Operational Resilience in the Financial Sector

Written by Sam Williamson and Vivian Valbuena

In the wake of a global epidemic, climate-related emergencies, and spiking cyber and fraud attacks, regulators and banks worldwide are focusing on how to maintain essential customer and business services throughout severe disruptions. Concurrently, business reliance on third parties is greater than ever before, given their potentially significant strategic and cost benefits. This article considers some of the key regulatory mandates and guidance relating to third- and fourth-party risk and their impact on operational resilience.

USA

The United States was one of the first to review its inter-agency guidance [1] on third-party relationships in 2021. The guidance highlighted the many benefits of using third parties, such as access to new technologies, human capital, delivery channels, products, services, and markets. It also highlighted that banks have less direct control over their outsourced functions and activities, which could lead to financial loss and operational disruption unless the banks appropriately manage the risks associated with third and fourth parties.

UK

In the United Kingdom, an increased focus on operational resilience has gone hand in hand with a heightened prudential emphasis on consumer outcomes. [2] Good risk governance processes are key to ensuring quality consumer outcomes, as the ability to assess, prevent, or correct potential system and process failures – including outsourced functions – can help firms avoid negative impacts.

Australia and New Zealand

Meanwhile, in Australia and New Zealand, regulators are also strengthening operational resilience regulations and guidance. Most notably, in July 2023, Australia introduced the CPS 230 Prudential Standard on Operational Risk Management, highlighting the need for banks and financial service providers to identify their critical processes and material third and fourth parties. The mandate also includes updating contracts to ensure businesses can obtain the information and data necessary to manage third- and fourth-party risk appropriately. [3] APRA’s CPS 230 was written to align with CPS 234 Information Security. Together, they comprise a comprehensive approach to operational resilience.

In New Zealand, the RBNZ published BS11: The Outsourcing Policy for Banks in 2017 (pre-COVID). As the country’s four largest banks are subsidiaries of an Australian parent, [4] the aim was to ensure that NZ banks have the legal and practical ability to control and execute their outsourced functions, thereby mitigating negative impacts on the economy should a NZ bank separate from its parent, or should a large service provider fail. Capital adequacy requirements were updated in 2022.

Most recently, New Zealand’s FMA released a Standard Condition on Business Continuity and Technology Systems (“Standard Condition”) for consultation in July 2023, with the view that certain licensees in the financial services sector must meet minimum business continuity and technology standards, owing to heightened technology risks. The new obligations commence 1 July 2024.

Like CPS 230, the Standard Condition emphasises that an entity must be able to continuously provide essential services to consumers. Like APRA, the FMA requires notification within 72 hours if an operational risk event materially impacts the operational resilience of a critical technology system. [5] However, CPS 230 imposes a tighter 24-hour notification requirement when an entity has suffered a disruption to a critical operation.

Australia and New Zealand: CPS 230, BS11 and BCPs

While the regulatory requirements of Australia’s CPS 230 may not apply directly in New Zealand, it seems likely that the Australian parents of New Zealand’s four major banks will implement group policies to facilitate Australia’s compliance with CPS 230 as well as reporting and consistency of risk systems and practices.

Therefore, the operational flow-through impacts on their NZ subsidiaries may be significant. These changes closely follow the completion of a complex and costly evaluation of New Zealand banks’ compliance with BS11, only achieved in December 2023. [6] Moreover, if the subsidiary is designated as a Material Service Provider (MSP) to the parent, or vice versa, additional requirements will need to be met. All of this could result in a “CPS 230 light” being applied by default by the major banks in New Zealand, irrespective of what the domestic regulations require.

Australia CPS 230

In Australia, banks, foreign and domestic deposit takers, general insurers, superannuation providers and life insurers are in scope for CPS 230 and CPS 234. The objectives are manifold. First, they look to ensure that risk management processes are adequate end to end, so that customers’ critical services are maintained throughout a severe disruption. They also prohibit material reliance on third- and fourth-party providers unless the entities can demonstrate that they are managing the associated risks effectively. CPS 230 splits operational risk management into four principal areas:

  1. effective management of operational risks;
  2. maintenance of critical operations;
  3. risk management of material service providers [7]; and
  4. corporate accountability.

Per CPS 230, operational risk management includes legal, regulatory, compliance, conduct, technology, data, and change risk. Key risk practices must include, but are not limited to, the following:

  • Business and strategic planning: The impact of potential decisions on the company’s operational risk profile and operational resilience must be assessed and considered during the planning stage (e.g. new products, services, geographies, technologies etc.);
  • Internal controls: Sufficiently robust controls that are designed, implemented, embedded and monitored to ensure control objectives are met and risks are managed within risk appetite;
  • Incidents / near misses: When an incident (or near miss) occurs that is likely to have a material impact [8], it must be identified, escalated, recorded and addressed in a timely manner; and
  • Process mapping: The operational risk management framework is updated regularly, including end-to-end mapping of all critical processes, both internal and those of material service providers.

