US federal banking regulators joins the growing regulatory response to operational resilience

As we envisaged in our recent earlier blog post, the US Federal Reserve, Office of the Comptroller of the Currency, and FDIC have announced final guidance entitled Sound Practices to Strengthen Operational Resilience. The area has recently come under regulators’ lenses across the globe, once again, as they look to learn from the disruption caused by the pandemic. 

The guidance takes immediate effect. Given the proliferation of rules in this area, the federal regulators aim to draw on existing regulations, statements, and common industry standards and avoid imposing new requirements on firms. It is expected that the guidance will inform regulatory authorities’ expectations with respect to enforcement action related to operational disruption. 

In summary, the seven areas of focus in the guidance are:

1. governance – boards should continually assess tolerance for disruption and oversee the implementation of systems and controls that identify critical operations and permit the firm to maintain those operations within defined tolerances;
2. operational risk management – firms should identify and mitigate exposures to risk to ensure firms can remain within appropriate levels of disruption (including by using internal and external audits with expert input);
3. business continuity planning – firms should implement and continually assess business continuity plans to withstand disruption;
4. third-party risk management – firms should address risks arising from outsourcing and third-party relationships including with contractual, testing and audit rights;
5. scenario analysis – firms should conduct lessons learned exercises to exam the ability to respond to disruption in response to a range of “severe but plausible” risks;
6. cyber security – firms should focus closely on cybersecurity, with the guidance paying special attention to this area.  The guidance offers cybersecurity-specific measures based on several sources including the Federal Financial Institution Examination Council (FFIEC)’s Cybersecurity Assessment Tool; and
7. surveillance and reporting – firms should implement systems to anticipate and detect “anomalous activity that could lead to a disruption” and address these developing sources of risks.  

Risks of fragmentation

The guidance sits alongside expected reforms that are subject to ongoing consultation and implementation in Europe and the UK. Taken together, the proliferation of guidelines and requirements represents a major compliance exercise – and poses a greater risk of regulatory intervention should affected firms experience disruption.

Due to the variety of standards that are now materializing concurrently, there is a risk of global fragmentation of operations and risk management frameworks, as well as uncoordinated and inconsistent regulatory interventions/recommendations.

There are, however, some reassuring signs of cross-border coordination by regulatory agencies in Europe, the UK, and the US. The Financial Stability Board (FSB) recently released a discussion paper accompanied by a consultation calling for views on cross-border management of outsourcing and other third-party relationships. Further, the European Central Bank and the Prudential Regulation Authority have recently released almost identically-worded statements recognizing “the global and interconnected nature of banks and the importance of supervisory coordination,” as well committing to working with US regulators “to ensure that supervisory approaches on operational resilience are well coordinated”. Nonetheless, efforts of coordination seem to be at an early stage and will not cover all jurisdictions where risks may arise. Moreover, a degree of divergence among regulators is inevitable, since different priorities and approaches will apply according to national requirements.

Addressing the risks

To respond to developments, firms should draw on the consistent expectations that are emerging across the international regulators’ proposals. Regulators consistently expect firms to:

• identify impact tolerances for critical/important business services;
• conduct preparation exercises to ensure operations remain within defined impact tolerances if there is disruption;
• adopt proportionate measures that allocate sufficient resources to the most significant risks based on the firms’ risk appetite;
• ensure senior management responsibility for operational resilience;
• exercise sufficient control over outsourcing and third-party relationships;
• prepare business continuity plans and stressed and planned exit plans to tackle disruption associated with reliance on outsourced services; and
• review and continue to test approaches to ensure impact tolerances remain informed of developments.

The following pointers may be useful to note when assessing how to implement these expectations in practice:

• Revaluate – return to previous control frameworks to reflect recent developments and, where feasible, aim to implement a single framework and approach across the group that includes necessary enhancements.
• Third-party focus – renew attention to third party service providers, as regulators are suggesting a broader range of outsourcing relationships will be subject to regulatory oversight. Material relationships should be subject to audits and contractual safeguards that are tested and overseen in accordance with regulatory expectations.
• Monitor – with multiple regulatory bodies engaging the importance of operational resilience, it will be important to remain watchful for new guidance and regulations in this area. 2021 is set to be the year where we begin to see the implementation of the guidance developed over the past few years.  The regulators are keen to be seen to be acting in response to the pandemic and increasing cyber-risk.
• Ongoing review – set and comply with clear timescales for reviewing frameworks used to maintain adequate operational resilience.
• Governance – senior management cannot be mere passive reviewers of guidance offered by teams overseeing operations; they need to ensure their understanding of critical services can respond to evolving risks and that the appropriate risk appetite for disruption is systematically applied across the firm.
• Culture – implement the regulators’ expectations on ensuring firms embed the principles of safety and soundness in the culture of the whole organisation. By setting a culture of compliance, a firm can more readily implement frameworks across the organisation and exhibit to regulators that the firm is fully engaging with developing requirements.