As a regulated business with compliance at its core, Lenvi continuously scans the horizon to ensure that we (and our clients) are prepared for potential shifts in the regulatory landscape. As a result, the team here has been taking a deep dive into the regulators’ latest consultation paper on system risk and operational resilience. Director of Compliance Martin Kisby reports.
Back in the summer, the FCA and Bank of England PRA launched a joint consultation paper exploring tighter regulation of Critical Third Parties (CTPs) to the UK finance sector. The paper attracted 58 responses and, overall, demonstrated broad support for regulatory intervention to reduce system risk. As a CTP to the UK lending market, we welcome these developments, and support all positive moves towards encouraging sector resilience.
Respondents also called for greater international regulatory and supervisory co-operation between the UK and jurisdictions that have, or are in the process of developing, similar regimes for CTPs. And several responses also highlighted the importance of ensuring that additional measures for CTPs are proportionate and do not unduly restrict the ability of firms and Financial Market Infrastructure entities (FMIs) to choose third party service providers.
Then, before Christmas, the discussion moved on again with another paper, CP26/23 – Operational resilience: Critical third parties to the UK financial sector. This is of great interest to me and my colleagues at Lenvi. With our 25-year heritage, compliance has always been at the heart of everything we do and, for us, that means not just fully understanding the regulatory landscape as it stands today but also how it may change. We have a team dedicated to horizon scanning, ensuring that we’re able to respond rapidly and effectively to developments such as these for the benefit of Lenvi and our clients. And as a regulated business ourselves, we fully appreciate the importance of operational resilience.
So what does the new PRA/FCA paper propose? Well, firstly, it has defined six rules that it wants CTPs to comply with. These are as follows:
- Conduct your business with integrity
- Conduct your business with due skill, care and diligence
- Act in a prudent manner
- Deploy effective risk strategies and risk management systems
- Organise and control your affairs responsibly and effectively
- Deal with the regulators in an open and co-operative way and disclose to the regulators appropriately anything that they would reasonably expect
In addition, the regulators propose to introduce eight Operational Risk and Resilience Requirements. I’ve summarised very briefly below what CTPs are likely to have to comply with as a result:
1. Governance
Appoint an appropriately qualified employee to act as the central point of contact with the regulators; establish clear roles and responsibilities at all levels of staff involved in the delivery of material services; and establish clear resilience and recovery processes.
2. Risk Management
Identify and monitor relevant external and internal risks; and ensure effective and regularly updated risk management processes.
3. Dependency and supply chain risk management
Take all reasonable steps to ensure that each person in the supply chain understands the requirements that apply to the CTP and provide the regulators with access to any information relevant to them exercising their oversight functions.
4. Technology and cyber resilience
Ensure the resilience of any technology that delivers, maintains or supports a material service, through regular testing and operational resilience measures.
5. Change management
Ensure a systematic approach to dealing with changes to a material service by implementing appropriate policies, procedures, and controls.
6. Mapping
Identify and document resources including the assets and technology used to deliver, support, and maintain each material service it provides, plus any internal and external interconnections between the resources identified in respect of that service.
7. Incident management
Appropriately manage any incidents that adversely affect, or may reasonably be expected to adversely affect, the delivery of a material service.
8. Termination of services
Have in place appropriate measures to respond to a termination of any material services, including provision for ensuring access, recovery and return of any relevant assets to the firms or FMIs that material services were provided to.
This is an important debate, and we support proportionate intervention to reduce system risk and increase operational resilience. It’s also a complex one and my colleagues have compiled detailed analysis that we’re sharing with interested clients. If you have any questions about operational resilience that we may be able to help with, please do get in touch.