No financer of last resort for operational risk warns BoE

A senior Bank of England figure has said that he hopes the publication of its new rules in operational resilience will deliver “profound change”.

Lyndon Nelson, Deputy CEO & Executive Director, Regulatory Operations and Supervisory Risk Specialists at the Bank of England was speaking at the UK Finance Operational Resilience Webinar adding that the bank’s plans would be in line with international standards.

“I do believe that the publication of our operational resilience final policy paper on 29 March will provoke an equally profound change. If it does, we should congratulate ourselves that we made this change as part of a consultative policy making process and not in response to a crisis,” he said.

He acknowledged the BoE’s approach to operational risk policy has been quite different.

“Most significantly, it is principle and outcome based and also it is the first policy to have been created in coordination with the four main UK financial regulators in this space: The Financial Policy Committee (FPC), the Financial Conduct Authority (FCA), the Bank as the supervisor of Financial Market Infrastructure and the supervisory authority within the Bank, and the Prudential Regulation Authority (PRA),” explained Nelson. “We heard from, and agreed with, industry contacts that the explosion of operational resilience and cyber standards risked shifting the effort of firms towards regulatory compliance and away from risk management.

“Furthermore industry added to our to-do list with a request from more than one location for harmonised global standards not just of regulation but also supervision. At the moment I may park that under the heading of a stretch goal, but I do think when we look at the latest Basel operational resilience text, we are approaching a greater level of harmonisation than many thought was possible.”

He added the financial services regulators in the UK had the joint intention is to operate the same regime.

“There are not supposed to be any hidden nuances in this policy, nor there be any differences in implementation,” explained Nelson. “Work done for one regulator can and should be leveraged to meet the requirements of the other. Yes, we have had to use a different language, but only in order to fit in with the legal drafting norms of each regulator and to be sympathetic with the structure of their respective rulebooks.

“The one point of difference, of course, remains that the PRA and FCA have different objectives and firms should obviously focus on those different objectives. Disruptions that may impact safety and soundness or financial stability could be different from those that may cause customer harm. If firms have back-up systems that protect the objectives of PRA and FCA, then that’s great – but expect each regulator to ask firms to demonstrate this.”

He added the BoE acknowledged that there will be a number of challenges expected in the path ahead with the policy.

The first is impact tolerances and how these will play out between the different regulators,” said Nelson. “In truth it is too early to say because each regulator has yet to determine their final approach. The key for the PRA will be where the FPC and FCA decide to set their tolerances.

“For the FPC, it will raise the question to what extent PRA will need to interpolate the FPC’s tolerance so that the contribution PRA regulated firms make to that tolerance are consistent with the outcome the FPC is seeking. For example, if the FPC determines a tolerance on payments, it is reasonable that we will take an end-to-end approach. What is likely to follow is that the functions of the payment system itself would need to be restored first, before providing access to direct members and then to indirect members and customers.”

Another challenge is the shifting nature of business models. “The Covid-19 pandemic has been largely well handled by the financial sector,” he added. “It certainly has proved that a large number of business models can be resilient from the loss of premises and I know from the 4,000 branches of the Bank that suddenly appeared in March 2020 as our staff worked from home, that it is possible to be very effective.

“It certainly has not proved that the sector is immune to all shocks. Risks from the pandemic will follow a different cadence to other types of risk and particularly a cyber-risk. As we allow ourselves to think about a future living with the pandemic more under control, we can obviously think about the legacies good and bad from this terrible episode.”

Nelson added: “I am sure like us you are thinking how you change your ways of working for the new normal. For many this has meant an acceleration of some technological roll-outs. We have seen a substantial increase in firms informing us of plans to advance digitisation strategies.

“This is clearly understandable as customers have demanded more of these services from the financial sector. One real consequence of this change in pace is that plans to migrate functions to the Cloud that might have been stretched out over five years are now being spoken of in terms of a much shorter timeframe.”

Nelson concluded: “Operational resilience is a very different risk when compared to financial resilience. Not least because of the size of the regulatory and central bank toolbox to deal with problems.

“In financial resilience we have a developed tool kit that can be extensive. Clearly the existence of the toolkit is not the same as the willingness to deploy it – the risks of morale hazard are well known. This contrasts with operational resilience.

“There is no bail out option if your firm is unable to function because of an operational incident. There is no operator of last resort function in Threadneedle Street. So we must find other tools to use.

“First of all firms will seek to be self-reliant, but for many (perhaps all) there will, I hope, be an increasing realisation that investment in collective action is a better way forward for many of the challenges that they face.

“The work of authorities such as CMORG (Cross Market Operational Resilience Group), FSCCC (Finance Sector Cyber Collaboration Centre) and FS-ISAC (Financial Services Information Sharing and Analysis Centre) and other groups shows what can be done when the industry works together (often with the Authorities). As the co-chair of CMORG, I am perhaps a little biased, but I have been very pleased with the progress made and the work done so far.”