Redefining firms' resilience

Regulators have long expected firms to manage operational risks and have in place business continuity and disaster recovery plans. In the new post-pandemic reality, operational resilience is viewed as more than this. When identifying potential disruptions to business, firms need to consider not if, but when.

Additional demands on systems and processes arising from prolonged and large-scale remote working, and an increasingly digital world, has increased the focus on firms' technological resilience. Outsourcing to third parties, cybersecurity and money laundering risks are not new, but regulatory focus is turning to the broader ICT1 risk environment. And some jurisdictions are introducing new capital requirements for investment managers, with the aim of better defining minimum financial resilience.

• Operational resilience
• Data resilience
• Outsourcing
• Cyber security
• ICT risk - taking a broader view
• Prevention of money laundering
• Re-calibrating financial resilience

Regulators are acutely aware that the threat of disruption to firms, and by extension to their customers, is heightened in times of stress. Technology-led business transformation, high-profile instances of disruption and recognition of the interconnectedness of the financial system have led to increased attention on operations and how things are done. Operational resilience is seen as the outcome of effective management of operational risk and is becoming a key driver of investment and business strategy. Regulators around the globe are focused on common themes:

• Greater accountability and ownership, with engagement from the top down
• Clear definition of a firm's key business activities
• Understanding the key dependencies required to deliver those activities
• Testing resilience under stress scenarios
• Defining meaningful metrics to quantify resilience and assess tolerances for disruption
• Ensuring timely and appropriate communications for investors 

In June 2020, in response to the pandemic, the Monetary Authority of Singapore (MAS) issued guidance to address operational, technology and cyber risks. In March 2021, this was expanded by a paper (PDF 1.2 MB) on "Risk Management and Operational Resilience in a Remote Working Environment", which highlighted possible risks to financial institutions in the areas of operations, technology and information security, fraud and staff misconduct, and legal and regulatory risks. It also examines the impact of remote working on people and a firm's culture. 

A broader approach to operational resilience - incorporating equally important components such as processes and people - is increasingly expected of firms. Regulators are highlighting the importance of identifying severe but plausible tailored scenarios, and of performing stress tests to reveal weaknesses in operating models. Firms need to consider not only what would happen if they were to experience disruption, but how they will respond when it happens. This requires firms to define the amount of disruption they would be willing to tolerate, to create metrics to monitor and measure their ability to remain within these tolerances, and to test for various scenarios against them.

The UK Financial Conduct Authority (FCA) has set out its new approach to operational resilience for investment managers with a three-year rolling average of GBP 50 billion or more assets under management. The policy aims to ensure that firms plan appropriately and deliver improvements to their operational resilience so that they can respond effectively to disruptions (including multiple concurrent disruptions) to their most important business services - those with the greatest potential to cause financial instability or customer detriment. Best practice will develop over time, but firms are encouraged to view the policy as a minimum standard and to develop an approach that is proportionate to their size, scale, and complexity. 

A three-year implementation period will start on 31 March 2022, by when firms will be expected to have identified and mapped their important business services, defined impact tolerances, and commenced a program of scenario testing. They should also have a prioritized plan setting out how they intend to comply with the requirements. Outsourcing arrangements entered into on or after 31 March 2021 should meet supervisory expectations by end-March 2022, and earlier agreements should be reviewed at the first appropriate contractual renewal or revision point.

The Central Bank of Ireland (CBI) is consulting (PDF 1.3 MB) until July 2021 on cross-sector guidance on operational resilience, which takes into account the EU proposals on digital operational resilience (see below). The draft guidance will require all regulated firms to review existing agreements with third-party service providers (and with those providers' service providers) to ensure they have "at least equivalent operational resilience" conditions in the event of another crisis. Firms will have to identify impact tolerances, carry out scenario testing and ensure that legally-binding written agreements are in place with third parties that detail how the critical or important services will be maintained during a disruption, including down the supply chain. In some instances, this could result in firms appointing new third-party service providers or taking the services in-house. For firms that rely on many third parties for the delivery of critical or important business services, there could be a greater cost impact if most of or all their service providers have to revise upwards their operational resilience conditions.

Regulators are attuned to data risks, as part of operational resilience. Firms need to ensure the integrity of exponentially expanding databases and that they have the expertise to store and analyze them, whether in-house or via outsourcing to third parties. They need both to protect customers' and market confidential data and to share them, to deliver services more efficiently and across borders. Effective controls are essential around internal processes, the storage and use of data, communications with customers and counterparties, and contractual arrangements with third parties. 

