Resilience – now a key strategic focus for the FCA

Although operational resilience was addressed as “cross-cutting work’ in the Plan, resilience (operational and financial) is likely to assume far greater importance for firms over coming months. 

Stated FCA priorities

In April’s Business Plan, the FCA focused its regulatory activity over the next 1 to 3 years on four broad external strategic priorities, with a fifth relating to the way in which it works:

• Making payments safe and accessible (e.g. consumers transacting safely with payment firms (increased focus on firms’ systems and controls and data protection); payment firms meeting their regulatory responsibilities while competing on quality and value (Open Banking is expected to foster competition); and consumers and SMEs have access to a variety of payments services (including cash)).
• Delivering fair value in a digital age (e.g. products that meet consumers’ needs, at a suitable quality and price; digital innovation and competition supporting greater value for consumers; and vulnerable consumers are not exploited or targeted with poor value products and services and access to key products and services is fair (with firms expected to have robust policies on fair value for vulnerable consumers, and not target them with poor value products and services)).
• Enabling effective investment consumer decisions (e.g. appropriate investment products; consumers able to make effective decisions about their investments; and firms and individuals operating under high regulatory standards and acting in consumers’ interests).
• Ensuring consumer credit markets work well (e.g. consumers finding products that meet their needs; not becoming over-indebted by credit they cannot afford).

Since then, Megan Butler has summarised the 5 key drivers of the FCA response to coronavirus as ensuring:

• there is a good level of operational resilience;
• financial resilience so that firms can fail in an orderly manner;
• markets can function enabling price formation and orderly trading activity;
• customers are treated fairly; and
• customers are aware of the risk of, and protected from, scams.

Looking beyond the pandemic – FCA priorities in coming months

Drawing from Megan Butler’s speech, the Business Plan and how the virus has effected the delivery of financial services, resilience – operational and financial – is likely to predominate the regulatory agenda over coming months:

Operational resilience

The context

The importance of resilience across the economy has, of course, come into stark relief. In the context of financial services, operational resilience is taken by the regulators to refer to the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover, and learn from operational disruptions. 

The FCA announced early on in the crisis that it expected “all firms to have contingency plans in place to deal with major events”, and with the PRA, it is currently reviewing the contingency plans of a wide range of firms.  However, even before the virus, the FCA was ramping up regulation around operational resilience and, in December 2019, published  proposals (jointly with the PRA) that would significantly extend current business continuity requirements on firms to have contingency plans to deal with major events. Megan Butler described these proposals as now more relevant than ever. 

 Many factors in recent years have led to the current regulatory focus on operational resilience:

• increased reliance on IT generally and digital delivery channels, even more so since the pandemic;
• high profile issues with IT upgrades such as TSB’s hugely disruptive problems encountered in 2018 when a new IT system tried to migrate data;
• increased reliance on outsourcing in particular to the cloud; 
• increased incidence and sophistication of cyber attacks and hacking; and
• increased interconnectivity of firms, and hence exposure to risk, arising from APIs such as those developed to facilitate PSD2 and open banking.

Proposals

In response to these risks, the operational resilience consultation paper (CP19/32) (response extended to 1 October 2020) sets out proposals for firms to:

• identify, at least annually, their important business services that if disrupted could cause harm to consumers or market integrity;
  • while the FCA sets out relevant factors, it would be up to firms to make their own assessments as to their important business services;
• identify and document the people, processes, technology, facilities and information that support a firm’s important business services (mapping);
• set impact tolerances for each important business service
  • an “impact tolerance” is defined as “the maximum tolerable level of disruption to an important business service, as measured by a length of time and other relevant metrics, reflecting the point at which any further disruption to the important business service could pose intolerable harm to any one or more of the firm’s clients or intolerable risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets” (with reference to factors such as number of clients impacted, potential financial loss, loss of data / functionality, and reputational damage etc);
  • a firm must ensure that it can remain within its impact tolerance for each important business service in the event of a severe but plausible disruption to its operations;
• scenario test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios;
• conduct lessons learned exercises to identify, prioritise and invest in their ability to respond and recover from disruptions as effectively as possible;
• develop internal and external communications plans for when important business services are disrupted; and
• create a self-assessment document of its compliance with the requirements.

The requirements apply regardless of any outsourcing arrangements or use of third parties.

Clearly, there is an important governance element to the proposals so board reporting and management information is aligned. The FCA provides that where firms do not have an individual performing the SMF24 Chief Operations Function under the SMCR, it will be for the firm to determine the most appropriate individual within the firm who is accountable for operational resilience.

The PRA in its accompanying CP29/19 considers the relationship of the proposals with business continuity planning requirements and states that, while closely linked, operational resilience policy focuses on a firm’s ability to deliver its important business services rather than single points of failure.

Importantly, the regulators allow that a firm’s processes and systems to enable compliance may be proportionate to the nature, scale and complexity of the firm’s activities.