APRA requires that the relevant firms maintain registers of critical operations and, through effective risk management practices, aim to minimise the likelihood and impact of disruptions. Consistent with the UK’s consumer duty principle, APRA defines critical operations as processes conducted by the firm or its service provider that, if disrupted beyond tolerance levels (note the distinction between tolerance and appetite), “would have a material adverse impact on its depositors, policyholders, beneficiaries or other customers, or its role in the financial system.” There must be a clear methodology for how operations are defined as critical. The consumer focus is apparent here, as APRA clearly expects the methodology to consider operations that have both direct and indirect adverse consequences for customers.

At a minimum, Business Continuity Plans (BCPs) must include triggers to identify a disruption, mechanisms for prompt activation of the BCP, actions to maintain the critical operations within accepted risk tolerance levels throughout the disruption, and an assessment of the execution risks of the BCP. APRA must be notified within 24 hours of a disruption to a critical operation. [9]

Like the FMA’s Standard Condition, CPS 230 mandates that entities must maintain adequate current and future IT capability to support critical operations and risk management. This also aligns with APRA’s CPS 234 Information Security.

A common global theme throughout recent operational resilience planning is third- and fourth-party risk. A section of CPS 230 is devoted to this, with APRA requiring entities to identify all of their MSPs, including material fourth parties, and to keep the register current. APRA identifies MSPs as those providers or services on which the firm relies to execute a critical operation, or that potentially expose the firm to material operational risk.

To determine MSP status, the firm must consider the totality of services provided, the nature of the services provided, whether the service exposes the entity to material operational risk (including cyber), and whether the service involves sensitive or critical information assets. Some service providers are already designated as MSPs by APRA, unless the entity can justify otherwise. [10]

To support firms in managing MSP-related risks, APRA imposes specific requirements on the procurement process. For example:

  • Before entering into, or materially modifying, an arrangement with an MSP, an entity must undertake appropriate due diligence, including assessing whether the service can be provided on an ongoing basis and assessing the financial and non-financial risks of relying on the MSP.
  • The contract between a regulated entity and an MSP must include certain prescribed terms (e.g. allowing APRA access to documents, data, and any other information, including via on-site visits).
  • For each MSP arrangement, an entity must identify and manage risks that could arise from the arrangement, including risks that could affect the ability of the MSP to provide the service on an ongoing basis, or risks to the entity that could result from the arrangement.

APRA expects firms to take reasonable steps to ensure the MSP’s standards are equivalent to those applied by the firm internally. This includes process mapping and risk practices such as onsite visits and control monitoring. APRA also expects firms to report on the MSP’s performance and the effectiveness of its risk management to senior management on an ongoing basis, including any material risks associated with the relevant fourth-party service providers.

From an ownership perspective, ultimate accountability for oversight of operational risk management sits with the firm’s Board, including approvals of the BCP and tolerance levels for disruptions to critical operations.

APRA considers senior management as responsible for operational risk management across the entity’s end-to-end processes and responsible for clear and comprehensive reporting to the Board on the expected impacts on the critical operations when the Board is making decisions that could affect the resilience of critical operations.

New Zealand BS11

The RBNZ’s BS11 Outsourcing Policy and APRA’s CPS 230 overlap significantly; however, there are some key differences.

As mentioned above, while the BS11 Outsourcing Policy was issued in 2017, the four major New Zealand banks only achieved compliance in December 2023. Given the step change towards more consumer-focused regulation of operational resilience in Australia, the US and the UK, and the likely adoption of a CPS 230-light approach by the four major banks in New Zealand, it will be interesting to see whether the RBNZ considers a different approach when it reviews its banking standards during the implementation of the Deposit Takers Act. [14]

FMA Standard Condition – BCPs

In April 2024, the FMA approved adding a condition to the licences of providers of certain financial products. [15] This reflects a similar condition that is already in place for providers of a financial advice service, and an identical condition that will apply to financial institutions licensed under the Financial Markets Conduct Act 2013. There are three main elements to the FMA’s Standard Condition, which are explained below and compared with APRA’s CPS 230.

The Standard Condition also shares some features with APRA’s CPS 234, which deals with information security; however, the FMA’s definition of critical technology appears broader than the remit of CPS 234, placing it somewhere between the realms of the two APRA standards.

