As technology advances, the capacity for damaging operational failures increases, particularly as banks look to upgrade their legacy systems by migrating to new network infrastructure. Changing business models and increased outsourcing have also amplified the dependence of participants on others, giving rise to concentrations of risk and cyber security challenges.
Operational resilience in the financial services sector is now a priority for the supervisory authorities and is viewed as no less important than financial resilience. As well as the ability to prevent disruption, operational resilience refers to the ability to respond to, recover from and learn from operational disruption. When system disruption occurs, it affects not just customers but overall confidence in the financial system. One of the most high-profile examples was TSB's disastrous move of its customer accounts from Lloyds to a new banking platform, but there have been many others, including the service disruption of Visa Europe's authorisation system (VEAS) in June last year.
Building Operational Resilience
In July 2018 the Bank of England, PRA and FCA jointly issued a Discussion Paper ("Building the UK financial sector's operational resilience") which focused on the operational resilience of the financial system and the firms and financial market infrastructures (FMIs) within it. The purpose of the paper was to engage with the financial services industry and to share the supervisory authorities' thinking on how operational resilience in the sector could be enhanced. Responses to the paper will be used by the supervisory authorities to inform current supervisory activity and future policy making. The paper notes that "a resilient system is one that can absorb shocks rather than contribute to them" and managing operational resilience is seen as a key issue on which boards and senior management need to focus. The importance of concentrating on the continuity of business services, rather than on systems and processes, is seen as an essential component of operational resilience.
In November 2018 the Treasury Select Committee launched an inquiry to consider whether there should be more regulation in the financial services sector with the aim of improving operational resilience and protecting customers. As part of its inquiry the Committee sought information from various parties including Barclays, Cashplus, RBS and Visa following failures suffered by their IT systems. The deadline for submissions to the inquiry was 18 January 2019 and its conclusions are awaited.
The importance of operational resilience was also emphasised by the Bank of England in its supervision of financial market infrastructures annual report (14 February 2019). In particular, the report noted that a number of significant changes have been under way since 2018 to renew the infrastructure supporting payments in the UK. These changes are viewed as giving rise to both opportunities and risks: they provide an opportunity to ensure that the infrastructure supporting payments is able to remain robust, resilient and secure in a fast-changing environment, but they could also create risk if the programme of change is not well managed. The report stresses the importance of the payment system operator ensuring a robust approach to the migration to new infrastructure that minimises the risk of discontinuity or degradation in service.
In our increasingly connected world operational resilience is just as important as financial resilience, so the importance of market participants having robust IT infrastructure in place should not be underestimated. Quite apart from the significant financial and reputational fall-out that arises from systems failures, it is clear that there will be increased regulatory oversight and expectations, with sanctions and penalties resulting where system failures occur.
Although the outcomes of the various consultations and discussion papers are awaited, the focus of the Regulators is already reasonably clear. In considering operational resilience planning and procedures businesses would therefore be wise to bear in mind the importance of the following: