Cyber risk is among the most prominent concerns facing the financial services industry today. In March 2017 the G20 finance ministers and central bank governors recognised that cyber risk could disrupt the financial system on a global scale, and high-profile events later that year, the WannaCry ransomware outbreak and the Equifax breach, underlined the point.
In response, authorities focused on how cybersecurity affects operational resilience. The Basel Committee on Banking Supervision established a working group on operational resilience in 2018 with the stated aim of “contributing, among other things, to the worldwide effort linked to cyber-risk management.”
In December 2019 the U.K. Financial Conduct Authority (FCA) opened a consultation on proposals to strengthen operational resilience in the U.K. financial sector. A few months later the COVID-19 pandemic put operational resilience under unprecedented stress, with cyber attacks on the financial sector reported to have risen by 238%.
On March 31, 2022, after a long period of consultation, feedback and drafting, the new FCA rules on operational resilience came into force. The timing matched the growing cyber threat, yet the rules attracted relatively little attention from industry commentators, which suggests that many firms may still be unprepared for the transition.
So what does the new regulation cover, and what steps can firms take to comply with it?
WHAT IS OPERATIONAL RESILIENCE
The Operational Resilience Framework applies to banks, building societies, investment firms, insurers, Electronic Money Institutions, Small Electronic Money Institutions, Payment Institutions, Small Payment Institutions, Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) in the United Kingdom.
Under the framework, firms had to complete several tasks by March 31, 2022: identify their “important business services,” set “impact tolerances for the maximum tolerable disruption to these services,” and perform “mapping and testing to a level of sophistication necessary to identify important business services, set impact tolerances, and identify any vulnerabilities in its operational resilience.” From that date they have three years, until March 31, 2025, to ensure that they can remain within their impact tolerances at all times. Firms applying for authorisation after March 31, 2022 should be ready to present an FCA Operational Resilience Framework Assessment.
To build a compliant framework and conduct a resilience assessment, you can follow the steps below, which break down the requirements of the FCA operational resilience framework.
STEP #1. Identify Key Business Services To Ensure Operational Resilience
Under the FCA criteria, regulated firms must identify the important business services within their business model. To do this, list all of your services and mark those whose disruption could cause intolerable harm to your clients or threaten the U.K. financial system as a whole.
To understand which levels of consumer harm you cannot accept, consider what would happen to your customers in the short term if the service were unavailable.
For instance, if you offer e-money services to customers who rely on your firm as their main payment provider, the harm is likely to be greater if their payment card stops working than if your currency exchange service is unavailable. Determine whether one customer group is more vulnerable than another and factor this into your assessment. Likewise, consider which service disruptions could threaten the soundness, stability or resilience of the U.K. financial system or the orderly operation of the financial markets.
STEP #2. Recognize How Business Services Can Fail
A business service fails when a consumer cannot access it or use it properly. To understand how a service can fail, list every process it relies on and the potential points of failure within each. Also identify the people, financial, information and technology resources the service needs in order to operate.
For instance, suppose you have determined that the business service of making payment transfers, such as GBP transfers through Faster Payments, would cause consumers unacceptable harm if it failed. This service can fail in several ways, some within your control and some not. You might lose access to the API of the payment service provider (PSP) that connects you to Faster Payments. If you offer payment services only through digital channels, customers may be unable to log in to their payment accounts to place an order. If your only channel is a smartphone application, that app (Android or iOS) is a single point of failure: when it is down, the service is down. If you also run a web app, the payment transfer service may remain available while the mobile app is out.
STEP #3. Set Impact Tolerance Level
Pinpoint the point at which a disruption to an important business service causes harm to customers that can no longer be tolerated or threatens the integrity of the U.K. financial sector. In other words, establish how long you can tolerate the service being unavailable.
For instance, a PSP that does not offer a payment card might conclude that harm to its clients becomes intolerable if its payment processing service is unavailable for more than six hours, whereas a non-bank PSP whose customers can still pay by card might set a tolerance of 24 hours for its money transfer service.
When deciding what constitutes intolerable harm, consider the number and type of customers affected (including vulnerable customers), their financial loss, the consequences for their daily lives, the data affected, and your own financial and reputational losses. The last point is critical if those losses could impair your ability to provide services or adversely affect the U.K. financial market.
STEP #4. Maintain A List of Measures To Prevent, Adapt To And Recover From Business Interruptions
Having considered the failure scenarios for each important business service, decide what measures to take to prevent each one from occurring, and what steps you would take to adapt to and recover from it if it did. Identify the people, financial, information and technology resources those measures require.
Check that your response and recovery scenarios match reality: only a firm that has prepared in advance can manage a service interruption successfully. In principle you could accept payment instructions over the phone if your money-transfer software were down. In practice, if you have not trained and equipped your staff to take payment instructions over the phone, they will not be able to do so when the interruption occurs.
Completing the FCA Operational Resilience Framework Assessment should show that your firm can remain within its impact tolerances at all times. If the FCA reviews your firm and the tolerance for your money transfer service is six hours, you must demonstrate how you will ensure that, in the event of an outage, customers are not affected for longer than six hours.
To that end, you or an appointed third party should test the scenarios, together with your prevention, adaptation and recovery measures. As the FCA Operational Resilience policy statement makes clear, resilience must be demonstrated in practice, not only on paper. Realistic simulations frequently reveal residual risks and resilience gaps that you can then address.
Note that you remain fully accountable for any third parties you use to deliver your services (such as an EMD Agent), and your operational resilience planning must take this into account. Depending on your relationship with these third parties, you may need them to carry out their own FCA Operational Resilience Framework Assessment or to be included in your firm's assessment.
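The mapping in Step 2, the impact tolerance in Step 3 and the scenario testing in Step 4 can be kept in a small, checkable model rather than only in a spreadsheet. The following Python is an added example written for this page; it is not code from the FCA, from COREDO or from any firm. The component names (psp_api, core_ledger, mobile_app, web_app), the dependency tree and the six-hour tolerance are constructed for illustration. The model is a simple AND/OR dependency tree: it finds single points of failure (a component whose failure alone takes the service down) and evaluates a failure scenario against the service's impact tolerance.

```python
from dataclasses import dataclass
from typing import Union

# Hypothetical dependency model for an "important business service" (IBS).
# Component names, trees and tolerances below are constructed for this
# example; they are not taken from the FCA rules or from any real firm.

Node = Union[str, "Group"]


@dataclass(frozen=True)
class Group:
    op: str          # "and": every child must work; "or": any one child suffices
    children: tuple  # child nodes: component names (str) or nested Groups


@dataclass(frozen=True)
class ImportantBusinessService:
    name: str
    dependencies: Node
    impact_tolerance_hours: float  # maximum tolerable disruption (Step 3)


def available(node: Node, failed: frozenset) -> bool:
    """True if the node still delivers, given the set of failed components."""
    if isinstance(node, str):
        return node not in failed
    results = [available(child, failed) for child in node.children]
    return all(results) if node.op == "and" else any(results)


def components(node: Node) -> set:
    """All leaf components referenced anywhere in the dependency tree."""
    if isinstance(node, str):
        return {node}
    found = set()
    for child in node.children:
        found |= components(child)
    return found


def single_points_of_failure(service: ImportantBusinessService) -> set:
    """Step 2: components whose failure on its own takes the service down."""
    tree = service.dependencies
    return {c for c in components(tree) if not available(tree, frozenset({c}))}


def assess_scenario(service: ImportantBusinessService, failed, outage_hours: float) -> dict:
    """Step 4: is the service down in this scenario, and does the outage
    length breach the impact tolerance set in Step 3?"""
    down = not available(service.dependencies, frozenset(failed))
    return {
        "service_down": down,
        "breaches_tolerance": down and outage_hours > service.impact_tolerance_hours,
    }


# Constructed example: GBP transfers via Faster Payments need the PSP's API and
# the core ledger, but customers can place orders through either channel.
FASTER_PAYMENTS = ImportantBusinessService(
    name="GBP transfers via Faster Payments",
    dependencies=Group("and", (
        "psp_api",
        "core_ledger",
        Group("or", ("mobile_app", "web_app")),
    )),
    impact_tolerance_hours=6,
)

# The same service for a firm whose only customer channel is a smartphone app.
MOBILE_ONLY = ImportantBusinessService(
    name="GBP transfers via Faster Payments (mobile-only firm)",
    dependencies=Group("and", ("psp_api", "core_ledger", "mobile_app")),
    impact_tolerance_hours=6,
)


if __name__ == "__main__":
    for svc in (FASTER_PAYMENTS, MOBILE_ONLY):
        print(svc.name, "-> single points of failure:",
              sorted(single_points_of_failure(svc)))
    # Three constructed scenarios against the two-channel firm.
    for failed, hours in (({"mobile_app"}, 8), ({"psp_api"}, 8), ({"psp_api"}, 4)):
        print(sorted(failed), f"{hours}h", assess_scenario(FASTER_PAYMENTS, failed, hours))
```

In this constructed model the mobile-only firm has its app as an additional single point of failure, which is exactly the Step 2 observation in the text; an eight-hour loss of the PSP API breaches the six-hour tolerance for both firms, while a four-hour loss does not. The same tree can be extended with people and third-party resources (an EMD Agent, a cloud region) so that the Step 4 test scenarios are evaluated against the same map the firm uses for its mapping exercise.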
STEP #5. Establish Communication Strategies
To limit the harm caused by a failure of an important business service, you need internal and external communication arrangements that can be put into action quickly and effectively. Be ready to contact the right parties through the right channels during an operational disruption, and keep a detailed escalation procedure and a call tree in place. The FCA also advises considering vulnerable consumers in advance and deciding whether you need specific communication approaches to meet their needs.
STEP #6. Develop A Procedure To Learn From Incidents And Improve Your FCA Operational Resilience Framework
Besides testing your framework, put a procedure in place so that, after an operational risk materialises, you review the framework, taking into account how well your firm was able to respond to the disruption, and update it accordingly.
STEP #7. Review The FCA Operational Resilience Framework Regularly
Review the operational resilience framework you have developed at least once a year to check whether anything was missed and to take account of changes to your business model: new services, new software or new third parties to whom you outsource specific tasks, substantial changes to an existing service, or changes to the characteristics of your clientele (for example, you may have onboarded more vulnerable customers during the past year).
How can COREDO help you?
If you need professional advice on developing your business and complying with regulatory requirements, we have consultants who can help. You can view the services we offer at https://coredo.eu.