Building a More Resilient World

Regulations in the Financial Services Sector

Fusion Risk Management Season 2 Episode 3

Season 2, Episode 3: Regulations in the Financial Services Sector covers critical components of ongoing and new regulations. Join our host Bridget Anders, Manager, Marketing Communications, and two amazing speakers, Lauren Kornutick, Solutions Manager, Compliance, and Darren Smith, Senior Director of Operational Resilience, for a discussion on:

  • regulator perspectives in the financial sector
  • individual mandates and what they mean for Chief Resiliency Officers
  • the varying stages of maturity in operational resilience programs
  • and more!

Learn more about Fusion Risk Management and see how technology can help with the basics. Discover what's possible and request a demo!

Bridget Anders (00:00):

Welcome back to Building a More Resilient World, sponsored by Fusion Risk Management. This podcast is where we discuss the basics of operational resilience, business continuity, and risk management. Today we'll be discussing regulations in the financial services sector. My name is Bridget Anders, and we will be speaking with Lauren Kornutick, Compliance Solution Manager, and Darren Smith, Senior Director of Operational Resilience. Thank you both for joining me today. Let's get started with discussing what's happening currently in the regulation and compliance arena.

Lauren Kornutick (00:36):

This is Lauren Kornutick, I am Fusion's Compliance Solution Manager. And to kick this discussion off, there has been a drive by regulatory authorities to, kind of, codify all of the underlying practices that make up a resilient organization. And when I say underlying practices, they are your standard business continuity, IT, disaster recovery and crisis management plans, cyber resilience, as well as privacy requirements and third-party risk management and downstream regulations and supply chains. So, historically these regulations were, kind of, handled independently and at the enterprise level. And what we're starting to see from a regulatory perspective is a drive by regulators to tie these very important operational things that a company has to do back to business processes that impact consumers.

Darren Smith (01:50):

Hi, this is Darren Smith, I'm the Senior Director of Operational Resilience for Fusion, and I think I'd agree completely with what Lauren is saying. And just to add to that - you know, obviously with my role title, I'm particularly interested in operational resilience as it pertains to organizations, and in particular the Bank of England, FCA, and PRA regulations specific to financial institutions and the insurance market out of the UK. I think to Lauren's point, tying that back to processes and understanding the complete end-to-end chain within your organization with a particular lens on the products and services that are consumed in the marketplace with the intention or the caveat of doing no harm – and I think that's the key piece of those particular regulations. It's a, sort of, higher level top-down look into your organization rather than the traditional bottom-up approach that you might see through business continuity or another program.

Bridget Anders (02:55):

Yes, thank you. And what does this look like for the regulators?

Lauren Kornutick (02:59):

So, just touching on what the Bank of England and its two regulatory authorities did: they were really the pioneers of this kind of legislation, and they were the first to codify it and set a deadline for it. But, basically breaking it down into its pieces, it's a new set of requirements on the financial institutions to map out their critical and important business services. It requires them to set a risk impact tolerance, and a risk impact tolerance is just what is maximally acceptable by that particular financial institution. The regulator is not going to tell them you can only tolerate 30% risk. They're really putting it in the hands of the financial institutions to define what an acceptable risk threshold is, but they also, really, are putting some parameters around running scenario testing on things that could have severe consequences for consumer-facing business processes. So, some examples, like, when I talk about this I like to flag are: lightning strikes a data center, and the ATM that's attached to it goes down, or another severe but possible scenario is something related to war or an environmental issue that would prevent access to these services. The regulations also are requiring the banks to do more ongoing continuous monitoring and really just prove that they have a functional program versus doing things on paper without having it embedded into their business practices. Darren, is there anything you'd add to that?

Darren Smith (04:57):

Well, I think I would just pick on a couple of the points that you've mentioned, and you have mentioned many things there, and they're all absolutely right in terms of the focus. The operational resilience regulations in particular are focused on, as I said before, the end consumer and in a particular lens on the vulnerable consumer. So, I think the ATM outage is a great example of a use case where the regulator is focusing on either those that are more vulnerable or maybe those, for example, that wouldn't necessarily have easy access to credit facilities or digital money. An ATM network may well be an absolute critical provision for that group of individuals. So, you know, the tolerance, or the impact tolerance, of the outage of that provision may well be a shorter timeframe for the vulnerable consumer than others, as an example. So, I think, you know, the lens, again, is on the outside of your organization looking into the services that you provide.

Darren Smith (05:55):

So, I think for me, that's one of the key things to think about in terms of the regulations. Many, many organizations with strong, good, mature risk programs and resilience programs would historically look inside – how quick do I need this server back? How quick do I need that component, if it fails, replaced? What resources do I need to do that? What team activities does it impact if I have this particular impact or outage? But with these particular operational resilience regulations, as I've said, it's a higher view - a more strategic view of your organization, but as I say, with your products and services at the core, at the center of that view.

Bridget Anders (06:32):

Yeah, those are really great insights. Thank you both. What is an individual mandate, and what does it mean for Chief Resiliency Officers?

