By Guy Warren, CEO, ITRS Group
The pandemic has forced digital transformation to move at warp speed in order to allow businesses to keep up with rapidly changing norms and expectations. While most of us have enjoyed the fact that these essential service providers have finally met us in the 21st century, we may not have bargained for the increase in IT (information technology) meltdowns and cyberattacks that such a rapid shift has brought.
Rushed cloud migrations, automation of core processes, infrastructure upgrades and third-party outsourcing have all introduced new vulnerabilities to firms’ IT estates—vulnerabilities that may only be revealed when a system is under pressure, aka when it’s needed most.
Thankfully, in the United Kingdom, the wheels were already in motion for the introduction of new operational-resilience (OpRes) mandates pre-pandemic. The Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Bank of England (BoE) released their first joint discussion paper (DP) (“Discussion paper: Building the UK financial sector’s operational resilience”) on the topic in July 2018, followed by consultation papers on operational resilience (“Bank of England Consultation papers: Operational Resilience of FMIs”) in December of the following year. By March 2025 at the latest, firms will have to demonstrate that they are meeting the policy outcomes laid out, including remaining within the impact tolerances, or service-level agreements (SLAs), they were required to set earlier this year.
Similarly, in Europe, the European Commission’s (EC’s) Digital Operational Resilience Act (DORA) is on the horizon. Once the guidelines are officially passed into law—likely before year-end—financial institutions will have two years to comply.
Across the pond, however, US regulators appear to be moving more slowly. This is despite US financial-services firms facing a similar if not greater existential threat from the risks posed by operational overwhelm, with a survey by ITRS Group [1] earlier this year revealing that they are the most likely to experience more than two days of unplanned downtime per year compared with their European and APAC (Asia-Pacific) counterparts.
However, while the Federal Reserve (the Fed) may lag in operational resilience, US firms cannot afford to twiddle their thumbs, whilst UK- and Europe-based banks can’t assume that they can operate without fear stateside. Here’s why.
- Global banking means global exposure
With the current lack of specific operational-resilience requirements in the country, US firms may think it’s up to them if and how they decide to address operational risk—and in a country of exceptionalism, there’s a prevailing “It won’t happen to me” mindset. As a result, they might be willing to take the gamble—to wear the reputational and financial costs of downtime if and when their IT fails.
Yet, many aren’t aware that they’re not quite as in the clear when it comes to operational-resilience regulations as they may think. Given the global nature of banking, the majority of firms have some level of exposure to foreign jurisdictions, including the UK and the European Union (EU). In short, a bank might be running its operations to the letter of US law, then unexpectedly get stung by a foreign regulator.
For this reason, UK firms also need to be extra diligent when operating on the same systems as their friends stateside, recognising that their US counterparts likely won’t be as up-to-date on the latest operational-resilience requirements. In an evolving regulatory environment, personal responsibility is front and centre. There’s no longer any wiggle room to blame others.
- OpRes regulations are coming for everyone—it’s just a matter of time
Foreign exposure aside, every US financial-services firm will have to face the music regarding operational resilience sooner or later. It’s no longer a question of if but when new mandates arrive on their shores, particularly following the Fed’s own four-hour outage [2] last year, which left systems that execute millions of transactions a day down and out.
And if the new requirements on their way are anything like the UK’s, they may have the scope to hold firms and individuals retrospectively accountable for their actions—meaning no one is safe, and waiting is not an option.
They are also likely to include similar obligations around SLAs—that is, mandating that businesses declare the levels of uptime to which they are prepared to commit and then stick to them. This is another consideration about which firms should start thinking today, as it will require significant historical data to calculate accurately and to feed into predictive analysis.
US firms have the unique advantage of being able to watch and learn from the UK and EU rollouts. They should be leveraging this to understand what to expect and what best practice does and doesn’t look like.
Whilst UK- and EU-based institutions are ahead, and regulations in the United States will likely be similar, we can’t assume they will be a perfect match—taking a one-size-fits-all approach to meeting operational-resilience regulations globally will result in shortfalls somewhere. As such, institutions must be aware of where the rules diverge and how they should tailor their operations accordingly.
- Benefits go well beyond compliance
With the financial-services sector facing extreme pressure to improve margins, any regulations that do come in to compel firms to spend more on strengthening their operational resilience will most likely be complied with at minimum cost.
This is a classic dilemma: the danger of something becoming a regulatory question and then overshadowing all the very real reasons that firms should want to get things in order, regulations or not.
There are enormous benefits to be gleaned from improved operational resilience—well beyond box-ticking compliance. While it will require a certain level of initial investment, gaining the capacity for comprehensive oversight over the health of all IT systems will pay back in dividends over time through improved efficiencies and minimised downtime.
It has been widely reported [3] that the majority of firms are unknowingly wasting approximately 35 percent of their cloud spending at any one time thanks to a lack of oversight over their increasingly complex cloud estates. This equates to $80 billion of total global cloud spending going down the drain every year. Improved IT monitoring will mean firms can pinpoint all the places where they are wasting money.
What does best practice look like?
What has become most clear in the last five years of discussion surrounding operational risk and resilience is the desperate need to break down communication barriers between business roles, functions, teams, jurisdictions, partners and vendors. The silver lining is that firms that are able to solve this will also reap significant rewards in terms of efficiency and cost savings.
Of course, no one is pretending it’ll be quick or necessarily easy. In an incredibly competitive, fast-paced market, US firms—even more so than their Europe- and UK-based counterparts—have been particularly big fans of the “grow as you go” approach to digital transformation in recent years, meaning there is a lot of quickly built, inflexible IT architecture out there.
But what customers want today isn’t new features and applications so much as minimal friction. They need to be able to transfer and receive funds, check balances and apply for loans at the click of a button.
The essential first steps firms can take today are to begin mapping their levels of operational risk in their ICT (information and communications technology) systems and critical vendors, determining whether their current recovery strategies align with the standards evolving in the UK and EU, and putting plans in place to improve them where needed.
For some institutions, particularly smaller ones or those on tighter budgets, the solution may lie in core banking systems and consolidated platform vendors, which can provide and manage channel integration and comprehensive monitoring across the IT estate. This is a low-touch, cost-effective way to ensure problems are identified and mitigated before they occur, while those that do slip through are quickly picked up and resolved.
Regulators can and should help the process along by producing clear guidelines and standardising the information they demand from the financial-services sector. But at the end of the day, firms cannot depend on regulatory guidance to force them into meeting good operational standards; banks themselves, regardless of their global footprints, need to take responsibility when it comes to maintaining safe and secure operating systems—not just for their customers but their own safety, too.
References
[1] ITRS Group: “Financial institutions forgo critical IT spend: A global survey on operational resilience”.
[2] Bloomberg: “Fed Outage Raises Questions on Wall Street as Services Restored,” Matthew Boesler and Jennifer Surane, February 24, 2021.
[3] ITRS Group: “ITRS Group to save firms 35% on cloud spend with new solution,” June 9, 2020.