Estimated reading time: 6 minutes
Operational resilience in the US: best practices
Operational resilience is the ability for organisations to continue working at full capacity when parts of their process have been compromised or interrupted. However, in the US, many recent events have threatened operational resilience in the financial sector, leading to growing concern around more general economic matters.
In this compliance corner, we’ll discuss the current state of operational resilience in the US, factors which affect the continuing of service provision and what the guidance is from regulators, committees and industry leaders.
Operational resilience: what’s the current state of play?
In recent years, open banking technology has made it super simple for FinTechs to connect with banks in the US. As each financial institution has become more and more intertwined with external businesses, the risks to its own operations have been heightened.
Better known as third party service providers – or 3PSPs – these are programs designed to enable banking services. Apple Pay and Google Pay are two of the most famous American examples, existing to make it easy for customers to pay for goods and services through their smartphones.
But with new technologies come new threats.
Specifically, most 3PSPs in the states aren’t subjected to the same rigorous regulations as banks and financial institutions. Without these rigid requirements, both the financial institutions themselves and their customers are put at risk to the likes of security issues, data leaks, identity theft and could be exposed to huge economic losses.
Factors affecting operational resiliency
There are a number of circumstances that have posed a threat to operational resilience in the US over the past few years. For example:
- Cyber security incidents
- Natural disasters
- The global pandemic
- Reliance on 3PSPs
Cyber security incidents
New SEC regulations require disclosures from financial institutions when cyber incidents occur. This means that now, and in the near future, we expect the volume of cyber attacks reported to increase.
One such attack was the second-largest cryptocurrency hack in history, occurring in March 2022. The Ronin network was subject to theft of over $450 million in assets, which left millions of people out of pocket. Plus, the reputation of the network itself has been decimated.
Cyber security incidents like this one, and even google password leaks, for example, put the public at risk. With this information able to verify bank accounts, the compromise of a single company within the chain can affect the entire network.
An increasing number of natural disaster incidents have occured in recent years, leading to millions in economic losses. If the trend continues, the likes of hurricanes, flooding and drought are likely to continue to wreak havoc on the world’s global economy.
Within the last 18 months, the state of Texas has experienced droughts, flash flooding, snow and cyclones. Hundreds of Fintech startups in the region have been rendered useless during each of these events, when workers were unable to reach their offices and weakened electricity power grids prevented working services.
The compromise of operational resilience in each of these events has led to reduced security around each of these fintech startups, leaving them exposed to hackers. Moreover, when formed as part of a network of infrastructure, they have also left customers unable to access essential banking services.
Reliance on 3PSPs
With increasing interconnectivity, third party services are only growing in their volume and userships. In order to move with the times, most banks have no choice but to create partnerships with these external operators.
However, if any one of these services are disrupted, the entire network feels the effects. The current focus for many financial institutions is to work out how they can operate without relying on these 3PSPs, or how to connect with external accounts without opening their own infrastructure and customers to security threats.
This focus on third parties mirrors the EU’s latest guidance on building operational resilience, the Digital Operations Resilience Act.
Federal Reserve and Central Bank Guidance
In October 2020, the Federal Reserve and Office of the Comptroller of the Currency (OCC) released new guidance, named “Sound Practices to Strengthen Operational Resilience”.
Matching up with the direction of European Regulators on committees such as Basel III, the paper released a directive for companies to evaluate their operational resilience through seven core principles.
It’s important to note that no new regulatory frameworks have been released, just general guidance. In recent years, the industry hit back at regulation plans that were deemed too rigid. This, then, seems to be a more flexible approach towards helping banks and institutions to maintain operational resilience through navigating new tech landscapes.
7 principles of operational resilience
Seven core themes were released in the paper to enable regulated financial institutions to follow best practices.
These are governance, operational risk management, business continuity, third party risk management, scenario analysis, resilient information systems and surveilling or reporting factors.
- Governance: including the board of directors regularly reviewing activities, critical operations and ongoing risks, as well as holding senior management accountable
- Operational risk management: identifying, managing and preventing exposure to risk by following regulatory advice, performing impact tolerance tests and risk assessments
- Business continuity management: consider specific, industry-wide and unsystematic stresses as well as institutional coping mechanisms
- Third party risk management: identify and analyse third-party risks, as well as verifying their external and internal management practices
- Scenario analysis: validate tolerance testing by designing scenarios to test operational disruption
- Secure resilient information systems and management: establish controls to safeguard data against evolving cybercrime threats
- Surveilling and reporting factors: monitoring risks and management techniques, and informing on the performance of business services on occasions of weakened cyber resilience
Each of these seven core themes enable financial institutions to identify, analyse and manage risks in order to prevent threats to organisational resilience.
Third party service providers guidance
In August 2021, the Central Bank worked in conjunction with the Federal Reserve to release further direction around performing due diligence on financial technology partners.
Specifically, this was targeted at community banks, which typically have a smaller bank of resources against cyber threats at their disposal. Its purpose was to enable community banks to better respond to threats.
Key points included data collection and analysis, as well as scoping out the nature of threats. Moreover, banks must be able to estimate the ability of each of their partners to continue working through a disturbance.
From this guidance, a regulatory framework was developed for community banks:
- Identify a potential threat
- Respond to the threat
- Secure itself
- Secure its customers
- Develop a disaster recovery plan, including continuous adaptive planning through post-investigations
Who must comply with operational resilience rules?
The guidance set out by the Federal Reserve applies to US banks with more than $250 billion in total consolidated assets, or more than $100 billion if they meet other characteristics. The recommendations aim to harmonise best practices across the financial industry.
However, continuous risk assessment and testing will be required to stand up to future threats. Moreover, an increased focus on integration and partner management will help reveal the firms who strengthen their operational resilience.
For tailored regulatory planning that enables financial service providers to proactively manage changes and reduce risk, choose CUBE. With end-to-end technology, your company can implement operational resilience best practices without costly consultant or legal fees.
If you’re struggling to remain operationally resilient, we’d love to hear from you.