Stephen Jones, CEO, UK Finance
Since the global financial crisis regulators around the world have been focused on improving the financial resilience of banks. As a result, banks now hold on average about three times as much capital as they did before, along with more liquidity and they have also issued bail-in able bonds. These measures have substantially reduced the chances of an individual bank failure threatening the stability of the wider financial system. UK Finance very much supports this focus on improving the robustness of banks and the acknowledgment that no bank should be too big to fail.
Thursday’s joint discussion paper from the FCA, PRA and Bank of England marks a shift in attention from financial to operational resilience. In the face of rapid technological change, continuing cyber-attacks, greater use of outsourcing, including to the Cloud, and unplanned system outages, individual banks must be ready to respond rapidly to emerging operational events so that idiosyncratic issues do not escalate to become systemic problems, harming other market participants and their customers.
The starting point of this discussion paper is that an operational failure is inevitable. However hard banks try to repel cyber-invaders they should be prepared for the possibility of penetration and think forensically about how their systems would be affected, how long an outage could last before contaminating critical business services and how quickly those services could be restored. Central to this approach to operational resilience is the concept of impact tolerance to disruption, with the impact tolerance appetite calibrated by the maximum tolerable period of disruption, number of customers affected or the volume of disruption.
In the same way that banks’ financial resilience is subject to economic stress tests, we should expect that supervisors will also stress test individual banks’ operational resilience. Where they disagree with the bank’s own assessment, the supervisor may set alternative impact tolerances for the bank to meet in the future.
In my view, an important element of ensuring comprehensive operational resilience is the collective deployment of efforts to strengthen the resilience of our financial system. I am pleased to be co-chairing with Lyndon Nelson of the Bank of England’s Cross Market Operational Resilience Group (CMORG). CMORG’s job is to promote work that strengthens the resilience of the financial sector and its ability to respond to operational incidents. It does this in part by ensuring there is altruistic and rapid sharing of information as an event develops and then, after the fact, disseminating the learnings more widely.
UK Finance, as the trade association for banking and finance, is well placed to drive forward the collective action that ensures our industry takes advantage of the opportunities that new technologies create, while also being fully prepared to respond to the challenges and threats that they will inevitably bring.