Follow us


Six years on from the Basel Committee on Banking Supervision's (BCBS's) consultation on the implications of cloud computing and other technologies for banks and banking supervision, what we now refer to as operational resilience has matured into a more comprehensive regulatory policy covering business continuity, incident management, critical supplier management, and more, in many jurisdictions and across financial services. 

As well as developments in regulatory policy, the sources of likely disruption – from the profile of cyber threats to geopolitics – shift continuously. Firms must continue to look ahead. Insights into regulatory expectations and practical examples of what regulators focus on when things go wrong come from enforcement actions, which are therefore a useful source of lessons for the future.

In a nutshell:

As the pace of digitisation increases bringing more risk of technology disruption, operational resilience remains high on the agenda for regulators and firms across the globe. New regimes and ever higher expectations continue to be rolled out, including expectations on senior management accountability.

Firms facing enforcement action for operational resilience failures may get 'credit' if they co-operate with the regulator(s) and 'do the right thing' for affected consumers.

Operational resilience is not a 'once and done' process; firms' systems and controls must continue to evolve in response to technology developments, cyber security threats and maturing consumer expectations for data security.

embed image
Quote image

While regulatory regimes may be at different stages of maturity, maintaining operational resilience is firmly established as a strategic imperative for all boards.

Luke Hastings
Sydney

The UK

In the UK, where operational resilience rules for regulated financial services firms were finalised in March 2021 and firms have until 2025 to reach full compliance, recent enforcement outcomes offer some key lessons:

  • Firms must be on top of their outsourcing and similar arrangements with third party suppliers (and underlying fourth party sub-contractors), including and intra-group arrangements. Two significant UK cases involved intra-group arrangements where the enforcement notices highlight failures in governance and oversight. In one case, the FCA's final notice paints of picture of a business "in awe" of its parent company and failing to undertake even the most basic level of controls, including auditing arrangements. Intra-group governance structures, such as hard reporting lines from people in the firm up to the service provider, also prevented effective oversight.
  • Senior managers should expect to be in the crosshairs for enforcement action when an incident occurs. Technology and automation can distance staff from the actual workings of the business, but the regulators have been clear in both recent UK enforcement and in their statements on fintech, that individuals – particularly senior managers – remain accountable.
  • Like their peers, the UK regulators accept that disruption will happen. But how firms deal with disruption matters. One new FCA enforcement lead has emphasised the importance of co-operation and proactively taking action to redress consumer loss. 

In terms of further change in this jurisdiction, the development of a regime for critical third-party providers (CTPP) to the financial services sector over the course of 2024 will be one for regulated firms to watch. The practical impacts of the new CTPP regime remain to be seen… and, eventually, to be tested.

The development of regimes for critical third party service providers is something to watch. Whether these work will be judged by the outcomes following a disruption.

Clive Cunningham
London

Quote image

Hong Kong

Hong Kong financial regulators have, in recent years, enhanced their guidance on a wide range of operational resilience areas.

In 2022, the HKMA introduced significant enhancements to its Supervisory Policy Manual to implement BCBS principles, including a brand-new module OR-2 on operational resilience, as well as updates to module OR-1 on operational risk management and module TM-G-2 on business continuity planning.  

Module OR-2 provides guidance on developing a holistic operational resilience framework. It also highlights the HKMA's expectations on operational risk management, business continuity planning and testing, third-party dependency management, and information and communication technology (including cyber security). Banks had to develop their operational resilience frameworks and timeline by 31 May 2023, and they must become operationally resilient by 31 May 2026 at the latest. 

Although we have yet to see enforcement actions, operational resilience remains a top regulatory focus area in supervisory inspections and thematic reviews. For example, in September 2023, the SFC announced a cybersecurity review of selected firms, the findings of which would form the basis of further guidance to the industry. 

Like the UK regulators, the SFC and the HKMA have consistently emphasised that senior management remain accountable for operational resilience. The HKMA's new module OR-2 contains detailed guidance on the respective roles of the board and senior management. We expect the SFC and the HKMA to scrutinise the conduct of both the firm/bank and members of its senior management in future investigations.

Quote image

Cyber risk and resilience are a key part of the operational resilience picture – this isn't going to change any time soon.

Hywel Jenkins
London

Australia

Consistent with the global position, in the wake of two significant data breaches in late 2022, regulators in Australia are emphasising that operational and cyber resilience should be a key focus for companies and boards.

ASIC recently updated the market integrity rules for market operators and participants (and related ASIC guidance) to specifically address these issues. The refreshed rules cover issues including change management, outsourcing, information security and business continuity planning. ASIC is searching for a test case. Its Chair recently stated: "ASIC will be looking for the right case where company directors and boards failed to take reasonable steps, or make reasonable investments proportionate to the risks that their business poses… in the right case ASIC will commence proceedings." Meanwhile, the recent UK cases show what regulators may focus on when things go wrong.

In tandem, APRA recently finalised its new prudential standard on risk management, CPS 230 – which aims to assist APRA-regulated entities strengthen operational risk management, improve business continuity planning and enhance third-party risk management. Like the UK, APRA expects regulated entities to start preparation for the standard, which will be operative from 1 July 2025.

Conclusion

Regulators' expectations on what firms should be doing to ensure they comply with operational resilience rules will continue to develop as the threat and disruption landscape evolves. Looking to tertiary sources of insight, including enforcement actions by financial services regulators and how incidents are handled in other sectors, will provide firms with valuable insight to keep a step ahead of disruption and regulatory trouble. 

Key contacts

Hywel Jenkins photo

Hywel Jenkins

Partner, London

Hywel Jenkins
Luke Hastings photo

Luke Hastings

Partner, Sydney

Luke Hastings
Clive Cunningham photo

Clive Cunningham

Partner, London

Clive Cunningham
Cat Dankos photo

Cat Dankos

Regulatory Consultant, London

Cat Dankos
Valerie Tao photo

Valerie Tao

Professional Support Lawyer, Hong Kong

Valerie Tao
Hannah Cassidy photo

Hannah Cassidy

Partner, Head of Financial Services Regulatory, Asia, Hong Kong

Hannah Cassidy
Annabelle Green photo

Annabelle Green

Senior Associate, Sydney

Annabelle Green
Elise Galati photo

Elise Galati

Solicitor, Sydney

Elise Galati

Global Bank Review 2023

A rising bar – Why maintaining trust is getting harder for banks

Stay in the know

We’ll send you the latest insights and briefings tailored to your needs