Elisabeth Stheeman of the Financial Policy Committee outlined the new frameworks for building operational resilience against cyber risks and protection of payment chains.
On 9 September 2020, Elisabeth Stheeman, an External Member of the Financial Policy Committee (FPC) of the Bank of England (BoE), delivered a speech entitled “The Financial ‘Plumbing’ Committee: from Plumbing to Policy”, outlining the changes that financial services firms can expect in two priority areas, cyber and payments, in order to build the operational resilience of the financial system.
Payments firms, and technical service providers to the payments industry, whose activities could pose a risk to financial stability should expect increased scrutiny of their existing models, increased regulatory reporting, and requests from regulators for greater access to their data.
As the 2008 financial crisis showed, the financial system’s “plumbing”, i.e. the infrastructure that provides vital financial services, is “largely invisible to us until it no longer works”. Following the 2008 crisis, the FPC was established with a mandate to oversee the stability of the financial system. That mandate includes ensuring that, even in hard times, UK households and businesses retain confidence in the plumbing that enables transactions to be completed, such as payment, settlement and clearing providers.
Building Operational Resilience
Ms. Stheeman defined operational resilience as “the ability of firms and the system as a whole to prevent, respond to, recover and learn from operational disruptions” in order to protect the wider financial sector and the UK economy. She emphasised that, in a modern digital economy, “it is critical to think about how firms are interconnected, and where there may be dependencies between firms” in order to build operational resilience across the whole financial system: a firm’s own resilience is only as good as that of the third parties and infrastructures its services depend on.
Furthermore, when core firms and financial market infrastructures plan measures to bolster operational resilience, they need to consider both prevention and cure: “Firms should start from the premise that an operational incident will occur and cause disruption to vital services. It is not a question of if, but when. Regulatory authorities expect that firms should have robust and reliable arrangements in place to deal with this inevitable disruption”.
In striving to build greater operational resilience for the whole financial system, the FPC identified cyber and payments as its two priority areas.
The BoE has consistently named cyber risk as one of the top threats to the financial system, and Ms. Stheeman highlighted estimates that cybercrime may have cost up to US$600 billion globally in 2017 alone. The threats range from attacks intended to cause short-term service disruption to more insidious methods aimed at remaining undetected while corrupting data over time, which are harder to detect and harder to recover from, because backups taken during the period of compromise may themselves be unreliable. Whatever their form, such attacks can undermine public trust and confidence in the financial system.
On the prevention side, the FPC has recommended that core firms and financial market infrastructures use the CBEST framework, the BoE’s threat intelligence-led penetration testing regime; on the cure side, these firms must also adopt cyber resilience action plans. According to Ms. Stheeman, the FPC’s primary concern is “that incidents involving individual firms could escalate if they led to a broader shock to confidence among customers, or through interconnections in the financial system”. To address this concern, the FPC has set out the following framework for building operational resilience, augmenting its prevention and cure recommendations:
- The FPC requires clear baseline expectations for firms’ resilience, which should reflect the firms’ importance and the services they provide for the financial system.
- Firms should engage in regular testing to ensure that resilience keeps pace with the evolving nature of the risk.
- Regulators should identify firms that might be important for financial stability, but are not yet subject to relevant regulation.
- Firms should have clear and tested arrangements to respond to cyber incidents when they occur.
The FPC then intends to set expectations, which it calls “impact tolerances”, for the maximum disruption to vital financial services that critical financial companies may suffer following a cyber incident, including how quickly those services must be restored. Companies should expect to undertake regular stress testing to measure their ability to remain within these impact tolerances.
As discussed in an earlier blog post, there have been major innovations in the world of payments in recent years, and as society continues on an increasingly cashless trajectory, consumers have become more dependent on the integrity of payments technology. As Ms. Stheeman recognised, “if payments technology fails, even for just several hours, there are consequences for the real economy: wages, pensions and benefits, may not arrive on time, customers can’t pay for goods and services, business and household payments fail”.
Payment innovations have meant that activities previously within the remit of commercial banks, core payment systems and central banks are now being handled by new entrants, including small businesses and fintech start-ups as well as large technology companies. The FPC has identified two risks brought about by these changes:
- Systemically important activities are increasingly performed by non-banks; and
- The payments chain is becoming more complex, which makes it difficult for any single regulator to assess risks holistically across the entire payments system.
As a result, the FPC has said that the current regulatory framework will need to adjust to accommodate payments innovation, and it has developed three principles for payments regulation and supervision that firms should expect to see applied (the FPC has communicated these to HM Treasury for incorporation in the Treasury’s ongoing payments landscape review):
- Regulation should reflect the financial stability risk, rather than the legal form, of payments activities.
- Payments regulation should ensure end-to-end operational and financial resilience across payment chains that are critical for the smooth functioning of the economy.
- Sufficient information must be available to monitor payment activities so that emerging risks to financial stability can be identified and addressed appropriately.
Ms. Stheeman considered that “clear, transparent regulatory expectations such as these will ensure that innovation can progress safely, avoiding serious interruptions in payment and settlement services”.
Operational Resilience Open Consultation
The FPC’s plans for operational resilience are consistent with, and build on, the coordinated efforts of the BoE, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) in this area.
Ms. Stheeman noted that these authorities have “made strides” in setting out an approach to operational resilience in two papers published in 2018 and 2019. As a reminder, these papers set out proposals for improving operational resilience in order to protect the wider financial sector and the UK economy.
The authorities have published a shared policy summary and have proposed that firms:
- Identify their important business services, i.e. those that, if disrupted, could cause harm to their consumers (retail and wholesale) or to market integrity.
- Set impact tolerances for each important business service (i.e. thresholds for the maximum tolerable disruption, to help achieve consumer protection and market integrity).
- Identify and document the people, processes, technology, facilities and information that support their important business services (mapping).
- Test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios.
- Conduct lessons-learnt exercises to identify, prioritise and invest in their ability to respond to and recover from disruptions as effectively as possible.
- Develop internal and external communications plans for use when important business services are disrupted.
The shared policy anticipates that — in relation to cyber incidents — firms and financial market infrastructures (FMIs) will need to take into account any tolerances set by the FPC when setting their own impact tolerances.
This consultation affects banks, building societies, PRA-designated investment firms, Solvency II firms, Recognised Investment Exchanges, FCA enhanced-scope SM&CR firms, and entities authorised or registered under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. The policy does not apply to EEA firms.
The consultation closes on 1 October 2020, and it is planned that firms will need to meet the requirements by the end of 2021.
Ms. Stheeman concluded by reiterating that “the FPC — and through us the firms that provide these vital financial services — will never take operational resilience and financial stability for granted”. Accordingly, the FPC’s work plan aims to keep the plumbing serviceable, and will ultimately require firms to create suitable contingency plans, or update existing ones, so that their sections of the infrastructure are sufficiently robust.