Lauren Kornutick (06:42):

We're starting to see regulators put requirements into their legislation that a person is responsible for the program, and they must be designated as responsible for the program. And that's something that's been emerging across all different spaces of regulation that are related and cousins of resiliency, like compliance and other things. So, it's really giving - I guess a way to say this is it really gives individuals the backing they need to go and stand up to their management and boards and talk about why they need resources – because it gives them incentive, as their name is now directly attached to the program. And my experience has been that back office, operational risks, resilience, compliance programs are usually staffed – at minimum – to operate, but this really, kind of, puts some backing around those resource requests.

Darren Smith (07:56):

Yeah, agreed. And I would add to that, if I may Lauren – for me, this is not just about resources and getting backing, this is absolute direct accountability. And, again, referring back to the operational resilience requirements, one of the first deadlines – or the first deadline – is approaching now. At the end of March 2022, regulated organizations will have to make their first attestation, and that attestation will talk to their important business services and the criticality assessment of those and how organizations have mapped those services. We don't yet know what "good" will look like – the requirements are not particularly prescriptive. And I suspect what will happen is that the regulators will take stock and take time to look at the submissions; understand where the average is coming in at; understand where the mean is, so to speak; and will give some guidance and feedback in terms of those that are coming in at the expected level or what best practice might even look like.

Darren Smith (08:56):

But, I guess in terms of the individual mandate, they are also likely to come and point out where organizations have fallen short. Now, if you are a named individual, like an SMF 24 for example, it is possible that the regulators could make an example of you as an individual. Make an example is probably the wrong terminology to use, but, you know, it might not just be "X PLC Limited" that is mentioned – it could be the individuals themselves in those named mandated roles that are mentioned and called out. So, I think this does bring a direct responsibility, a direct accountability at the right level within organizations. And I feel that this is a swing in the right direction from regulation per se, and I think that this just isn't a tick box exercise anymore. You are going to have to live – as Lauren said earlier, you're going to have to live these mandates. It's not something that you can put on paper or write your framework or your program and policy statements, etc. and believe that that's enough from the regulator's eyes or an evidential point of view. I think this is now going to be part of the DNA as we move forward, to ensure that the marketplace is robust and can withstand impacts as we've seen before, back in the early 2000s.

Bridget Anders (10:17):

Can you talk a little bit about the varying stages of maturity that we're seeing with institutions?

Darren Smith (10:24):

Yeah, I'm guessing the question is centered around, sort of, the varying levels of maturity that we're seeing in terms of operational resilience programs, or at least I'll take the question that way if I may. And this is a really interesting question and really interesting point, and I think in truth, the answer is that we're seeing everything. We're seeing organizations that are approaching this for the first time and are in a green space in terms of the starting point, and we're seeing organizations that are both very complex in nature but with very mature foundational programs, such as operational risk, such as business continuity, IT disaster recovery. Now, of course, in many organizations those programs are owned separately and, you could argue, in silos, and therein lies some of the challenge for organizations as they move forward towards operational resilience: breaking down that siloed approach, that siloed mentality. Breaking that down either internally through structure or via the use of tool sets and technology that can break that down for you is going to be key to moving your organization to be able to really understand what the operational resilience lens looks like.

Darren Smith (11:39):

So, I think in all honesty, people are at various stages. Some of the challenges to maturity can be non-clean data sources, for example, ownership of different data sources within an organization sitting in different parts of the organization – so no true golden source of data. That's where we tend to find the main challenges to maturity, and I think, Lauren, you touched on it earlier, resource is another key challenge. Resourcing is always something that everyone would argue they need more people to do what they need to do. But, traditionally, the disciplines that we are talking about here are low-resourced in terms of number and often will need to call on volunteers, if you like – those that are interested in helping the organization become more resilient, but it isn't the job that they are recruited for, it's not the job that they're paid for day-to-day, so it's a hat they wear out of interest. So, I think, you know, in all honesty, we see everything in terms of stages of maturity, stages of clarity as well I would add on top of maturity.

Lauren Kornutick (12:40):

I would add to that that one way to, kind of, get around that resourcing constraint is to start to leverage technology as a vehicle to help prove these programs exist as part of the organizational structure and the organizational framework, right? I mean, you could have five or 10 people do things on paper, and it's not necessarily an efficient way to do it, but moving up that maturity ladder will help you, and moving into tech will help a lot of these companies really automate those very time consuming but low value tasks. So, an example of that is, really, just when you run a risk or resiliency program, you have to ask others for inputs. And often, as Darren said, those people – it's not their full-time job, but their information's required. So, as that practitioner, you're spending a lot of time chasing for information when you could be using your time to work on more high value tasks, like working through ways to find better controls around your critical and important business services. So, as companies really start to mature their programs, I think what we're seeing is users looking to get into technology that can help them versus relying on traditional methods and resources like Excel spreadsheets and notebooks.

