. Yet more than half of Cloud infrastructure is controlled by just three companies: AWS (34 per cent market share), Microsoft Azure (21 per cent) and Google (10 per cent).
Regulatory pressure to enhance operational resilience will not leave the Cloud providers untouched. They are already advertising their ability to help their customers comply, but the comfortable world in which they run the Cloud and their customers (and the customers of their customers) take responsibility for anything that goes wrong may not be sustainable.
An obvious step for regulators is to regulate the Cloud providers directly as a separate source of operational risk. The Cloud infrastructure providers could help to avert that possibility by measuring whether Cloud users outperformed non-Cloud users operationally in the Pandemic. They could also develop operational resilience principles of their own, if their margins could bear it.
Another target of the regulators is the nascent infrastructure of the digital payments and asset markets. Unlike conventional market infrastructures, which have since 2012 complied with the Principles for Financial Market Infrastructures (PFMIs) of IOSCO and the Committee on Payments and Market Infrastructures (CPMI), digital infrastructure has developed outside the regulatory perimeter.
True, digital asset payment systems, exchanges and custodians are now seeking regulatory licences but the regulatory status of intermediaries in the cryptocurrency and tokenised asset markets remains self-selecting and fragmented. And operational risk (especially poor controls) has led repeatedly to service outages and failures, high transaction costs and even losses of customer funds.
Despite such primitive shortcomings, the future of operational resilience may well lie with blockchain technology and tokenisation. The Bitcoin network itself has yet to be hacked (the losses of customer funds noted above occurred at the exchanges and custodians built on top of it, not in the protocol), suggesting the core technology is cyber-secure. Even diehard opponents of blockchain are familiar with the greater robustness of decentralised networks, with no single point of failure and widely distributed copies of crucial data.
And data, of course, is both the objective and the motor of the current drive towards digitisation and digitalisation throughout the financial services industry. Digital data is the source of innovation – most obviously in Open Banking – as well as efficiency, but it is also a new source of operational risk in conventional financial systems.
Ultimately, the most effective mitigant of operational risk is for the industry to move on to a new operating model. In the alternative model that is gaining most traction, assets and cash are no longer exchanged repeatedly along extended chains of inter-dependent intermediaries but moved between nodes on a blockchain-based network. Adopting it could be the cheapest form of compliance ever.
Register below for the panel discussion on 17 November.
The panel discussion topics to be covered are:
- How do operational resilience requirements vary between the major financial centres?
- Which sectors represent the biggest operational resilience risk?
- What are the operational resilience lessons of the Pandemic?
- Are there too many fragmented and conflicting operational resilience requirements?
- Are regulators making the problem worse?
- How are operational resilience obligations being enforced?
- Is there enough collaboration between regulated firms and between regulated firms and the regulators?
- Has outsourcing risk changed its nature?
- Is the Cloud a new form of outsourced operational risk that needs regulation directly?
- How important are cyber-attacks in testing operational resilience?
- How engaged are senior managements with operational resilience?
- How much do financial market infrastructures matter as a source of operational risk?
- To what extent is technology (as technology) an operational risk?
- How well managed is the risk posed by data?
- What is operational risk compliance costing in terms of both capital and operating costs?
- Could many of the problems of operational resilience be solved by switching to a new operating model?
For more information contact Wendy Gallagher on firstname.lastname@example.org