The growth in available data requires expanded storage infrastructure and more efficient search and indexing protocols. One solution to address the rising cost of data storage is to make more use of cloud technology, but this has both advantages and challenges. Cloud service providers can offer geographically dispersed infrastructure and heavy investment in security, providing firms increased resilience and allowing them to scale more quickly and operate more flexibly. However, firms can encounter operational, governance and oversight issues (particularly in a cross-border context), provider concentration risk and increased cyber vulnerability.

In May 2020, the International Organization of Securities Commissions (IOSCO) consulted (PDF 444 KB) on new and expanded principles on outsourcing, noting that "operational resilience refers to the ability of regulated entities, other firms such as service providers, and the financial market as a whole to prevent, respond to, recover, and learn from operational disruptions". The revised principles comprise a set of fundamental precepts and a set of seven principles. The fundamental precepts cover issues such as the definition of outsourcing, assessment of materiality and criticality, application to affiliates, treatment of sub-contracting and outsourcing on a cross-border basis. The final principles are awaited. 

The European Securities and Markets Authority's (ESMA's) guidelines (PDF 386 KB) on outsourcing to cloud service providers will apply from July 2021 and EU firms should review their existing outsourcing arrangements against the new guidelines by end-2022. Firms must put in place a specific strategy for any cloud outsourcing services, including appropriate governance arrangements and more stringent cyber security measures. Pre-outsourcing analysis and due diligence should be undertaken before appointing a provider and contracts must typically include specific terms regarding access and audit rights and subcontracting. Exit strategies (including planning and testing how a firm would migrate to another provider) should be considered before appointing a provider. An updated outsourcing register must be maintained and shared with regulators as requested.

The guidelines around governance, oversight and documentation may be challenging for smaller IT departments. The need to complete a very specific cloud strategy may be outside the capability of some firms, which will need to seek external guidance. Also, the contractual rights required by IOSCO's principles, ESMA's guidelines and other regulatory requirements could be challenging for firms to negotiate and exercise, particularly in a multi-jurisdictional context. As part of its FinTech Action Plan, the European Commission intends to prescribe standard contractual clauses for such outsourcing agreements. 

The Central Bank of Ireland is consulting (PDF 275 KB) until end-July 2021 on cross-sectoral outsourcing guidance that reaffirms its adoption of relevant European Supervisory Authorities' guidelines on outsourcing to cloud service providers. The draft guidance should be read in conjunction with the draft guidance on operational resilience mentioned above. It includes the role of the board and senior management in outsourcing, linkages to operational resilience, expectations on intragroup arrangements and assessment of concentration risk. It emphasizes digital risks and outlines information to be provided to the CBI in relation to outsourcing (notification of critical or important outsourcing, adverse incidents and periodic outsourcing register returns). 

Meanwhile, as part of the implementation of the new Financial Institutions Act, the Swiss Financial Market Supervisory Authority (FINMA) has extended the scope of its outsourcing requirements, originally designed for banks and insurers, to selected financial institutions - fund management companies, managers of collective assets and self-managed investment companies with variable capital (SICAVs). A key point of debate is what constitutes a "significant function", the delegation of which is an outsourcing, according to the circular. 

Cyber resilience has long been viewed as the backbone of operational resilience programs and continues to be of critical importance. Cyber criminals are developing a growing understanding of business flows within the investment industry. They are adopting ever-more sophisticated approaches, such as attempts to hijack fund login credentials or to retrieve confidential data. 

The Financial Stability Board's (FSB's) final report on effective practices for cyber incident response and recovery sets out a toolkit of 49 practices across seven components: governance, planning and preparation, analysis, mitigation, restoration and recovery, co-ordination and communication, and improvement. The FSB is now exploring the scope for convergence in the regulatory reporting of cyber incidents. The European Commission's new cybersecurity strategy includes overhauling existing rules for critical sectors. Firms will need to pay closer attention to the cybersecurity of theIr software and hardware suppliers: supply chain security. 

The French Autorité des Marchés Financiers (AMF) has observed an increase in the volume and sophistication of cyber-attacks, following inspections of asset managers' cyber-security systems. It examined the systems and processes put in place by six firms to address the risk of malicious attacks on the availability, integrity, confidentiality and traceability of their information systems. The AMF notes that cyber-security risks are increasingly well factored into firms' governance and control systems, but "this has been achieved without sufficient prior research on the main risk areas to be protected, which helps maintain a false impression of security among the players inspected" 

The AMF cites good practices such as the appointment of a dedicated manager from the executive committee to handle cyber security topics, the implementation of regular awareness-raising campaigns for employees, and the inclusion of cyber risks into risk mapping and control plans. Faced with the raising volume and sophistication of cyber-attacks, the management and control of interactions between asset managers and their external ICT service providers "must remain a priority when defining security measures" 

The Division of Examinations of the US Securities and Exchanges Commission (SEC) is working with firms to identify and address information security risks, including cyber-attack related risks, and is encouraging market participants actively and effectively to engage regulators and law enforcement in this effort.