Scope

Up to now, regulation related to operational resilience has derived from the general business continuity rules in SYSC; prescriptive Operational Continuity in Resolution rules to protect the continued provision of ‘critical functions’ by certain larger banks, building societies and investment firms; and a recent emboldening of the provisions on outsourcing. The new rules would apply to:

• circa 1,050 banks, building societies, PRA designated investment firms, Solvency II firms, Recognised Investment Exchanges and Enhanced scope Senior Managers & Certification Regime (SMCR) firms; and
• circa 1,100 Payment Institutions, Registered Account Information Service Providers and Electronic Money Institutions.

Given the virus and increasing cyber threats, few would dispute the need for maintaining a focus around continuity and resilience. However, the scope of the new proposals does raise questions. Core and Limited scope SMCR firms, the vast majority of FCA firms, would be excluded from the new requirements, while they would be applied to (often small) payments firms, albeit subject to considerations of proportionality. The FCA’s explanation is that “even small payments firms can be highly impactful in terms of harm arising from operational disruptions as disruptions can quickly lead to consumers not having access to their money. Smaller payments firms are also more likely to be technology dependent in comparison to smaller FSMA-authorised firms”. The regulators will need to consider whether this is sufficient justification for onerous requirements that could have a potentially negative impact on one of the most dynamic sectors of UK financial services.

Risks related to home working

One of the most astonishing features of the response to the lockdown has been the ability of financial services firms to adapt immediately to working from home. In this context, the FCA stated that it is happy for firms able to meet its regulatory standards to undertake activities from backup sites and/or with staff working from home. The trend to increased working from home, which started before the pandemic, is likely to continue. However, some particular regulatory challenges related to operational resilience can arise from home working, for example:

• the efficacy of compliance monitoring given the lack of control over the work environment e.g. unsupervised use of home phone lines and encrypted message apps; 
• IT resilience and cyber security – the need to ensure business continuation as well as protect IT with firewalls etc; and 
• general data protection issues and the physical security of hardware in homes.

Notably, the Information Commissioner’s Office said that it would continue to hold firms to its usual standards for data security notwithstanding the extraordinary circumstances. The FCA will expect firms to be managing any increased risk that arises from home working.

Role for analogue in a digital world?

More broadly, the response to the virus has further entrenched the role of technology, for example, displacing on-line the London Metal Exchange’s “Ring”, suspended for the first time since the Second World War, and the activities of Lloyd’s underwriting room. But to what extent does an analogue alternative still need to be maintained as a contingency against technological failure – consider Travelex’s complete reversion to using pen and paper to keep money moving at bureau de changes when all of its online activity was recently suspended as a result of a cyber attack.

Financial resilience

Megan Butler notes that the FCA is already beginning to see that the coronavirus is putting significant downward pressure on many firms’ revenues such that otherwise financially sound firms may become vulnerable – her responsibility is for the wealth management sector. Although, the FCA is not, first and foremost, a prudential regulator, we will see more activism in this area. To this end, Megan Butler announced that the FCA is to survey around 13,000 firms to obtain a more accurate view of their financial resilience in light of the pandemic.

Given the risk that these firms may exit from the market altogether, the FCA is particularly concerned, where relevant, to minimise any delay in the return of client money and custody assets, and prevent shortfalls. Notably, and contrary to the practice of many firms, she also states that in the context of increasing client money balances, the FCA expects firms to return to clients balances which are unlikely to be reinvested in the short term. 

Not forgetting Payments

While resilience will take the regulatory limelight in the near future, other areas retain their focus, and payments, in particular, deserves a mention given the impact of the pandemic on this sector.

The virus has significantly speeded the trend towards cashless payments. As new modes of cashless payment have proliferated so has regulatory interest. From a time as little as 10 years ago when payments firms were barely supervised, “making payments safe and accessible” is now a strategic priority of the FCA. 

The UK is a preeminent global fintech centre so one hopes that more regulatory focus will not result in more onerous regulation especially as the FCA has, up to now, been such a champion of fintech development. Additional policy and procedural requirements derived from PSD2 and the European Banking Authority authorisation guidelines have already added barriers to entry (e.g. procedure for monitoring, handling and following up security incidents; a process for filing, monitoring, tracking and restricting access to sensitive payments data; procedures for collecting statistical data on fraud; and a security policy).

The future of regulation

Megan Butler confirms that the FCA is reviewing what the future of regulation itself should look like. She speculates on a further move from a focus on rules to ultimate outcomes for users of financial services. It remains to be seen what this would look like in practice as firms also need a level of certainty, which they get in having complied with a rule as opposed to being assessed against a nebulous outcome expectation which can be judged with the benefit of regulatory hindsight. There is an argument for shrinking the FCA Handbook but not at the cost of certainty for firms.

In summary, while we have hopefully seen the worst of the health effects of the pandemic, the economic fallout and broader impact will be felt for some time. Firms have shown themselves to be agile in responding to the pandemic – they will need to remain so in anticipating further change from wherever it arises.