The Time to Invest in Payments Operational Resilience is NOW!

Written by Karl Kiarie | 27 July 2020

Payments ecosystems are a distinctly critical business service. If disrupted, they could cause harm to consumers, threaten the viability of firms, and/or cause systemic instability in the financial system.

The ongoing COVID-19 pandemic has starkly exposed the need to assure the Operational Resilience of these services. It has increased the pressure on Business Continuity plans, which are being tested to their limits, as well as on the reputational and conduct risk profiles of payments services. In this environment, the impetus to rise to the challenge comes not only from Financial Services organisations but from regulators too. So, what does this mean for banks, and how should they prepare their operational resilience response?

 

Operational Resilience: Increased Regulator Focus

Operational Resilience was already showing signs of being the next big focus for regulators, in much the same way that Financial Resilience has been since the 2008 Credit Crunch. The regulatory focus is also shifting from implementing new regulations to ongoing supervision, with specific scrutiny of the resilience of firms’ business models to the changing risk environment.

The Bank of England, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) are closely monitoring recent events and “are actively reviewing the contingency plans of a wide range of firms. This includes firms’ assessments of operational risks, the ability of firms to continue to operate effectively and the steps firms are taking to serve and support their customers.”

What does this mean for banks? There is clearly an urgent and continuing need for individuals and businesses to operate in a state of “permanent readiness” to achieve Operational Resilience. It also means that going forward, banks will need to review their business models and ensure that Operational Resilience is front and centre of their strategy. In some cases, demonstrating a clear, robust and well thought out Operational Resilience framework may become a competitive advantage too. Aspects such as transparency on third party risk management in your value chain, operational and conduct risk frameworks and the increased digitization of financial products and services all play a part in this.

Both the FCA and PRA launched Consultation Papers on Operational Resilience and have extended the closure date for responses from 3rd April 2020 to 1st October 2020. This extended period will undoubtedly give firms more input for their consultation responses, drawn from lessons learned in applying Business Continuity and contingency plans during this crisis.

 

How to prepare an Operational Resilience Response that meets Regulators’ requirements

The proposals set out in the UK regulators’ consultation papers are wide-ranging and extensive, covering several areas of focus. While there is a lot of detail to consider, here are a few essential items to bear in mind for your payment operations:


1. Critical Business Services and Mapping
Conduct an assessment of your critical business services and map these accordingly. Focus on those services that, if disrupted, could cause harm to consumers or market integrity, threaten the viability of your firm and/or cause instability in the financial system. While doing so, take a strategic, systemic view and avoid the temptation to look at the resilience of individual systems and resources in silos. Remember that Operational Resilience is not just about Outsourcing and Third-Party Risk. Those are critical components, but consider your entire business model when assessing and mapping critical services.

2. Impact Tolerances and Testing
Set tolerances based on the maximum level of disruption the firm would accept. When setting impact tolerances, consider your ability to test and validate them using “severe but plausible” scenarios. The tests should focus on your ability to respond and recover, not on preventing the scenario from happening. The regulatory focus will also be on your firm’s ability to meet impact tolerances; therefore, a proportionate approach to setting tolerances is advisable.

3. Assessment and Remediation
An annual self-assessment will be required by regulators. The current proposed deadline for compliance is H2 2021, with remediation by H2 2024 where gaps against tolerances are found. It remains to be seen whether there will be any significant changes to these timelines, and indeed whether the final policies will be updated by the regulators as a result of the COVID-19 outbreak. In your remediation activities, take action to close tolerance gaps and remain within impact tolerances. While doing so, ensure that you take a practical and proportionate approach to remediation; the regulatory focus will be on the logic and pragmatism of the approach you have taken to mapping assets, services and dependencies as critical services.

4. Going Beyond Regulatory Compliance
It is tempting to look at Operational Resilience as another Business Continuity or Disaster Recovery exercise. However, thinking beyond regulations will be critical to maintaining a competitive advantage going forward. The areas of potential risk have now extended beyond the internal business processes that have been the traditional mainstay of response and recovery plans. Sources of risk are increasingly external to business operations. Consider, for example, that with the advent of increased remote working, the reliance on residential internet providers has added an indirect layer to the supply chain. Organisations now need to factor remote-working data link failures into their plans; this is a new world that it would be imprudent to ignore. Preparing for this new reality will be critical moving forward.

Operational Resilience and COVID-19

The effects of the COVID-19 pandemic may last for several months, possibly years. With the current spread of the virus in different countries, the impact will likely affect many businesses’ local and international operations at different times and in different ways. There is an indisputable clarion call to act now: engage with the subject of Operational Resilience, take advantage of the opportunity presented by the pandemic and test your business response and recovery plans. In the words of Theodore Roosevelt, “It is not often that a man can make opportunities for himself. But he can put himself in such shape that when or if the opportunities come, he is ready”.