UK regulators ramp up scrutiny of financial services firms' resilience plans
Another day, another bank outage. Yesterday HSBC’s mobile app was out of action for several hours, leaving thousands of customers without access to a critical business service, and their cash.
Operational Resilience is high on banking CIO agendas this year, as regulators ramp up the pressure in light of the growing technical complexity of the sector and mounting concerns that the volume of services hosted on the Big Three cloud providers creates additional, sector-wide vulnerabilities.
In March 2021 the UK’s Financial Conduct Authority (FCA) published their policy statement on operational resilience (PS21-3 or PRA PS6/21). Backed by the Bank of England’s Prudential Regulation Authority (PRA), these new rules are applicable to banks, building societies, insurers and investment firms.
The continued stability of the financial system is directly in the public interest as: “operational disruptions can cause wide reaching harm to consumers and pose a risk to market integrity, threaten the viability of firms and cause instability in the financial system”.
On 31 March 2022 the 12-month implementation period allowed by the FCA comes to an end. By this date, regulated organisations must have:
- identified their important business services
- set impact tolerances for the maximum tolerable disruption
- carried out mapping and testing to a level of sophistication necessary to do so
- identified any vulnerabilities in their operational resilience.
This Phase 1 implementation period is to ensure that firms are on-track for the hard deadline of March 2025, by which time firms “must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances”.
All of this takes time, and failure to comply in time can have serious consequences - so it’s important to get started now. The regulator is empowered not just to fine firms that aren’t compliant, but also to take action against responsible individuals within those firms.
Resilience isn’t just a vendor issue
Whilst AWS’ three outages in December last year have exacerbated concerns over the concentration of economically critical services on a small number of cloud vendors, this is just one facet of the resilience challenge facing the financial services sector.
The regulator wants firms to identify their Important Business Services as a first step towards compliance. In modern, complex hybrid IT environments these Important Business Services are composed from elements which run across legacy systems to cloud native deployments, delivered by a complex web of proprietary builds, SaaS vendors and infrastructure partners.
The regulators, quite rightly, see the overall continuity of these Important Business Services as paramount - and it is your responsibility as a regulated firm to make sure they are available. When AWS or Azure or GCP fails again, what’s your recovery plan?
Are you ready?
These new regulations shift focus from the resilience of the individual components and systems to the resilience of the whole of your estate - recognising the interdependence (and fragility) of modern technology estates and the Important Business Services they provide to end-users.
At Cloudsoft we’ve worked with Tier 1 banking customers for years, helping them to achieve a 99% reduction in unplanned downtime and 75% efficiency savings by deploying Cloudsoft AMP. This has helped them move towards greater operational and organisational resilience.
Speak to us today about a Resilience Readiness Assessment for your organisation, and let’s get you ready for regulation.