UK regulators have issued their long-awaited rules on operational resilience. Nicholas Pratt examines the implications for asset managers and their partners.
On March 29, the UK’s main financial regulators – the Financial Conduct Authority, Prudential Regulatory Authority and Bank of England – issued a policy statement on operational resilience rules for UK financial services firms, including asset management companies.
Policy Statement PS21/3 – Building Operational Resilience was published with the objective of strengthening operational resilience and preparedness across the sector. These rules had long been in the pipeline but were delayed once the pandemic hit. While it proved to be the greatest possible test case for operational resilience, it did put a lot of regulatory initiatives on hold.
The rules have three main requirements for firms – identify their most important business services; set impact tolerances for the maximum tolerable disruption; and carry out mapping and testing to a level of suitable sophistication. Firms were given 12 months to complete these tasks with a deadline of March 31, 2022.
According to tech consultancy Capco, the rule change presents two main difficulties for firms – firstly, the one year deadline, given that many firms will have expected to have several years to comply.
The second issue is the broad and open-ended scope of the rules, designed to prevent operational resilience becoming a “tick-box exercise” and instead becoming a “discipline embedded within firms and demonstrably overseen and led by senior management”, says Will Packard, operational resilience lead at Capco.
“This is essentially an open-ended exercise, and firms will need to show real discipline and persistence to meet the spirit of the regulations,” he adds.
Consultant Sionic held a client forum meeting on March 30, the day after the regulators issued their policy statement, to discuss its own survey on operational resilience as well as the requirements of PS21/3. Unsurprisingly, Sionic found that Covid-19 had increased awareness of operational resilience among asset managers, with 64% ranking it as a top priority. Furthermore, it found that 70% have formalised programmes underway, the majority of which have already completed their impact assessments and key business process mapping.
Yet, Sionic partner James Hockley also has some concerns around the operational resilience rules themselves, as well as firms’ preparedness. “My fear is that firms are looking at this from the bottom up. I would rather they look at it from the top down, starting by identifying the harm that can be done from a systems failure or an outage,” says Hockley.
The potential harm should focus on three vectors – investors and beneficiaries; the market; and the investment manager’s own business.
It is also important that firms consider their whole operational ecosystem, including service providers and tech vendors, as part of their operational resilience plans.
“Most firms have outsourced some part of their operations, including technology and data,” says Hockley. “What kind of contingency plans do you and your partners have? This is great if you are working with a major asset servicer bank that has well-established contingency plans, but what if we are talking about an IT company or a small fintech?”
One issue that arises from the regulatory focus on resilience is the potential impact it could have on the move towards so-called operational ‘ecosystems’. Increasingly, asset servicers and large software vendors are looking to provide a number of web-based or cloud-based microservices within one operating environment, using APIs [application programming interfaces] to bring in fintechs. Although this approach may be more flexible and innovative than the traditional enterprise system, there may be resilience issues to consider.
“It begs the question – what are you relying on from that ecosystem and what harm could it do if any part of that system was to suffer an outage or a data breach or a cyber attack?” says Hockley.
Sionic’s research found cyber attacks were the main security risk, cited by 63% of respondents. But while the pandemic has helped to raise the profile of cyber security and operational resilience, not all parts of the risk industry have benefited from the move to home working. As Hockley says: “This is not going to be a positive time for those providing disaster recovery (DR) services”.
Three-quarters of the firms in the Sionic survey said that they plan to make significant changes to their DR site requirements, while 18% have already cancelled or plan to cancel their DR contracts.
Hockley also says that it is important that firms do not just associate operational resilience with technology and assume that the only potential harms involve data breaches. For example, a systems outage could lead to a lack of cash flow or a lack of liquidity for trading or an inability to issue redemptions. “These types of scenarios could affect end investors and the market itself, not just a single firm. There is not enough attention on this.”
Hockley’s final concern is that firms make the most of the time they have to meet the requirements. Firms have a year to complete the mapping and tolerance checks, but should not assume that they can wait a year before fixing any of the issues they identify, he says.
“And firms should realise that it is just good business practice to better understand your operating model and to make it more resilient and efficient.”
© 2021 fundsTech