The Standard Condition also requires maintaining the confidentiality, integrity and availability of the information and/or technology of the systems. ‘Maintenance’ is defined as:

  1. regularly identifying and reviewing operational risks (including cyber risk and threats);
  2. implementing measures that maintain the level of operational resilience necessary for the entity’s risk profile;
  3. having effective processes that monitor and detect activity that impacts operational resilience; and
  4. setting out in the BCP the entity’s procedures for responding to, and recovering from, events that impact on operational resilience.

CPS 234 Information Security aims for companies to take measures to be resilient against information security incidents, including cyber attacks. It looks to mitigate risks to the confidentiality, integrity or availability of information assets, including information assets managed by related or third parties. CPS 234 mandates maintaining an information security capability commensurate with the size and extent of threats to the entity’s information assets, one that enables the continued sound operation of the business.

Conclusion

In today’s macro environment of accelerating change, operational resilience, and how to maintain essential customer and business services throughout severe disruptions, is clearly a top 10 risk concern globally. New Zealand organisations and their customers would benefit from proactively ensuring a fit-for-purpose, best practice approach, drawing on data points from both international and domestic reporting and requirements.

Please contact us if you would like to discuss how SHIFT might be able to assist you in considering how these requirements impact your business.


1. https://www.federalregister.gov/documents/2023/06/09/2023-12340/interagency-guidance-on-third-party-relationships-risk-management

2. https://www.fca.org.uk/publications/good-and-poor-practice/consumer-duty-implementation-good-practice-and-areas-improvement

3. Where an entity has pre-existing contractual arrangements in place with a service provider, the requirements in this CPS 230 will apply in relation to those arrangements from the earlier of the next renewal date of the contract with the service provider or 1 July 2026.

4. https://www.rbnz.govt.nz/regulation-and-supervision/cross-sector-oversight/our-relationship-with-other-financial-regulators/trans-tasman-council-on-banking-supervision/development-of-a-framework-for-closer-integration-of-trans-tasman-banking-regulation

5. FMA: Financial advice providers (FAPs) have a longer 10-working-day notification period under the standard condition for FAPs. This reflects the reliance on technology by financial institutions and providers of financial products and the likelihood of harm to consumers and investors when disruptions occur. It also reflects the significance of technology in maintaining sound and efficient financial markets.

6. https://www.rbnz.govt.nz/hub/news/2023/12/major-banks-compliant-with-rbnz-outsourcing-policy

7. Where an entity has pre-existing contractual arrangements in place with a service provider, the requirements in this CPS 230 will apply in relation to those arrangements from the earlier of the next renewal date of the contract with the service provider or 1 July 2026.

8. Defined in CPS 230 as either a material financial impact or a material impact on the ability of the entity to maintain its critical operations.

9. The notification must cover the nature of the disruption, the action taken, the likely impact on business operations, and the timeframe for returning to normal operations.

10. For a deposit taker these include: credit assessment, funding and liquidity management and mortgage brokerage service providers; for an insurer these include underwriting, claims management, insurance brokerage and reinsurance service providers; and for all entities these include risk management, core technology services and internal audit service providers.

11. A related party includes a range of entities that have some form of control or qualifying interest in or over the bank.

12. The objectives of BS11 are to ensure that an outsourcing arrangement entered into by a bank does not compromise that bank’s ability to be effectively administered under statutory management; and operated for the purposes of continuing to provide and circulate liquidity to the financial system and the wider economy; and facilitate the carrying on of basic banking services by any new owner of all or part of the bank; and address the impact that the failure of a service or function provider may have on the bank’s ability to carry on all or part of the business of the bank.

13. https://www.rbnz.govt.nz/-/media/project/sites/rbnz/files/consultations/banks/outsourcing-policy-for-registered-banks/exempt-list-for-the-purposes-of-bs11.pdf

14. Consultation on the Outsourcing Policy is indicated for 2024 as part of the non-core standard review (https://www.rbnz.govt.nz/regulation-and-supervision/depositor-compensation-scheme/regulatory-environment-under-the-dta).

15. Managers of registered schemes (but not restricted schemes); providers of discretionary investment management services, derivatives issuers, and prescribed intermediary services (peer-to-peer lending providers and crowdfunding service providers).

16. https://www.fma.govt.nz/assets/Consultations/Consultation-paper-Proposed-standard-condition-on-business-continuity-and-technology-systems.pdf

17. BCPs are necessarily broader than technology systems and are already required as part of the FMA’s licensing process, where they form part of the minimum licensing standard related to IT systems and business continuity.