Operational Resilience and Financial Market Infrastructure Firms

In the EU, FMIs are currently subject to a patchwork of operational requirements under the specific regulations that apply to their sector. For example, EMIR includes a specific article on business continuity for CCPs, a regulated market (i.e. trading venue) under MiFID II is expected to have 'effective business continuity arrangements to ensure continuity of its services if there is any failure of its trading systems.' And under the EU Benchmarks Regulation, benchmark administrators are expected to have a control framework that includes 'adequate and effective business continuity and disaster recovery plans'.

The EU Digital Operational Resilience Act (DORA), recently agreed by the European Parliament and Council, and likely to apply from late 2024 or early 2025, will be a significant step in harmonising the existing patchwork and introducing new requirements for all EU-regulated financial entities across: information and communications technology (ICT) risk management and incident reporting; digital operational resilience testing; information and intelligence sharing and third-party provider management.

UK regulators have rolled out a raft of operational resilience requirements across the whole financial sector. Central securities depositories and CCPs are required to implement Bank of England policy. The FCA's policy applies to regulated investment exchanges (i.e. trading venues) and enhanced scope SMCR firms (dependent upon certain criteria, including prudential and CASS status). Both policies required FMIs to have identified their important business services, set impact tolerances for maximum tolerable disruption to these services, carried out resource mapping and initiated a programme of scenario testing by end-March 2022. By end-March 2025, FMIs must have performed scenario testing and taken all reasonable actions to remediate vulnerabilities identified and to demonstrate that they are able to remain within impact tolerances for each important business service.

In the UK, although other types of FMIs are not formally subject to the above regulatory policies, the FCA is increasing and widening its supervisory focus on operational resilience — operational resilience is one of the five FCA supervisory priorities (PDF 216KB) for Benchmark administrators and one of three key risks (PDF 187KB) it identified in relation to data reporting services providers (DRSPs).

In both the UK and the EU, there is increasing focus and new requirements for critical third-party providers in financial services. The identification of a critical third party providers in the EU's DORA and in the UK Financial Services and Markets Bill are based on criteria such as the number and systemic nature of the services it provides to financial services entities. Therefore, some FMIs — such as data providers — may be classified as critical third parties in either or both jurisdictions when the legislation comes into force — at the earliest 2024. Under DORA, critical third parties will be required to have comprehensive arrangements to manage the ICT risk they pose to financial entities. In the UK, critical third parties are likely to be required to meet minimum resilience standards (including developing and testing financial sector continuity playbooks) and take part in targeted forms of resilience testing. Both jurisdictions will impose supervisory oversight on critical third parties by the financial regulators and will be able to impose penalties if there is a lack of compliance with obligations. DORA will also require third country (i.e. non-EU) critical third party providers to subsidiarise in the EU within 12 months of being designated as critical — which may require review of entity and governance structures of FMIs.

As described above, UK operational resilience policy requires financial services firms to identify and enhance resilience of their important business services. Increasingly FMI play a role in facilitating these important business services and so are now finding themselves subject to substantive information requests from their clients on their levels of operational resilience. They are also requested to participate in co-testing where they are third-party providers of the service, for example in order to validate the clients' impact tolerances set for the service and the ability to recover the service within impact tolerances. The requests often come in different formats from different firms, although the same underlying risks are being assessed, which places considerable challenges on FMIs to respond in a consistent, sustainable and cost effective manner.

Regulators are also focusing on specific areas of FMI service resilience. For example, both ESMA and the FCA have recently issued consultations on trading venue outages. They propose specific requirements on how trading venues should communicate in the event of an outage and expectations around alternative arrangements to provide closing reference prices if the primary venue is unable to.

FMIs face operational resilience demands from many different parties even if they are not formally required to implement operational resilience policies in all areas of their business. This growing focus requires strong governance and coordination, especially given the complex conglomerated structures of larger FMI firms who often provide many different services into the market. Operational resilience is much wider than just business continuity and disaster recovery plans and it is becoming a driver of investment to achieve broader business benefits, competitive advantage and develop scalable and sustainable operating models.

KPMG firms have been helping FMIs to manage this spider's web of operational resilience requirements from strategy through to implementation. While operational resilience regulations will continue to develop across the multiple jurisdictions, a focus on developing single consistent risks assessments of the key services and aligning strategic operational resilience capabilities will enable timely and cost effective regulatory compliance across DORA, Bank of England requirements and the broader regulatory landscape. An integrated approach can help drive immediate and longer term synergies and business benefits across programme and BAU activities.

KPMG firms have an established methodology and technology solution — KPMG Powered Resilience. This has been used with clients to implement and embed a robust and scalable, technology enabled Operational Resilience Operating Model. KPMG's Powered Resilience solution is designed to address business needs across major jurisdictions, including BoE/PRA/FCA and EU DORA obligations, and can help ensure that businesses approach requirements in a singular and consistent manner. Please contact us below to find out more about the services KPMG firms offer.