Ramping up operational resilience

As a regulated business with compliance at its core, Lenvi continuously scans the horizon to ensure that we (and our clients) are prepared for potential shifts in the regulatory landscape. As a result, the team here has been taking a deep dive into the regulators’ latest consultation paper on system risk and operational resilience. Director of Compliance Martin Kisby reports.

Back in the summer, the FCA and Bank of England PRA launched a joint consultation paper exploring tighter regulation of Critical Third Parties (CTPs) to the UK finance sector. The paper attracted 58 responses and, overall, demonstrated broad support for regulatory intervention to reduce system risk. As a CTP to the UK lending market, we welcome these developments, and support all positive moves towards encouraging sector resilience. 

Respondents also called for greater international regulatory and supervisory co-operation between the UK and jurisdictions that have, or are in the process of developing, similar regimes for CTPs. And several responses also highlighted the importance of ensuring that additional measures for CTPs are proportionate and do not unduly restrict the ability of firms and Financial Market Infrastructure entities (FMIs) to choose third party service providers. 

Then, before Christmas, the discussion moved on again with another paper, CP26/23 – Operational resilience: Critical third parties to the UK financial sector. This is of great interest to me and my colleagues at Lenvi. With our 25-year heritage, compliance has always been at the heart of everything we do and, for us, that means not just fully understanding the regulatory landscape as it stands today but also how it may change. We have a team dedicated to horizon scanning, ensuring that we’re able to respond rapidly and effectively to developments such as these for the benefit of Lenvi and our clients. And as a regulated business ourselves, we fully appreciate the importance of operational resilience.

So what does the new PRA/FCA paper propose? Well, firstly, it has defined six rules that it wants CTPs to comply with. These are as follows:

  • Conduct your business with integrity
  • Conduct your business with due skill, care and diligence
  • Act in a prudent manner
  • Deploy effective risk strategies and risk management systems
  • Organise and control your affairs responsibly and effectively
  • Deal with the regulators in an open and co-operative way and disclose to the regulators appropriately anything that they would reasonably expect

In addition, the regulators propose to introduce eight Operational Risk and Resilience Requirements. I’ve summarised below, very briefly, what CTPs are likely to have to comply with as a result:

1. Governance

Appoint an appropriately qualified employee to act as the central point of contact with the regulators; establish clear roles and responsibilities at all levels of staff involved in the delivery of material services; and establish clear resilience and recovery processes. 

2. Risk Management 

Identify and monitor relevant external and internal risks; and ensure effective and regularly updated risk management processes. 

3. Dependency and supply chain risk management 

Take all reasonable steps to ensure that each person in the supply chain understands the requirements that apply to the CTP and provide the regulators with access to any information relevant to them exercising their oversight functions. 

4. Technology and cyber resilience 

Ensure the resilience of any technology that delivers, maintains or supports a material service, through regular testing and operational resilience measures. 

5. Change management 

Ensure a systematic approach to dealing with changes to a material service by implementing appropriate policies, procedures, and controls. 

6. Mapping 

Identify and document resources including the assets and technology used to deliver, support, and maintain each material service it provides, plus any internal and external interconnections between the resources identified in respect of that service. 

7. Incident management

Appropriately manage any incidents that adversely affect, or may reasonably be expected to adversely affect, the delivery of a material service. 

8. Termination of services 

Have in place appropriate measures to respond to a termination of any material services, including provision for ensuring access, recovery and return of any relevant assets to the firms or FMIs that material services were provided to. 

This is an important debate, and we support proportionate intervention to reduce system risk and increase operational resilience. It’s also a complex one and my colleagues have compiled detailed analysis that we’re sharing with interested clients. If you have any questions about operational resilience that we may be able to help with, please do get in touch. 
