Regulators tackle operational resilience in the UK
To mitigate the risk of major operational failures affecting the day-to-day lives of millions of financial services customers, U.K. regulators issued new rules on operational resilience that came into force in March 2022. In this article, Rick Borges looks at the requirements and the impact they will have on firms’ cyber resilience and use of third-party providers.


Last April, the former Chief Information Officer of a British bank was fined £81,000 (approximately US$100,000) by a U.K. financial services regulator. The Prudential Regulation Authority (PRA) penalized the official for failing to take reasonable steps to manage a key outsourcing relationship and to avoid an April 2018 IT meltdown that left almost two million of the bank’s customers unable to access accounts and banking services for days and, in some cases, months. This followed a fine of £48.65m (approx. US$61.3m) for operational resilience failings imposed on the same bank by the regulators in December 2022.

The Financial Conduct Authority (FCA) and the PRA fined the firm for operational risk management and governance failures, including management of outsourcing risks, relating to the bank’s IT upgrade program. The migration of financial records and live accounts from one system to another, which was supposed to last a weekend, left millions of customers locked out of their accounts and unable to make transactions for weeks. The bank only returned to business as usual in December 2018. The PRA stated that, “it expects firms to manage their operational resilience as well as their financial resilience. The disruption to continuity of service experienced by [this bank] during its IT migration fell below the standard we expect banks to meet.”

To mitigate the risk of other incidents like this affecting the day-to-day lives of millions of financial services customers, U.K. regulators issued new rules on operational resilience that came into force in March 2022. They describe operational resilience as “the ability of firms, and the financial sector as a whole, to absorb and adapt to shocks and disruptions, rather than contribute to them”. They explain that it extends beyond business continuity and disaster recovery. Financial firms and financial market infrastructure providers (FMIs) must have robust plans in place to deliver essential services, no matter what the cause of the disruption. This includes human-caused threats such as physical and cyberattacks, IT system outages, and third-party supplier failure. It also includes natural hazards such as fire, flood, severe weather, and pandemic.

By March 2022, banks, building societies, insurers, and other relevant firms had to:

a) Identify and prioritize important business services, i.e., services that, if disrupted, would impact regulatory objectives, including financial stability and the public interest in the U.K.

b) Set impact tolerances by stating to what extent they would be able to continue important business services following severe but plausible disruptions.

c) Map important business services and test their capacity to continue them to the agreed extent. Vulnerabilities in their operational resilience should have been identified.

After the initial deadline, firms have until March 2025 to perform mapping and testing so that they are able to remain within their impact tolerances for each important business service. It is also expected that they will have made the necessary investments in their operational resilience.

Cyber resilience

As described above, the scope of operational resilience is wide. It covers a threat that every organization is having to mitigate or deal with at the moment – cyberattacks.

We often hear of cyber attackers using spam and phishing campaigns to steal sensitive data such as account logins, bank account details, and credit card information. Attacks are becoming more sophisticated and harder to spot, heightening cybersecurity risks. The new regulatory requirements include cyber resilience, and the regulator has developed a number of cyber assessment tools to help firms test their defenses. One example is CBEST, which uses a simulated cyberattack so that a firm can explore how its cybersecurity controls, and the people, processes, and technology behind them, would be disrupted by an attack.

Third-party providers

The increasing role critical third-party providers, including cloud service providers, play in the financial services sector is also under the regulators’ scrutiny. The reliance of firms and FMIs on a small number of providers concentrates operational risks and creates single points of failure in the system. Critical third-party services could affect financial stability and cause harm to consumers if they fail or are disrupted.

In this context of potential systemic risks, the Bank of England, PRA, and FCA have consulted on potential measures to oversee these providers, including minimum resilience standards which would apply to services provided to firms and FMIs and a framework for testing the resilience of material services using a range of tools such as scenario testing, cyber resilience testing, and skilled persons reviews of critical third parties. A Third Party Survey to assist analysis into the costs and benefits of a potential critical third-party regime in the U.K. was conducted by the regulators recently. The next steps will be known in due course.

Like the Consumer Duty discussed in my previous article, these new operational resilience rules are a significant development in financial services regulation in the U.K. Regulators, focusing more on outcomes, want firms to pay more attention to operational risks and their potential impact on customers and markets, so that the issues and disruption that led to the multi-million pound fine described above do not recur. Good governance, effective risk management, and proper oversight of outsourced services can ensure the ongoing availability of financial services, which is essential for a well-functioning economy and society.


Rick Borges writes on regulation and related topics in financial services. With his extensive experience spanning the financial services and health care sectors, he acted as an advisor on professional standards and regulation to organizations in the U.K. and internationally.
