Operational resilience requirements are fast becoming a regulatory favorite for 2024 – as well as a growing compliance burden. From the EU’s Digital Operational Resilience Act (DORA) set for 2025, and the UK government’s Consultation on Critical third parties to the UK financial sector (CP26/23) closing for response on March 15, 2024, financial services are facing a barrage of resilience requirements designed to meet fast-evolving operational risks.
The U.S. Office of the Comptroller of the Currency (OCC) has pegged itself to be next in line to bear the gift of new regulation.
Speaking at the Institute of International Bankers, Acting Comptroller of the Currency Michael J. Hsu has said that the OCC’s current focus “is on exploring baseline operational resilience requirements for large banks with critical operations, including third-party service providers.” The suggestion being, of course, that regulation will soon come to enterprise banks in the U.S..
The OCC is embarking on its exploration of new standards to manage operational resilience and third-party risk by reason that:
“Both the probability of disruptions occurring and the potential impacts from those disruptions are increasing.”
Such “disruptions”, Hsu notes, can be caused by external events – such as natural disasters, malicious actors, or global conflicts. These risks are simultaneously made more prevalent as banking services increase their reliance on technological solutions and third-party service providers, especially those that provide “critical” third parties.
As well as operational risks, this growing third-party reliance can bring cyber risk in tow, as acknowledged by the Federal Reserve System’s Vice Chair for Supervision, Michael Barr, who recently noted that:
“Reliance by banks on third-party service providers has grown considerably in recent years, and with that reliance comes the potential for greater cyber risk. It is ultimately the responsibility of banks to manage their third-party risk”.
To contend with the increasing “threat surface” within critical banking services, Hsu suggests that the OCC will be looking to implement clear requirements for large banks.
Key steps to mitigate disruption to operational resilience
Unlike many traditional banking risks, Hsu notes the “disruptive events” that threaten operational resilience are not rooted in issues of finance or poor liquidity. As such, operational resilience cannot therefore be remedied by bolstering “capital or liquidity”. Hsu adds that the current provision of banking services “increasingly resembles global manufacturing supply chains, with their efficiencies, complexities, and vulnerabilities”.
The only way to ensure that financial services can withstand, or indeed recover from, disruptive events – and avoid vulnerabilities – is to implement:
- Good planning: Have you thought ahead about the obvious, and non-obvious, risks to your business – whether rooted in liquidity, geopolitics, or otherwise?
- Prudent investment: Have you invested in secure, robust systems that protect your business? Similarly, have you ensured that any investment in third-party solutions are robust so as to withstand unexpected disruption?
- Well-designed systems: Do you know how your systems have been built and implemented? Are you aware of their mechanics and able to explain how they operate? Similarly, do you know how your third-party vendors are delivering their technological solutions? Are they also relying on third parties to deliver?
- Regular testing: If you have planned ahead and invested in well-designed systems, are you sure that those systems are effective? Are you testing them periodically and ensuring that relevant staff are trained to ensure and review their effectiveness?
As well as outlining these four critical steps to mitigate operational risk, Hsu suggests five “baseline requirements” that will form the key focus for the OCC in its pursuit of new standards. These include:
- Establishing clear definitions for identifying critical activities and core business lines
- Defining tolerances for disruption
- Requiring testing and validation of resilience capabilities
- Incorporating third-party risk management expectations
- Stipulating clear communication expectations among stakeholders and counterparties
- Addressing expectations for critical service providers, with emphasis on governance and risk management expectations
It is likely that, prior to the formation of these requirements, the OCC will be looking for industry response, with Hsu adding that “gathering input from the industry and other stakeholders will be important.”
“Collaboration is key” – the OCC won’t go it alone
The OCC isn’t the first regulator to foray into the regulatory wilderness of operational resilience which, given the pace of technological advance, is becoming increasingly inhospitable. In fact, it is comparatively behind schedule in comparison to its EU counterparts – a point that doesn’t escape Hsu’s attention. In 2024 alone, several regulatory and legislative actions are already in motion:
| Name | Jurisdiction | Dates of interest |
|---|---|---|
| Digital Operational Resilience Act (DORA) | EU | Came into force January 16, 2023 Applies from January 17, 2025 |
| CP26/23 – Operational Resilience: Critical third parties to the UK financial sector | UK | Consultation closed March 15, 2024 – |
| ECB Cyber Resilience Stress Test | EU | 2024 – |
| Network and Information Systems Directive 2 (NIS2) | EU | Applies from October 17, 2024 – |
| Proposed Rule: Operational Resilience Framework for Futures Commission Merchants, Swap Dealers, and Major Swap Participants | US (CFTC) | Comment period closed on March 2, 2024 – |
| OSFI Integrity and Security Guideline (guidance around third-party solution risk) | Canada | In force January 31, 2024 – |
As well as adapting internal structures to ensure adherence with new regulatory standards, it is likely that firms operating on a global scale will simultaneously have to grapple with a web of comparative (or indeed contrasting) regulatory expectations. Given the relative belatedness of the OCC’s action on operational resilience, it will be interesting to see whether it turns to global equals to adopt similar definitions around “critical activities” or “tolerances for disruption”. Why reinvent the wheel, when the wheels are already in motion?
Is your third-party provider a weak link?
It is not revolutionary to suggest that technological advancement has been of dramatic benefit to financial services – from the way that consumers interact with investments, to the way that compliance teams are able to flag risky behavior. However, with such reward comes risk. As financial institutions expand their reliance on myriad technological solutions and multiple third-party vendors, the scope of resilience grows wider.
For example, using a third-party cloud provider will undoubtedly be the most secure, cost-effective solution for financial services to store data. But does your firm have a business continuity plan in the event that the third-party data center goes down due to fire or flood, as seen on multiple occasions in recent years? We need only look at the £48m fine paid by TSB in 2022 to understand the reputational and monetary damage that can result from poor due diligence.
If the provision of banking services is, as Hsu analogizes, like a chain, operational resilience is the critical art of looking at every link in that chain, and tugging each part to check that it can flex, but not break.
Before engaging with a third-party vendor, especially one that will conduct critical services for your firm, ask whether you have implemented sufficient due diligence and testing to ensure that, if disruption were to occur, your chain will stay strong.
