Operational Resilience – 7 steps to success and a helpful guide
Operational resilience is fast becoming a cornerstone of FCA compliance. In March 2021 the FCA published their rules and final guidance on operational resilience, which are requirements applying to Banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, Enhanced scope Senior Managers and Certification Regime firms, and entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011.
The rules came into force on 31 March 2022. By this point firms needed to have:
Identified the important business services that, if disrupted, could cause intolerable harm to consumers of your firm, pose a risk to market integrity, threaten the viability of firms, or cause instability in the financial system.
Set impact tolerances for the maximum tolerable disruption to these services.
Carried out mapping and testing to a level of sophistication necessary to identify important business services, set impact tolerances and identify any vulnerabilities in your operational resilience.
Conducted lessons learnt exercises to identify, prioritise, and invest in your ability to respond and recover from disruptions as effectively as possible.
Developed internal and external communications plans for when important business services are disrupted.
Prepared self-assessment documentation.
A second deadline of March 2025 must be met. By this time firms must have:
Performed mapping and testing so that you can remain within impact tolerances for each important business service.
Made the necessary investments to enable you to operate consistently within your impact tolerance.
To assist we have now launched a roadmap document as well as a detailed guidance note, designed to help you meet the above requirements: Operational Resilience Resources | RB Compliance Consultancy
However, in the meantime it’s worth reflecting on the action the FCA is already taking in respect of failures to meet the requirements. One example is TSB, which attempted to migrate its IT services; due to several errors in the process, the migration failed. As a result, customers were unable to access their accounts, which had knock-on effects, and many customers were unable to make payments. The FCA has now fined TSB £29.75 million. You can see the full enforcement notice here: Final Notice 2022: TSB Bank plc (fca.org.uk).
More recently, the PRA has also taken action against Mr Carlos Abarca, the former Chief Information Officer of TSB, over the operational resilience failure stemming from the failed migration. The PRA said:
The Prudential Regulation Authority (PRA) has fined Mr Carlos Abarca, the former Chief Information Officer (CIO) of TSB Bank plc (TSB), £81,620 for breaching PRA Senior Manager Conduct Rule 2 as he failed to take reasonable steps to ensure that TSB adequately managed and supervised appropriately its outsourcing arrangement in relation to its 2018 IT migration programme.
This follows on closely from the enforcement action taken in December 2022 against TSB for operational resilience failings, which resulted in a joint financial penalty of £48,650,000 imposed by the PRA and Financial Conduct Authority (FCA).
As CIO of TSB, Mr Abarca had responsibility for TSB complying with the PRA’s outsourcing rules. In particular, he was responsible for TSB’s key outsourcing relationship with its main third-party supplier for the IT migration programme. As part of this, he gave assurance to the TSB Board that the third party, as key supplier, was prepared for migration. However, he failed to ensure that TSB had itself obtained sufficient assurance from the third party before doing so.
Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, said:
“Senior managers have an essential role to play in ensuring that firms manage and supervise outsourcing effectively. In this case, the PRA has fined Mr Abarca because his management of a key outsourcing relationship fell below the standard we expect.”
Further information
In April 2018, TSB updated its IT systems and migrated the data for its corporate and customer services onto a new IT platform. While the data itself migrated successfully, the platform immediately experienced technical failures. This resulted in significant disruption to the continuity of TSB’s banking services, including branch, telephone, online and mobile banking.
All of TSB’s branches and a significant proportion of its 5.2 million customers were affected by the initial issues. Some customers continued to be affected by some issues and it took until December 2018 for TSB to return to business-as-usual. TSB has paid £32.7m in redress to customers who suffered detriment.
The PRA’s investigation found that Mr Abarca breached the PRA’s Senior Manager Conduct Rule 2 because he failed to take reasonable steps to ensure that TSB complied with the PRA Outsourcing Rules. In particular, Mr Abarca did not:
ensure that the third party’s ability and capacity were adequately reassessed on an ongoing basis;
ensure that TSB obtained sufficient assurance from the third party in relation to its readiness to operate the new IT platform; and
give sufficient consideration to whether further investigation was required before giving assurance to the TSB Board as to the third party’s readiness for migration.
Mr Abarca’s Senior Manager Conduct Rule 2 failing undermined TSB’s operational resilience and contributed to the significant disruption TSB experienced.
Mr Abarca agreed to resolve this matter with the PRA, and therefore qualified for a 30% reduction in the overall fine imposed by the PRA. Without this discount, the financial penalty would have been £116,600.
With the above in mind, it’s certainly important to ensure you’re on the right track with your operational resilience. Our helpful guide goes into more detail on each of the key areas and includes useful hints and tips on how to implement a framework and keep it firmly on the radar amid the plethora of day-to-day pressures businesses currently face. Our guide can be found here: Operational Resilience Resources | RB Compliance Consultancy