The regulatory focus on cyber security is evolving into consideration of the broader ICT risk environment: "digital operational resilience". Regulators are emphasizing that increased use of technology requires firms to revisit their governance arrangements and controls to ensure they have the right level of expertise and understanding at senior management levels in order to govern well and to identify emerging and heightened risks. Use of artificial intelligence and machine learning are attracting special regulatory attention in this regard, as outlined in chapter 3. 

Equally, technology can help firms to govern their businesses, manage risks and improve customer outcomes. Firms are using technological applications - RegTech - to ensure they have a full understanding of the rules to which they are subject and to check or validate their compliance with those requirements. Technological applications can challenge traditional governance arrangements and controls and increase the divide between the tech savvy and technophobes. The positions of Chief Technology Officer and Chief Data or Information Officer, in addition to Chief Operating Officer, are being created, in part to help bridge this divide at senior management level. 

The European Commission has published (1.3 MB) a wide-ranging draft regulation on digital operational resilience for the financial sector (DORA). DORA will establish a comprehensive EU framework with rules for all regulated financial institutions, with only minor concessions to proportionality. It will: 

1. Streamline and upgrade existing financial legislation (including fund and asset management rules), by: 

• Better aligning firms' business strategies and the conduct of ICT risk management, to improve overall management of ICT risks, and ensure firms can assess the effectiveness of their preventive and resilience measures and identify ICT vulnerabilities -- Applying testing requirements proportionate to a firm's size, business and risk profile 
• Strengthening firms' oversight and ensuring sound monitoring of third-party ICT 
• Raising awareness of ICT risk and minimizing its spread through information-sharing, including allowing firms to exchange cyber threat information and intelligence 

2. Create more coherent and consistent incident reporting mechanisms, to reduce administrative burdens for firms and strengthen supervisory efficiency, by: 

• Harmonizing and streamlining the reporting of ICT-related incidents 
• Increasing supervisors' knowledge of threats and incidents by enabling them to access relevant information 

Proposals for ICT risk management, including the management of third-party risk, will be complex to implement and the reporting of major incidents and enforcement processes requires further clarification. Detailed rules and guidance yet to be issued may provide some clarity but are unlikely to mitigate all the challenges.

New provisions in Saudi Arabia around anti-money laundering (AML) and systems and policies will require fund managers to upscale their systems, controls and processes in order to comply with the regulations and enable enhanced risk assessments and mitigations. New AML requirements are also in force in Canada, covering due diligence, record keeping and identity checks. 

The Division of Examinations of the US SEC continues to prioritize examinations of broker-dealers and registered investment companies for compliance with their AML obligations and whether firms have adequate policies and procedures in place that are reasonably designed to identify suspicious activity and illegal money-laundering activities. The SEC is assessing whether firms have established appropriate customer identification programs and whether they are satisfying their filing obligations, conducting due diligence on customers, complying with beneficial ownership requirements, and conducting robust and timely independent tests of their AML programs.

The CBI has issued (PDF 313 KB) a Dear CEO Letter, reminding Irish "Schedule 2" firms of their obligations and outlining the findings of its 2020 review. Failings related to board oversight and governance, risk assessments, policies and procedures, customer due diligence, adherence to sanctions, suspicious transaction reporting and staff training. The European Commission is expected soon to issue a proposal for a stand-alone EU AML agency that would have supervisory powers over financial and some non-financial companies.

The capital requirements for EU and UK investment managers are changing. They will no longer be subject to rules that were predominantly designed for banks. The EU Investment Firms Directive and Regulation are due to come into effect in June 2021, and the UK rules, which are broadly aligned with the EU rules, will apply from January 2022. Both will introduce simplifications to current rules, but all firms will need to re-assess their capital requirements and change their reporting systems. 

Investment managers will fall into two broad categories: "small and non-interconnected" (SNI) or not. A firm's minimum capital requirement will be based on three measures: 

• The "permanent minimum capital requirement" (PMR) will be EUR/GBP 75,000 for investment managers that do not hold client assets and EUR/GBP 150,000 for those that do 
• The fixed overheads requirement (FOR) - one quarter of the previous year's fixed overheads 
• The "K-factors" requirement, which is essentially a mixture of activity- and exposure-based measures 

The capital requirement for SNIs will be the higher of their PMR and FOR. Non-SNIs will need to have capital that is the higher of their PMR, FOR and K-factors. In January 2021 the CBI outlined its expectations on how Irish firms should be preparing for the new prudential regime, "Firms should complete a comprehensive analysis of all relevant aspects of the IFR/IFD and identify how it will impact the respective firm's business model."