
Bank of England: PS21/3 and Building Operational Resilience

PS21/3 is the Bank of England’s new policy for Financial Market Infrastructures (FMIs) to build their operational resilience. It aims to ensure an undisrupted service from payment systems such as Visa and BACS, even while they face significant threats.

20 June 2024 8 mins read
By Jennie Clarke

In this guide, you’ll learn about what led to the implementation of this regulation, alongside the key requirements and timeline for compliance. Plus, find out how Global Relay is helping FMIs to meet their compliance demands and protect the operational resilience of their organizations.

Why are the regulators introducing new rules around operational resilience?

Operational resilience is integral in the financial markets because it ensures business continuity, even while companies react to stressful scenarios. Most importantly, its purpose is to ensure that consumers can access their funds without service disruption, no matter what is going on behind the scenes.

But in case you haven’t noticed, it’s not only the Bank of England that is interested in keeping the financial markets operating in the face of adversity. In fact, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have also released similar regulations in recent times.

Such a focus on operational resilience has largely resulted from disastrous past experiences.

In a March 2024 announcement from the Bank of England, the TSB Bank’s 2018 IT migration incident was referenced.

TSB moved customer accounts from its original Lloyds systems to an independent program. All of the bank’s customers were affected by an initial outage, which meant that customers could not access their accounts, and therefore, their finances.

Even after this initial complication there were further challenges, with some customers able to access the information of other accounts and seeing money disappear. The incident highlighted the importance of maintaining core services even in the face of operational demands.

Moreover, the Bank of England’s Executive Director for FMIs, Sasha Mills, referenced the increased reliance on third party services as a reason for this new policy. And on FMIs specifically, Sasha said:

“FMIs provide the “pipes” and infrastructure which interconnect and underpin modern financial markets and the real economy. But when the underlying infrastructure provided by an FMI fails, this confidence can be damaged, and this puts financial stability and growth at risk – and that’s why the Bank of England (Bank) supervises key FMIs in the UK.”

What are the aims of PS21/3?

The regulation has four key aims:

  1. Protect the function of the markets for economic stability
  2. Ensure orderly return to trading if markets fail
  3. Involve relevant infrastructure providers when making decisions
  4. Facilitate market initiative to build resilience

It’s similar to the DORA regulation, which focuses on financial institutions working within the EU. We’ve written about five of the key challenges for third parties in the DORA regulation here, in case you’d like to learn more.

But the Bank of England made a point to separate the responsibilities of FMIs and their third parties, saying, “it is crucial to stress that FMIs are still responsible for their own operational resilience. The critical third parties regime in no way detracts from those responsibilities”.

As such, the framework for operational resilience of FMIs differs from other compliance certifications, such as ISO 27001.  

What are the requirements of PS21/3: building operational resilience?

The framework for the PS21/3 operational resilience regulation has four main requirements:

  1. Identify threats
  2. Measure impact tolerance
  3. Map dependencies
  4. Stress testing

1. Identify threats

“Cyber-attacks are one of the most frequently cited risks to UK financial stability we see in our industry engagement, but we are also concerned about events like natural disasters or operational errors”, Sasha continues.

In fact, this regulation categorizes risks by three sources of origin: internal, third-party and external.

Internal threats

Internal incidents are those occurring through the firm’s own systems or employees. For example, a broken 2FA process that leaves genuine account-holders locked out of their finances.

Third party threats

Third-party incidents refer to issues with vendors and suppliers that can disrupt the core business services. A successful phishing attempt on a supplier that processes card transactions may render that supplier offline in an attempt to resolve things. This could prevent customers from using their cards altogether.

External threats

Finally, external threats originate from outside of the financial organization, and often affect the market as a whole. The Russia-Ukraine war was an external threat that led to Citigroup deciding to cease operations in the region. This meant that customers in Russia could no longer hold an account with the bank, and the institution lost out on approximately $3 billion due to the move.

2. Impact tolerance

Impact tolerance refers to the maximum level of disruption that an institution can withstand for business continuity.

It’s important because institutions need to know their limits, and create a calculated buffer to overcome stressful scenarios. One bank that failed in this aspect was Silicon Valley Bank (SVB), which collapsed in March 2023.

SVB announced a fundraise, which worried account holders, who subsequently began withdrawing their funds all at once. Since SVB were tied up in long-term investments, they didn’t have enough liquid cash on hand to rectify the situation, essentially ‘going bust’.

In this Bank of England operational resilience regulation, it’s up to FMIs to formulate their own impact tolerances for payments. However, the policymakers do encourage FMIs to lean on other longstanding frameworks.

“The Financial Policy Committee (FPC) has set an impact tolerance at the system level for payments recognising how important payments are to the economy and to trust in the financial system. FMIs that provide payments services should consider the FPC’s impact tolerance when formulating their own impact tolerances for payments.”

FMIs must calculate impact tolerances for each external business service, but not including disruptions to services like payroll. They also note that the figures for one firm might be completely different to another. Factors such as recovery and response arrangements, the consideration of regulatory objectives and scenario testing all impact the tolerance levels.

3. Map dependencies

Dependency mapping refers to understanding the relationships between various employees, systems, processes and third parties that all impact service output. It will require FMIs to visualize all of the applications within a system, and consider how issues will affect the other components of the system.

For example, a third party providing email marketing services might get hacked. While it’s seemingly unrelated to financial security, the hackers may send out a mass email asking for customers to confirm their account numbers and online banking passwords, which could provide these bad actors with access to customer accounts.

Without mapping out dependencies, incidents like this third-party example might have been overlooked. Instead, dependency mapping will allow the FMI to identify its potential areas of exploitation, and support the third party to plug its areas of vulnerability.

This lines up with the overall benefits of dependency mapping, which will enable FMIs to strengthen their overall risk management strategies.

4. Scenario testing

Scenario testing is the final part of the framework for the operational resilience of FMIs. The Bank of England specifically requests that firms test “extreme but plausible scenarios” to ensure that the maximum number of possibilities are considered and planned for.

Of course, it would be impossible for FMIs to anticipate all of the risks, especially as future technologies emerge. In fact, Sasha highlights “cloud services, artificial intelligence [and] distributed ledger technology” as three of the newer challenges to consider.

However, the purpose of stress testing is to establish prevention, detection and response plans to incidents, and drill best practices into employees. In fact, the Bank of England identifies staff awareness and training as one of the key influences in an organization’s ability to operate securely.

Compliance timeline

While the Bank of England, FCA and PRA each implemented their regulations in 2022, firms have until 31st March 2025 to comply with the relevant policies. And they have been making progress, but Sasha notes that there are still a few gaps.

“Over the past few years, the Bank has been engaging with FMIs to understand their progress towards meeting this regulatory deadline. We are encouraged by some progress that has been made, however there is still considerable work to be done for many FMIs.” 

Plus, even those who have made efforts to comply will need to continually monitor and review their efforts after the deadline. The regulator encourages collaboration with the government and National Cyber Security Centre in order to share information about emerging threats.

And relying on a regulatory compliance solution can help your business be sure that there are no gaps. At Global Relay, we specialize in helping our clients to mitigate the risks and evolve their compliance strategies with fully integrated solutions. Having operated since 1999, we’ve served 22 of the top 25 global banks and aren’t stopping any time soon. Get in touch to book a Demo with Global Relay.