Bridget Anders (14:18):

So, kind of going off of all that, how can Chief Resiliency Officers persuade their boards to invest in teams to manage operational resilience without relying on consequences?

Lauren Kornutick (14:30):

So, that's the old carrot or stick approach, right? There's a return on investment, and there's a return on investment on these back-office programs. There's an even bigger return on investment when you tie these back-office programs to your corporate values of trust or integrity because having a business that's consumer-facing and having controls around those consumer-facing processes really just helps you to prove to your consumers that you're a trustworthy business, and it's worthwhile for you to invest in programs to help expand those resources. And I call that return on value statements because, again, as we've, kind of, talked throughout this whole discussion, it's one thing to say you're doing something on paper, but it's another thing to live it.

Darren Smith (15:30):

Yeah, and, I guess, traditionally and historically resilience and risk professionals would've talked about the consequences of not doing, right, these, sort of, doom and gloom merchants, if you like. And I think there's still some relevance to that talk track, but, to Lauren's point, there is a return on investment. Now, if we look back to the crash of the early 2000s – 2008 I believe from memory – there are dire consequences to failure, right? There are dire consequences to getting it wrong, and you will or could go out of business whilst also doing harm to the financial marketplace. So, this isn't a light subject for anyone, and from a Chief Resiliency Officer's perspective, you know, that individual accountability is now there for that. So, in terms of their dialogue with their boards to invest in teams, I would say one resource is helpful, of course, but, again, technology and platforms such as Fusion Framework can not only be a planned storage conduit for you, it can actually give a lens, a view into the health and the state of your organization, right?

Darren Smith (16:27):

It gives you a dynamic picture. It's not just about an impact, although that remains important. It's not just about going through potential scenarios and understanding, you know, how likely – how potential is this scenario that we are working through today? How likely is it to impact us? What are the outcomes of that for us as an organization, but more importantly, for the consumer and for the marketplace? What is the potential for that? How long is it going to be before that potential becomes reality? I think what happens with that mindset shift and with that view and that lens is that actually you begin to show the state and health of the organization. That's much more of an interest to your C-suite and to your C-suite (minus) minds – that's much more of an interest to those that think strategically about the organization and the direction of travel.

Darren Smith (17:20):

One thing I've always spoken to leadership about is that your resilience programs have to be aligned with your strategic vision and your strategic path and your strategic roadmap because M&A activity, for example, could have an impact on your resilience planning. So, getting that alignment at any place that you can, breaking down that silo by the use of technology at any place that you can is all going to inadvertently be a value add, and it's just a way of being able to demonstrate that in real time, in real terms. Usability of tool sets, for example, will do that job for you. So, for me, there are multiple facets to this, there are multiple angles that you can take. And just finally, if I may, on this point – we talk about breaking down the silos, and we shouldn't underestimate how difficult that is for organizations. Many organizations are built up over time – many, many years, some hundreds of years. It's a very entwined, complex picture that can be too politically sensitive to undo or change, and it can just be too difficult to even comprehend. So, by using technology platforms, again, as an overlay, in some regards that takes away the need to immediately address those really difficult points, those really difficult discussions when you are up against the clock in terms of regulations, deadlines, etc. So, I think, again, that's another angle you can take as a Chief Resiliency Officer when you're looking for investment, again, not just in terms of people, but in terms of resources all around.

Bridget Anders (18:52):

Yes, such a key piece of this. Is there anything else that is relevant to this topic that our audience should know?

Lauren Kornutick (19:00):

I mean the only thing I would add is that part of having a strong and resilient organization is understanding what's on the horizon. It's just so important to be aware of the external world – and that's something that resiliency officers and practitioners just need to keep in mind: that what you're doing today, while it may be good, it may not be good enough tomorrow.

Darren Smith (19:29):

Akin to that, I would say we know we've got the first deadline, March '22, for attestation submission. There'll be a period between then and March '25 to start scenario testing and working through your important business services and the mapping that's taken place on those. We've got the deadlines around the operational resilience and continuity and resolution requirements later on in '22. DORA is on the horizon. Regulation isn't going away, and regulation, I think, as we said earlier, will move away from tick box exercises, checklists, etc. into being embedded in how we do business, and it will be a value add at some point – that's the dream – but, certainly, it'll be a cost of doing business, and "we cannot afford to do it" won't be an answer, "we don't have the resources to do it" won't be an acceptable answer. So, I think we all need to sit up and listen and understand that it's here to stay, and we can't turn away from it at the end of the day. So, and to Lauren's point, it isn't going to stay still – it will be iterative. If we are not doing it in the interests of, or in the spirit of, the regulations, I'm sure that the regulators will have their inspections, and they'll be staffed to make sure they help organizations understand the right direction of travel and the plan that they'll need to take going forward.

Bridget Anders (20:46):

Absolutely. Well, it's been a pleasure speaking with both of you today. Thank you again for your insights, and thank you to our listeners for joining us on Building a More Resilient World, sponsored by Fusion Risk Management. Have a good one!