In my numerous discussions with operations teams over the last few months, a common theme has cropped up in chats with the European (and, yes, I’m including the UK in that group) contingent: firms are beginning to get more direct questions from regulators about operational risk and resilience.
Operational resilience is multi-faceted and covers everything from your business continuity planning (BCP) to your ability to switch from one vendor to another in a timely (and it’s that bit that is the challenge) manner. UK firms in particular have been receiving regular check-ins from the Financial Conduct Authority (FCA) about how they’re faring in the current environment – and when I say regular, I mean that some are receiving weekly calls. Other European regulators may be checking in at a slightly less regular cadence, but the European Securities and Markets Authority (ESMA) is keeping them and their competent authorities on their radar also.
The FCA published its consultation on operational resilience in December last year and it is definitely using this year as a means of learning some valuable lessons about how the industry is able to respond to various challenges during times of stress. ESMA also published its own consultation on the topic of operational resilience related to technology and cybersecurity in April last year and has since put out several key documents on the subject of operational risk assessment. This month, the Bank for International Settlements (BIS) joined the operational resilience assessment club when it put out its own paper on the subject. It seems that the finreg community is concerned about how much groundwork banks have put into being able to withstand significant market changes.
Some firms have fared better than others in terms of their recent operational strains and stresses, though everyone has faced some challenges and managed to address the majority of them. Larger firms with huge offshore operations faced the most disruption when teams were forced to work from home due to the lack of laptops for staff and patchy internet coverage and support in some of these locations. Smaller firms that had outsourced to some of these larger providers have indicated that responsiveness and support from their third-party provider was negatively impacted during the first month or so of lockdown, but operations have since improved. Third-party dependence assessment is something that regulators have already produced reams of consultations about over the last five years and will likely be an integral part of the operational resilience crackdown.
Smaller firms that have kept their functions in-house also faced some challenges due to lack of staff availability and the direct cost of addressing manual inefficiencies. I anticipate that one of the beneficiaries of the lockdown has been DocuSign, for example, as most firms have continued reliance on wet-ink signatures and paper-based processes. But also, the sales of printers and scanners across the globe must be booming, as not all signatures can be digitised – this is where the regulators need to step in to update legislation. The onus is also on national competent authorities to enable some of these operational risks to be minimised.
A proper operational resilience assessment exercise shouldn’t be the remit of the compliance or operations teams alone however. Every single line of business and every functional area is in scope – understanding cybersecurity weaknesses, for example, entails assessment of everything from your application programming interface (API) initiatives to your communication channels with your clients and counterparties. Regulators will likely want to see detailed assessments of these risks and lessons learned during this crisis that have actually been properly addressed. Whether that is ensuring that each of your staff has access to a working and secure laptop or regularly assessing the data security of your third-party service providers technology platforms.
We can all expect a lot more active regulatory investigation and paperwork over the next 12 months and beyond.