International regulatory alignment on operational resilience - making steady progress

At a glance

• There has been significant regulatory activity around financial services operational resilience in the first few months of 2021. The finalisation of the UK supervisory framework and the BCBS Principles on operational resilience have been the most noteworthy developments.
• We see a growing degree of convergence between key financial services regulators and standard setters in the approach they are taking to operational resilience. This convergence is most noticeable in the concepts and principles that are being adopted in new consultations and guidance that has been released.
  
• Not all regulatory fragmentation will be eliminated and important differences between jurisdictions will still remain. In our view, however, these differences are becoming more manageable and there are now fewer barriers for firms to take a global group-wide approach to their operational resilience that adjusts for jurisdictional requirements where necessary.

2021 has so far been an active year in the development of regulatory policy on operational resilience for financial services firms. At the end of March, the UK’s regulators finalised their supervisory approach to operational resilience that they first proposed on in 2018, and a few days later the Basel Committee on Banking Supervision (BCBS) published its finalised Principles for operational resilience for banks. In the EU, political negotiations on the Digital Operational Resilience Act (DORA) continue to proceed in both the European Parliament and European Council and several EU financial supervisors have clarified their plans and expectations of firms.

Last year, we published a report, Resilience without borders, arguing that regulatory approaches to operational resilience in key financial services jurisdictions were showing growing alignment in their principles and direction. This is all the more remarkable at a time when regulatory divergence, instead of convergence, is the trend in many other areas of financial services policy. Our view then was that this alignment represented an opportunity for cross-border financial services firms to take a more joined-up, group-level, approach to their work to improve their operational resilience over the coming years.

Having seen major regulatory proposals published or finalised in the UK, EU, US and other jurisdictions since then, we wanted to take another look at whether the regulatory convergence story in operational resilience still holds and what it means for firms.
 

Final BCBS Principles promise significant regulatory convergence to come

What is most notable in the various regulatory publications over the course of the last few months is the degree of convergence around a set of relatively common principles of operational resilience in financial services. At least for the moment, however, this trend is more visible in the banking sector than other parts of financial services.

The final BCBS Principles set out an approach for banking regulators to reflect in their national or jurisdictional rules. Firms will ultimately have to comply with the rules of the country they operate in, but the BCBS Principles set a direction that we expect many major financial jurisdictions to follow (and, as discussed below, some have already done so). In our analysis, the BCBS Principles align closely to the framework first developed by UK regulators in 2018. The key components of the final BCBS standards that share strong similarities with the UK approach include:

• Assuming that disruptions to critical operations will occur: pushing banks to assume that disruptions to their “critical operations” are inevitable, thereby focusing efforts on how banks can deliver those operations and services through a disruption. As discussed further below, this approach, like the one taken by UK authorities, focuses work on a prioritised set of functions, but UK authorities are asking firms to instead identify “important business services”.
• Mapping interdependencies: underlining the need for internal and external interconnections and interdependencies of critical operations to be clearly understood by a bank to allow for the identification of vulnerabilities.
• Setting tolerances: using the term “tolerance for disruption” alongside risk appetite as the point of reference banks should use to understand the necessary level of resilience that they must achieve through investment and remediation. This is the same concept as “impact tolerance” in the UK framework.
• A testing-led approach: encouraging banks to carry out exercises to test their ability to continue to deliver critical operations in a wide range of disruptive scenarios. Importantly, the language describing the ambition of the scenarios to be used in this testing, “severe but plausible”, is the same as that used in the UK framework.
• A central role for board oversight: the principles dictate that a bank’s board of directors should have to review and approve their operational resilience strategy, as well as reviewing the identification of critical operations and the formulation of the tolerances for disruption that are set. It also underlines the implementation of the operational resilience approach and reporting to the board as key responsibilities for a bank’s senior management.

The BCBS Principles are not perfectly aligned to the UK operational resilience framework, as it also includes sections on third party dependency risk and ICT and cyber security management that broaden the focus of the international-level standard. Although these topics are implicitly covered by the UK framework, they do represent areas where regulators in other jurisdictions (particularly the EU and the US) will have more explicit rules for financial sector firms to follow. We nevertheless see the alignment between the UK and BCBS on key operational resilience principles as something that promises growing degree of comparability between the UK approach and rules that will be adopted elsewhere.

Indeed, in the wake of the BCBS’s August 2020 consultation on the Principles it has just finalised, other regulators consulted on standards or issued guidance that were largely based on the BCBS approach. This includes the Sound Practices to Strengthen Operational Resilience issued by the US Federal Reserve and other federal agencies in October 2020, and the Consultation on Cross-Industry Guidance on Operational Resilience issued by the Central Bank of Ireland in April 2021. The US and Irish consultations both introduced operational resilience planning as an activity based on setting impact tolerances for critical or important functions and ensuring their resilience in “severe but plausible” scenarios. And as we have noted before, the Monetary Authority of Singapore’s 2019 Consultation on Revised Guidelines on Business Continuity Management also put forward an approach that is relatively well aligned to the UK framework. These publications being based around a very similar set of principles, ones that push firms to pursue similar resilience outcomes, show momentum behind the convergence of global regulatory work on operational resilience in financial services.

