Globally, Regulators Are Making It Clear: FinServ Firms Must Become Resilient

Over the past several years, organizations across all industries have faced numerous unprecedented disruptions, including a global pandemic, Russia’s invasion of Ukraine, ongoing supply chain bottlenecks, state-sponsored cyber attacks, climate-related events and natural disasters. 

The reality is that the frequency and severity of disruptions to business operations will only continue to increase. This is especially true for the financial services sector, which has also already seen the ransomware attack on ION Markets, the Capita cyberattack and multiple banking collapses just this year alone. 

These types of disruptions often have immediate and long-standing systemic effects on not just the firm itself but also its customers and the general economy.

The increasing number of disruptions and their effects have not gone unnoticed by regulators, who are continuing to enact new rules to ensure that organizations have the necessary proactive measures in place to reduce the impact of disruption. These evolving regulations primarily focus on the financial services sector and their critical third-party suppliers with the objective being to ensure that firms have a level of resilience that allows them to prevent widespread negative effects that could impact their customers and, ultimately, the global economy.

And speaking of third parties, several years ago, the Financial Stability Board highlighted that industry-wide dependence on a single systemically important third party could result in a ripple effect across the financial services industry that would rapidly have significant adverse impacts across the globe.

Operational resilience is becoming a top priority 

Over the past several decades, regulators have taken a heavier hand regarding legislation for the financial services sector. And as the scale of crises will continue to increase over time, so will the number of regulations being set to ensure that financial services firms are being held accountable for implementing the necessary best practices to become more resilient.

Traditionally, these regulations focused on liquidity and asset concentration risk to ensure that firms were adequately capitalized. However, with so many operational issues impacting organizations, such as the ones caused by the global pandemic, it has been proven that operational resilience is no longer just a “nice to have” for financial institutions but is rather a critical component of compliance that has widespread consequence if not adequately addressed and prioritized from the top down.

The UK specifically took the lead on financial services operational resilience requirements in 2021 following ongoing disruptions that began arising from the pandemic. The Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) established a framework to strengthen operational resilience within the UK financial services sector and to ensure that institutions could still deliver their core business services to customers despite disruption, helping to reduce stakeholder impact. The regulation set an initial March 2022 deadline for firms to identify, map and set impact tolerances for important business services. 

After the UK released its operational resilience guidelines, other jurisdictions also followed suit. The CBI (Central Bank of Ireland) released its “Cross Industry Guidance on Operational Resilience,” and the APRA (Australian Prudential Regulation Authority) released its “CPS 230.” These regulations set standards across business continuity, operational risk and third-party risk management to help financial firms achieve operational resilience and also hold them accountable for implementing widely accepted best practices.

Last year, the EU expanded on other regulators’ established frameworks and passed the Digital Operational Resilience Act (DORA). The act expanded the scope of existing regulations to highlight information and communication technology (ICT) risks. The DORA aims to harmonize and expand existing digital operational resilience frameworks across 21 covered entities and critical cloud-based and non-cloud-based technology and data service providers (TSPs). With the act now a legal reality, it is no longer enough for financial services firms to simply just strengthen their internal policies, as the regulation now also expands this expectation to third-party providers. Firms have until January 2025 to comply with the regulation as well as enhance their internal resilience posture and supply chain.

The Monetary Authority of Singapore (MAS) also issued updated business continuity guidelines for financial institutions. The revisions stem from the significant global disruptions over the past several years and help to future-proof financial services institutions. The MAS has also introduced new regulations for environmental scanning and threat monitoring to stay abreast of critical threats continuously.

Canada has also recently turned its focus to operational resilience, with the Office of the Superintendent of Financial Institutions (OSFI) passing new guidelines to manage third-party relationships. The guidelines aim to help financial firms implement more robust governance and risk management programs to strengthen supply chains. 

The global approach to compliance

Upcoming regulatory deadlines across the globe require financial services firms to act today and prioritize resilience. This is further complicated as financial services firms often operate across multiple jurisdictions; but approaching these regulations on a piecemeal basis by jurisdiction to simply “check a box” on reporting requirements is ineffective. It can also require higher resource allocation in the long run, especially as these regulations will only continue to evolve. 

Organizations still need to act locally, but they must also think globally and approach operational resilience from the top down, foster a culture of resilience across the enterprise and take all applicable local regulations into account.

Global policies, best practices and proactive risk mitigation strategies will strengthen a firm’s resilience posture, allow them to meet today’s regional regulations and expectations, and enable them to be well positioned to quickly shift and pivot as new regulations are enacted or as a disruption affects business operations. 

Breaking down organizational silos and fostering team collaboration and transparency is also a must to ensure a holistic approach. Historically, business continuity, risk management, cybersecurity, supply chain and information technology teams existed in silos with limited visibility into interconnected processes and requirements. This siloed approach, with disconnected data sets and management reporting lines, decreases visibility into the organization’s true risk posture and can often result in overlooked risks that can critically affect the organization. 

Ensuring operational resilience

Reactive approaches to risk management are not sufficient for firms to weather the evolving risk and compliance landscape. It is also important to remember that compliance is not the only goal — it is a baseline that firms should aim to exceed. Beyond compliance, robust operational resilience can help build customer trust by minimizing product and service delivery downtime. This also leads to market leadership, enabling firms to stand out among their competitors. A holistic approach to operational resilience that leverages proactive, real-time frameworks unites risks across traditionally siloed departments and can help strengthen the firm’s resilience and compliance posture.

There is also a significant hard-cost return on investment by aligning often disconnected data sets and disciplines like risk, business continuity, IT disaster recovery and third-party risk as this enables firms to retire legacy point solutions and spend less time collecting and deciphering data. This alignment of data under a uniformed operational resilience framework allows organizations to better understand their end-to-end core dependencies and their impacts on the organization so that they can make more confident data-driven decisions that will ultimately allow them to continue to fulfill their promise to customers — which, at the end of the day, is why organizations are in business.