By Guy Warren, CEO of ITRS Group
Much like The Beatles – and regulations like MiFID and GDPR – operational resilience has gained somewhat of a stronghold in the UK, but it’s about to hit the US big time. With whispers that the Federal Reserve Board (the Fed) is set to bring in similar regulations to those introduced by the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England (BoE) earlier this year.
While many financial institutions in the US have made strides to improve their resilience to market volume spikes, IT failures, incidents like cyberattack, or degraded performance over the last 18 months in response to the huge COVID-induced digital transformation of the sector, most still have a long way to go to become truly operationally resilient.
This is no truer than in the case of the Fed itself, whose four-hour outage in February this year left systems that execute millions of transactions a day down and out. Was it a cyberattack? A rogue employee? In fact, the root cause was far more mundane. The Fed’s systems, which encompass everything from payroll to tax refunds to interbank transfers, had been taken down by a basic maintenance process that had been unintentionally triggered during business hours.
This outage, plus many others of its kind that have taken down everything from exchanges and asset managers, to retail trading platforms and banks, has set the clock ticking for the introduction of formalized operational resilience legislation.
If the UK rules, set to come into effect from March last year, are to be used as a blueprint by the Fed, US financial services firms would do well to get acquainted.
Broadly, the legislation looks at mandating greater business accountability for the impact of outages and cyberattacks on the financial services sector.
A key part of holding the C-suite accountable is the introduction of the Senior Management Function 24 (SMF24), which will enforce greater accountability of senior management for operational failures, including the appointment of a mandatory operational resilience officer.
US financial services players that want to get on the front foot of SMF24-style regulation should look to designate a senior leader to focus solely on operational resilience so that the c-suite’s slate is clean by the time they come under scrutiny. The fact that SMF24 in the UK will backdate past discretions makes this all the more important to do sooner rather than later.
Another requirement that is likely on the cards in the coming year is the mandate that businesses declare the level of uptime they are prepared to commit to, and stick to it. This is another thing that firms should start thinking about today as it will require significant historic data to accurately calculate and feed into predictive analysis.
Already, financial executives are gripping their wallets more tightly, with 80% predicting their institution’s expenses will increase in 2022, largely due to the anticipated need for stronger operational resilience systems.
But operational resilience isn’t about spending more money; it’s about spending money more smartly.
As companies further enhance their digital services, and their estates grow increasingly complex, they will require targeted, tailored, comprehensive monitoring tools and solutions. Silos must be eliminated so that, if a problem occurs in one system, they will be able to track its effect across their entire estate.
Capacity planning must also be at the top of the priority list. Many of the outages that have occurred over the last 12 months have resulted from companies offering new digital services, while not knowing how much traffic they can handle in a certain timeframe. Capacity planning at a basic level allows firms to identify what a system can handle. At a more advanced level, it can identify specific pinch points, as well as model future scenarios, giving CIOs crucial insight into how their system handles them.
Financial firms are no longer able to simply apologise for an outage and move on. Not only are regulators cracking down, but customers are more willing than ever to switch – particularly in the case of banking and payments.
Given the high likelihood that the Fed will introduce operational resilience legislation similar to the UK’s come 2022, US businesses should tune in now to learn all that they can from the rollout.