The EU’s Digital Operational Resilience Act takes a different approach

The EU’s DORA legislation approaches operational resilience from a different perspective than the UK does. The DORA places more emphasis on ICT risk management requirements and is more prescriptive about the processes, controls and procedures that firms will need to have in place in order to prevent disruptions and maintain operations when a disruption nevertheless occurs. The DORA also looks likely to institute some unique regulatory requirements for firms that outsource to ICT third party providers that will be designated as “critical”.

As we wrote in more detail last year, this is an important difference in emphasis between the EU and UK approaches, but it is not one that makes the two frameworks incompatible for a firm operating in both jurisdictions. The UK framework’s focus on maintaining important business services through an assumed disruption does not reduce the need for firms to still have strong ICT risk management controls in place.

It is also important to remember that the DORA is primary legislation and not a supervisory framework like the other approaches discussed here. When the DORA is finalised at the political level, it will fall to EU financial authorities to design their approach to supervising the implementation of the DORA’s ICT risk management and reporting requirements. It will be these supervisory decisions that will, to a large extent, determine just how compatible the two frameworks are for a cross-border firm.

With this in mind, the European Central Bank’s Single Supervisory Mechanism released a coordinated statement last year along with similar statements from the PRA and US Fed addressing supervisory cooperation on operational resilience. All three authorities recognised the shared interest between financial supervisors in this area and committed to closely coordinate with each other in how they carry out their work.

This shared interest goes beyond simply making compliance easier for cross-border-firms. A broadly common global approach supports a more operationally resilient financial sector where operational disruptions are less likely to become systemic risks and many regulators have been clear that this is a point they accept and are taking seriously.

Manageable differences between national frameworks will still remain

No amount of regulatory convergence will erase all differences between the rules and guidance in place in key financial services jurisdictions. Even between the BCBS Principles and the UK’s final framework, differences remain that have the potential to be more than just cosmetic. The identification of what is important in a firm, for instance, is one such area. The UK framework places great weight on its focus on “important business services” as services a firm delivers to external stakeholders, while the BCBS uses the term “critical operations” which is more in line with the terminology used in the US and in the EU’s DORA. In practice, this will likely mean that regulators in the UK will emphasise the harm to customers of operational disruptions while other jurisdictions might focus more narrowly on how a disruption could threaten financial and market stability. This could result in firms having a longer list of important business services identified for their UK operations than in other jurisdictions.

These differences are likely to persist and may well mean that firms need to identify and prioritise different functions in different geographies. This may end up being more costly or time consuming, but it does not detract from the logic of a globally joined-up approach in financial services groups. In finalising their framework, the UK authorities made a short statement on international regulatory alignment accepting this point of view and stating that “it is reasonable that different jurisdictions will have different views on what they consider critical or important. But as long as the principles are aligned … firms and their supervisors should be able to work effectively across borders.

”From our recent work in the sector, we have seen several global banks choose to adopt the UK approach to operational resilience on a group-wide basis. The advantage of this approach is that it will help them understand and improve the resilience of their important services or functions, irrespective of their location. Although they will need to adjust for specific regulatory requirements in each jurisdiction, this group-wide activity will likely play a key role in showing all of a firm’s supervisors that it has done the work necessary to meet many of their emerging expectations for operational resilience.

In our view, many if not most financial supervisors are likely to take a flexible approach to applying their operational resilience frameworks; one that gives firms enough autonomy to achieve the resilience outcomes that they expect to see in such a way that makes sense for their geographical structure. If this is the case, then some regulatory fragmentation does not necessarily need to become a significant driver of costs and complexity for firms.

What firms should take from recent regulatory developments

We continue to hold the view first set out in our Resilience without borders paper last year that cross-border financial services firms will do best when they adopt a consistent approach to operational resilience group-wide, and that differences between jurisdictional frameworks are not an insurmountable problem.

Reflecting on the developments seen since last year, the finalisation of policy, as well as the consultations, communications or guidance issued in jurisdictions that had previously not addressed operational resilience, we see even more momentum behind a widespread shift in mindset being made by regulators. This means that financial services firms are increasingly likely to be expected by their supervisors to show that they have thought about their operational resilience and developed a plan to identify and address its shortcomings.

All this has been happening as financial services firms continue to face operational strains from the COVID-19 pandemic. As we have said before, COVID-19 has focused the minds of regulators on the topic of operational resilience, but the relatively good functioning of the financial sector in the last year has not necessarily satisfied them that the industry’s resilience is already where it needs to be. In our experience, financial regulators are thinking about what they can do to prepare the sector for even more severe operational threats than COVID-19 has brought. Regulators putting in place global leading practice is likely to be a core part of the response.