LONDON (Reuters) - Regulators made proposals on Thursday to strengthen the ability of banks and payment firms in Britain to cope with major incidents and maintain key services with minimum interruption.
A parliamentary committee called for changes in October following a string of IT failures at banks, most recently one at TSB that left thousands of customers unable to make payments from their accounts.
The Bank of England and the Financial Conduct Authority have proposed that banks, insurers, investment firms, exchanges and financial market infrastructure firms (FMIs) like Visa that make payments possible set “impact tolerances” for important services.
Firms themselves would quantify the maximum level of disruption they would tolerate in terms of time, volume of business or number of customers affected.
A metric based on time alone may be insufficient, the regulators said, taking a more nuanced approach from an earlier discussion paper.
Firms will have to spell out what backup plans they have to stay within these tolerances to avoid huge disruption to services, the regulators said in proposals put out to public consultation.
“I will be asking your Chairs and CEOs what strategic decisions and investment choices they are making to build operational resilience and to maintain the supply of important business services in the event of a major incident,” Megan Butler, executive director of supervision at the FCA, said in a speech to the financial sector.
She warned firms not to “game the system” by setting an excessively high impact tolerance to avoid spending money.
Consultants PwC said that while the proposals have no fixed tolerances, regulators made it clear that boards and senior managers are firmly on the hook for overseeing operational resilience.
“These moves by the regulators bring operational regulation on a par with the regulation of financial stability,” added Angela Greenough, a lawyer at CMS.
The regulators also issued papers on how operational resilience relates to services outsourced by financial firms, such as cloud computing, that can leave them vulnerable to disruptions.
Firms must be certain that important services can recover from a disruption within a set period even when they rely on outsourcing or third party providers for those services, the BoE said.
“Firms and FMIs should use impact tolerances as a planning tool and should assure themselves they are able to remain within them in severe but plausible scenarios,” the BoE said.
Regulators will issue final rules in the second half of 2020.
Reporting by Huw Jones; Editing by Christina Fincher