Organizations around the globe are under increasing pressure to meet a growing list of regulatory requirements and guidance. That’s especially true for financial organizations, both in the U.S. and abroad.
Some of these regulations are final, while others are in earlier stages. And depending on where you are, certain regulations may actually contradict or supersede one another – which will be especially challenging for companies that operate in multiple countries or regions.
To help you keep the growing list of requirements straight, here’s a high-level look at the current regulatory landscape for financial institutions:
The Bank of England, the United Kingdom’s Financial Conduct Authority (FCA), and Prudential Regulatory Authority (PRA)
The Bank of England, the UK’s Financial Conduct Authority (FCA), and Prudential Regulatory Authority (PRA) are setting the pace for operational resilience standards for financial institutions. They released operational resilience standards in March 2021 that establish a framework and set minimum resilience standards for all services that critical third parties (CTPs) provide to firms and financial-market infrastructure firms. The Bank of England regulations focus mainly on how firms identify important business services and remain within their unique impact tolerances. In particular, the Bank wants firms to understand what activities, when threatened, would affect customers, markets, and organizations at large.
Under these guidelines, firms are expected to identify important business services and impact tolerances, establish strategies and systems to comply with requirements, and document a self-assessment of their findings.
Requirements will likely be published in 2023.
The Basel Committee on Banking Supervision
The Basel Committee on Banking Supervision sets regulation standards for its 63 central banks and authorities around the world. In 2021, it released its “Principles for Operational Resilience.”
Its goal is to establish a principles-based approach to operational resilience so that banks are better prepared to withstand events that may disrupt operations and affect operational resilience. Under these guidelines, banks are expected to identify their critical operations and map internal and external interconnections and interdependencies needed for operational resilience.
These principles focus on:
- Operational risk management.
- Business continuity planning and testing.
- Mapping interconnections and interdependencies.
- Third-party dependency management.
- Incident management.
- Resilient cybersecurity and ICT.
The new principles are also aligned with the Basel III operational risk framework. Basel III standards had an implementation deadline of Jan. 1, 2023.
Canada’s E-21 Operational Risk Management Guidelines
The Operational Risk Management Guidelines were released in 2016 for all of Canada’s federally regulated financial institutions (FRFIs). The goal is to ensure consistent application of sound operational risk management practices across industries and institutions.
In 2021, the Office of the Superintendent of Financial Institutions announced its intent to review E-21 to focus more on operational resilience. There have been no changes released to date.
U.S. Board of Governors of the Federal Reserve System
In the U.S., the Board of Governors of the Federal Reserve System’s guidance is less explicit than others and is not a direct regulation. The board guides the Federal Reserve System and calls on organizations to use sound practices, existing regulation, and common industry standards for operational resilience, with additional guidance about critical operations and market considerations.
EU’s Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is designed to ensure the financial sector is able to remain resilient when faced with a severe operational disruption or ICT-related incidents. It covers five core areas: governance, third-party risk mitigation, incident reporting, resilience testing, and information sharing. The guidelines promote a broader, strategic perspective for organizations through their intent to standardize and evolve existing practices.
Once DORA becomes law in each of the integrated states, other technical requirements will be developed and released. Full implementation is expected by 2024.
Central Bank of Ireland
The Central Bank of Ireland’s Cross-Industry Guidance on Operational Resilience is designed to help organizations prepare for, respond to, recover from, and learn from operational disruptions that affect delivery of important business services. As such, organizations are expected to begin the process of mapping all important business services. The guidelines include a 15-point list outlining what goes into a successful operational resilience program. Organizations are expected to develop action plans to address operational vulnerabilities, aligning with the guidance, by December 2023.
Australian Prudential Regulatory Authority (APRA)
In July 2022, the Australian Prudential Regulatory Authority (APRA) proposed new operational risk management standards for all of its regulated entities. Among the requirements, organizations will have to demonstrate effective internal controls, be prepared to continue delivery of critical services during a disruption, and manage risks associated with service providers.
Once the standards are finalized, APRA will develop and release an action plan for standard implementation.
Hong Kong Monetary Authority
The HKMA released its supervisory policy manual outlining guidance for its Banking Authorized Institutions (AIs) in 2022. It offers step-by-step guidance to develop an operational resilience framework and determine parameters, including identifying critical operations, setting disruption tolerances, and identifying severe but plausible scenarios.
All AIs are expected to have developed their frameworks and established an implementation timeline by May 31, 2023, and have the framework implemented no later than May 31, 2026.
Monetary Authority of Singapore (MAS)
The updated MAS guidelines focus more on business continuity than operational resilience. These guidelines require financial institutions to “take an end-to-end service-centric view in ensuring the continuous delivery of critical business services to their customers.” The updates to existing guidelines speak to an approach of having business continuity address emerging resilience best practices rather than creating new operational resilience requirements.
In 2021, MAS released guidelines for technology risk management. These guidelines outline risk management principles and best practices standards, which should be commensurate to the organization’s risk level and service-offering complexities. The updated business continuity guidelines should come into effect in June 2023.