Operational resilience: Regulation Around the World

Operational resilience remains one of the top supervisory priorities for regulators around the world. From a global perspective the Basel Committee on Banking Supervision issued in March last year Principles for Operational Resilience and then followed up some months later with updated Principles on Outsourcing. In places such as Hong Kong regulators have been implementing these new and updated principles. 

Regulators have also become more aware of how firms in the financial services sector have become increasingly dependent on technology and how any disruption to this technology could have serious repercussions from an operational resilience perspective.  In Europe, the proposed Regulation on Digital Operational Resilience, otherwise known as DORA, is close to being finalised. In the United Kingdom, draft legislation has been published allowing the financial services regulators to create rules for critical third parties. Elsewhere, a number of jurisdictions have focused on cyber resilience. For instance in both the United States and Canada reforms have been proposed on cyber security risk management.

Key risks include:

• Global – In March 2021 the Basel Committee issued Principles for Operational Resilience and then followed up some months later with updated Principles on Outsourcing. Outside of the banking sector IOSCO has published this summer a final report on the operational resilience of trading venues and market intermediaries during the COVID-19 pandemic and lessons for future disruptions.
• UK – New rules and guidance on operational resilience came into force on March 31, 2022. Firms within scope of the new rules must perform mapping and testing by March 31, 2025. The PRA has, so far, given soft guidance in the form of speeches setting out where it expects firms to focus on as they work towards the 2025 deadline. Further reforms in this area are on the horizon with the UK financial services authorities issuing a Discussion Paper on critical third parties.
• United States – Operational resilience remains a priority for regulators as illustrated by the most recent Exam Priorities issued by the SEC Division of Examinations. On the banking side, efforts were made in October last year by U.S banking regulators to consolidate materials into a single paper, Sound Practices to Strengthen Operational Resilience. Noting the importance of cyber resilience to operational resilience the paper contained an annex on managing cyber risk and the SEC has taken this a step forward by issuing a comprehensive set of proposed reforms to improve cyber security risk management.
• Canada – OFSI is expected to consult on proposals revising its consolidated guidance for operational risk management for federally regulated financial institutions (FRFIs). OFSI has also issued a consultation on revisions to its guidelines on third party risk management and issued guidelines for how FRFIs should manage technology and cyber risks.
• European Union – From an EU perspective, in terms of operational resilience, the regulatory spotlight has focussed over the last year or so on outsourcing and information communication technology (ICT). Significant new EU legislation is on the horizon with the Regulation on Digital Operational Resilience, otherwise known as DORA. 
• Netherlands – The Dutch regulators are supportive of DORA. DNB has previously issued a paper reminding institutions that not only will cloud service providers be subject to EU rules under DORA but they will also be subject to national supervision under the Network and Information Security Directive which is currently being revised.
• France – Both the AMF and the ACPR are supportive of DORA with political agreement being reached during the French Presidency of the Council of the EU. They both have been looking at firms’ cyber resilience through a wave of SPOT inspections. 
• Germany – Germany supported the development of DORA during its Presidency of the Council of the EU. Current BaFin requirements, such as MaRisk and BAIT, already contain numerous elements of DORA. Due to the increased likelihood of a distributed denial-of-service and other cyber-attacks and the increasing digitalization of the financial markets, BaFin has announced for 2022 that it will increase its efforts to counter cyber risks and that it will conduct more dedicated IT audits at institutions and companies.
• Luxembourg – Luxembourg is also supportive of DORA and in June last year CSSF Director General Claude Marx acknowledged that financial services providers are becoming increasingly more dependent on the internet and information technology. In April 2022 the CSSF issued Circular 22/806 which consolidates in one place its supervisory requirements on outsourcing arrangements related to ICT.
• Italy - In Italy operational resilience requirements are aligned with EU regulatory provisions. More recently the Bank of Italy has focussed on cyber security and has adopted a series of supervisory actions to closely monitor the ability of supervised entities to promptly deal with cyber events and crisis.  
• Australia – ASIC has issued new market integrity rules intended to promote technological and operational resilience of securities and futures markets operators and participants. APRA has released a discussion paper on a new prudential standard designed to strengthen the management of operational risks in the banking, insurance and superannuation industries.
• Hong Kong – HKMA has issued a new Supervisory Policy Manual (SPM) module on operational resilience together with a revised version of the SPM module on business continuity planning. HKMA is expecting authorised firms to develop operational resilience frameworks and determine the timeline by which it will become operationally resilient by May 31, 2023.
• Singapore – MAS has recently issued an information paper regarding operational risk management and the management of outsourcing and third parties. MAS expects banks to benchmark their practices against the information paper. It also encourages non-bank financial institutions to adopt the good practices in the information paper where relevant.
• Shanghai - The recent focus of the CBIRC has been on the impact of digital transformation.
• United Arab Emirates (DIFC) – The DFSA is maintaining its strong supervisory focus on the operational resilience of firms and this includes its ongoing focus on cyber-security risk.
• South Africa - With the issue of Directive 2021/10 (D2021/10), the following principles, as set out by the Basel Committee, are applicable to the banking industry in South Africa i.e.: governance; operational risk management; business continuity planning and testing; mapping of interconnections and interdependencies of critical operations; third-party dependency management; incident management; and resilient information and communication technology, including cyber security. All banks must comply with the respective requirements specified in D10/2021 by June 2023.
  
   

Download full updater

Want to hear more about international developments concerning operational resilience?

Our Regulation Tomorrow blog tracks regulatory developments in a number of jurisdictions including the UK, US, Europe, Hong Kong and Australia. Supplementing the blog is our Regulation Tomorrow podcast where our financial services partners look at some of the latest developments in the world of risk and regulation.