Out-Law News
02 May 2024, 4:06 pm
Operators of financial markets infrastructure (FMIs), such as payment systems, have been advised to anticipate – and undertake robust testing around – “extreme but plausible” scenarios that could cause disruption to services, ahead of new rules on operational resilience taking effect in the UK next year.
The recommendation was made by Sasha Mills, executive director, financial markets infrastructure, at the Bank of England (BoE). In a speech given at the London Institute of Banking and Finance on Tuesday, Mills said the “loss of an important third party provider, or a severe cyber attack impacting multiple data centres at once” were examples of the ‘extreme but plausible’ scenarios FMIs should prepare for.
“Testing for these kinds of scenarios helps ensure FMIs are thoroughly testing their response and recovery capabilities,” Mills said. “It also means FMIs are challenging assumptions they may be making about the suitability of their response and recovery plans, especially over what will happen over longer timeframes or within heightened impact scenarios.”
From 2025, a new operational resilience regime will come into full effect in the UK financial services market. The BoE, in tandem with the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), has set similar but distinct rules, reflecting the regulators’ different remits. The BoE’s rules apply to different types of FMIs.
In brief, the rules require FMIs to identify their important business services, establish an ‘impact tolerance’ for these services and identify and map their dependencies, and use scenario testing to establish whether they can stay within their impact tolerances.
The rules began to take effect on 31 March 2022, but the regulators gave firms a hard deadline of 31 March 2025 to achieve full compliance.
Mills said the BoE expects to see FMIs “accelerating their efforts to ensure that they have calibrated their tolerance for negative impacts on their important business services, and mapped the key people, processes, technology, facilities, and information needed to deliver these services”. She said the FMIs should then be “fully testing their ability to remain within impact tolerances for ‘extreme but plausible’ scenarios – ensuring that response plans and capabilities are robust, and where not, that strategic investment is being made”. She described this as a “key requirement”.
According to Mills, there is room for improvement in the way FMIs have engaged with the market to inform the setting of impact tolerances. She highlighted how disruption to FMI services has the potential to “cause contagion and additional risks to crystallise”.
Mills also said “significant work” is needed to improve how disruption scenarios are tested by FMIs.
Mills said: “FMIs should be asking themselves the following questions: Are the scenarios extreme enough? How many scenarios are sufficient to ensure the risk has been looked at from several angles? Do the scenarios ‘think the unthinkable’? We need to see FMIs prevent incidents where they can, but we also need to know they know what to do when things do go wrong and ‘the worst’ – so to speak – does indeed happen.”
“Mature scenario testing requires depth and consistency of approach across scenarios and the design needs to be really clear: the cause of the disruption (for instance is it a cyber-attack or an internal system issue?), the scale of the disruption (how many important business services, participants or transactions are impacted and for how long) and the key risk factors and vulnerabilities that are being tested are clearly set out,” she added.
The BoE also expects to see FMIs ensure ‘extreme but plausible’ scenarios planned for “directly link to the risks and vulnerabilities they face and have mapped”, according to Mills, who added that approaches to testing also need to become more sophisticated and move beyond so-called tabletop and desktop exercises.
Mills confirmed, however, that the BoE does not expect disruption to services never to occur. She said the regulator assumes “that some operational disruptions will happen” – even when FMIs have “excellent incident prevention mechanisms” in place. She added that the regulator will not prescribe how FMIs should achieve operational resilience but rather will focus on “financial stability outcomes”.
Mills also highlighted how FMI services that are “systemically important” to the UK financial sector are often provided by UK subsidiaries of larger international companies. She said the parent companies “need to ensure that appropriate investment and resources are being directed, within the group, to the UK ‘FMI’ subsidiary” so that the subsidiary can meet the regulator’s expectations on operational resilience.
Beyond March 2025, Mills said the BoE will expect FMIs to “continue to monitor and improve their operational resilience as risks and technologies evolve”. In this regard, she cited the changing cyber threats that are posed to operators in the financial services sector as well as risks arising from new technology such as AI.
Yvonne Dunn of Pinsent Masons, who specialises in technology contracts in the financial services sector, said: “Operational resilience is a key financial services regulatory priority in the UK and elsewhere in the world. UK banks and insurers have been focusing on operational resilience for some time, but this is a timely reminder that FMIs and payment providers are also key to overall resilience and need to be ready for these new rules through the setting of impact tolerances and testing against extreme but plausible scenarios.”