Operational Resilience in Finance: The U.S. Experience and Outlook

The U.S. Regulatory Approach

In contrast to the EU, UK, and APAC, the development of an operational resilience (OR) regime and standards in the U.S. is less prescriptive. To date, U.S. efforts at OR have taken the form of advisories and interagency coordination rather than rules and regulations. They have come specifically from the Cybersecurity & Infrastructure Security Agency (CISA), the Federal Financial Institutions Examination Council (FFIEC), and the White House's National Cybersecurity Strategy (NCS).

CISA is an agency within the Department of Homeland Security and operates with responsibilities encompassing risk assessment, reduction of vulnerability, detection of threats, response to incidents, and coordination of recovery efforts with state and local government, other federal agencies, and the private sector. CISA’s emphasis is on voluntary collaboration among all “critical infrastructures” within the U.S.
FFIEC has a far wider and even more general mandate than CISA. FFIEC is an interagency body made up of the heads of the five federal banking agencies: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau.
Generally, its function is coordination and advisory, not regulation in the strict sense.
The NCS from the White House came out in the spring of 2023. Its sweeping mandate goes beyond financial markets to encompass sectors such as energy infrastructure and healthcare systems.
Similar to almost all initiatives within the U.S., the NCS is more dependent on coordination than regulation, and as a Government Accountability Office (GAO) report noted, in order to implement the strategy, the Administration must define specific goals and performance measures, resource needs, and roles and responsibilities.¹
Financial services companies that conduct business exclusively within the U.S. are usually not subject to strict OR principles or regulations, but that is probably not the end of the story. To start with, most financial institutions have some, or even major, operations outside the U.S., subjecting them to the stricter rules found elsewhere. Past precedent also indicates that regulation of OR will become increasingly standardized and uniform over time. While the U.S. regime is comparatively liberal now, that cannot be expected to endure. In fact, according to a recent statement by the Acting Comptroller of the Currency, the federal banking agencies are considering revisions to the U.S. operational resilience model to capture the reality that “the sheer magnitude of what can be disrupted has increased significantly—a trend likely to continue for the foreseeable future.”²

Finally, the international regulatory push to enhance operational and cyber resilience supervision is reacting to very real concerns, trends, and threats. Plainly, it is prudent to stay ahead of OR issues and policies at your organization instead of waiting until they become a problem.

Common Threads

Around the world and in the United States, regulators are aiming to make sure financial services firms substantially beef up the time and effort they devote to operational resilience. With an eye on all of these efforts collectively, several themes recur:

Transition from prevention to response: Traditionally, cybersecurity guidelines have focused on prevention as the primary action to undertake. Today, with the transition to a focus on resilience, and the realization that it is impossible to prevent all disruptive occurrences, the emphasis is on developing plans to respond to unexpected but plausible events. In the coming years, OR plans will be more dynamic and inclusive, calling for more agile action, collective attention, and dedicated resources.

Board or management involvement: In almost every instance, regulators are opining on the levels of responsibility and involvement that management must bear in relation to OR. The prescriptions and penalties at this stage are vaguely outlined, but they are likely to become more clearly defined with the passing of time. The management mandate can also be a source of civil suits in the event of an incident, so there is more legal risk for companies and their managers.

Third-party inclusion: Legacy security models stopped at the “four walls” of the enterprise, but new regimes extend the focus to the entire ecosystem, including third-party service providers. In part, this is an acknowledgement of the sector’s reliance on hyperscalers such as AWS and Azure, but it extends to software vendors and other service providers with disproportionate presence and impact. For instance, in March 2024, the Federal Reserve Board issued revised risk management standards for systemically important financial market utilities (FMUs) that offer key clearing, payment, and other fundamental services. The revisions center on four operational risk management areas: incident management and notification; business continuity management and planning; third-party risk management; and review and testing of operational risk management controls.³

Audit and reporting: Although U.S. OR regulatory programs presently lack “teeth” (fines and penalties for non-compliance), they do entail certain requirements for auditing and reporting on planning and incidents. Over time, “teeth” are likely to develop and change; at present, non-compliance with requirements or non-adherence to recommended best practices can result in exposure in civil lawsuits or other legal proceedings, as well as potential reputational harm.

Training: Another requirement of most OR regulation is that training be comprehensive and continuous. Given the technical sophistication of the contemporary enterprise, such training will probably be complex and somewhat costly.

United Kingdom
In the United Kingdom, the Bank of England (BoE), the Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA) issued the final policy on operational resilience, FCA policy statement (PS21/3) and PRA policy statement (PS6/21) in 2021.

Organizations need to implement the measures and processes necessary to comply with the new regulations by 31 March 2025. Policy Statements 21/3 and 6/21, Building Operational Resilience and Operational Resilience: Impact tolerances for key business services respectively, mandate that organizations:

Identify key business services
Establish impact tolerances for each key business service
Map and test to remain within impact tolerances for each key business service
Align dependencies and resources with key business services
Conduct scenario testing
Establish governance
Self-test to validate the capacity to provide key business services
PS21/3 applies to banks, building societies, insurers, PRA-designated investment firms, Recognised Investment Exchanges (RIEs), entities in the extended scope of the Senior Managers and Certification Regime (SMCR), and entities authorised and registered under the Electronic Money Regulations 2011 or Payment Services Regulations 2017.
PS6/21 applies to UK banks, building societies, and PRA-designated investment firms; and to UK Solvency II firms, the Society of Lloyd’s and its managing agents.

The supervisory authorities are also developing new requirements to help ensure the operational resilience of UK financial services firms that rely on critical third parties (CTPs).

In August 2021, the Federal Reserve, the central bank of the United States, published a paper intended to assist community banks in evaluating threats when considering relationships with financial technology (fintech) firms.

This paper followed the European Central Bank’s and the UK Prudential Regulation Authority’s publication of operational resilience regulations in early 2021. The Federal Reserve recognized the interconnected, global nature of banking and the value of supervisory coordination among banking authorities.

The financial services landscape is transforming the way services and products are delivered to consumers. Community banks are considering growth opportunities through arrangements with fintech firms.

However, as with any other third-party relationship, arrangements with fintech firms involve risks as well. An evaluation of the advantages and risks of these relationships is an essential part of a community bank’s due diligence.

What is Due Diligence?

Due diligence is a critical component of a successful third-party risk management process, as highlighted in the individual guidance of the federal banking agencies.

While performing due diligence, a community bank gathers and reviews information to determine whether a third-party partnership would further its strategic and financial objectives and whether the partnership can be implemented in a safe and sound manner, consistent with relevant legal and regulatory standards.

The extent and depth of due diligence undertaken by a community bank will be a function of the risk posed to the bank by the nature and importance of the proposed activity. Banks may also choose to supplement or enhance their due diligence work with other resources as they see fit, for example by using diligence utilities or institutions specializing in third-party monitoring.

The guide addresses six important areas of due diligence that community banks may take into account when considering arrangements with fintech firms: business experience and qualifications; financial condition; legal and regulatory compliance; risk management and control processes; information security; and operational resilience. The objective of this write-up is to examine the sixth area, operational resilience, in depth.
