FIA submitted comments on 5 October to the Bank of England, Prudential Regulation Authority and Financial Conduct Authority on their discussion paper about building the UK financial systems operational resilience.
Executive Summary
- FIA supports the key objectives of the proposals in the Discussion Paper, namely to promote business continuity and to maintain confidence within the financial sector in the event of a disruption to services. FIA submits this on behalf of its clearing members that are critical providers within the overall clearing ecosystem. Any consideration of operational resilience should consider the integrated nature of the service providers within the clearing market infrastructure.
- Business services should not be considered in isolation; for example, where an emphasis may be placed on FMIs to continue providing clearing services, they can only do so when clearing members are also able to provide their services as well and supporting infrastructure such as payments systems remain resilient. Where an institution may provide multiple business services, services that are important to maintaining a portion of the financial sector should be prioritised even if they are relatively small parts of a global financial institution; this is a concept highlighted by the PRA’s approach to Critical Economic Functions (CEFs).
- Operational resilience responsibilities should be principles-based and encourage private/public partnership to allow processes to evolve as changes occur within the financial sector; public/private coordination is important for information sharing regarding innovation, threats and hazards, and key to the development of playbooks that can be utilized by both regulators and industry participants in the event of disruption.
- FIA encourages the UK supervisory authorities to engage closely with the industry to understand existing practices, including where they differ across firms and industries within the financial sector to ensure that the operational resilience requirements remain principles-based and appropriately proportionate to the size and type of firm.
- Proportionality is key to ensuring appropriate systems, resources and procedures are implemented; there should not be a one-size-fits-all approach that becomes a high barrier to compliance. As such, impact tolerances should be set according to a firm’s assessment of its own business services in the context of the broader industry.
- Cyber security and cyber resilience should not be treated separately from broader operational resilience since technology is at the heart of most business services within today’s interconnected markets.
- Increased outsourcing of both technology and services allows firms to maintain operational efficiency yet presents challenges for firms to comply with strict operational resilience requirements; as such, requirements should focus on the governance and risk management of outsourced technology and services rather than imposing strict compliance requirements.
- Continued evolution of technology presents both opportunities and challenges, with risk management key to ensuring resilience without stifling innovation, both for new technology (for example “fintech”), as well as changes to existing technology; as such we support the idea of principles-based minimum standards for new entrants to establish themselves within a market without compromising its integrity or resilience.
- Governance around operational resilience should be harmonised across regulatory regimes to avoid the creation of conflicting requirements and regulatory firewalls within global financial institutions that provide multiple business services, not just in the UK but also internationally. Harmonisation should include the adoption of standard lexicons of operational resilience terms and common understanding of operational resilience principles across major jurisdictions.
