Changes on the horizon to U.S. operational resilience regulations?
Last month, the Acting Comptroller of the Currency, Michael J. Hsu gave remarks at the annual Washington Conference of the Institute of International Bankers. The topic of the talk was operational resilience.
Given that his office, the Office of the Comptroller of the Currency (OCC), regulates the banking sector and has in the past issued official guidance on the matter, the industry couldn’t afford to consider his remarks simply academic. It makes sense then to ask, do these latest remarks augur a potential shift in operational resilience regulations? We’re diving deeper in this article.
Latest thoughts on operational resilience
It’s no secret that operational resilience has been moving up the list of regulatory priorities. Why? Hsu explains that both the “probability of disruption” and “the potential impacts from those disruptions are increasing.”
Meanwhile, the eruption of digital technologies and third parties have expanded “the threat surface for disruptions,” with no reason to believe any of these trendlines will reverse soon.
Indeed, Hsu likens the trend toward complexity in the banking sector to greater disintermediation in global manufacturing supply, referencing the latter’s “efficiencies, complexities, and vulnerabilities.”
Supervisory expectation of operational resilience
What are the supervisory expectations that flow from this risk picture? The OCC, for one, expects the financial institutions it regulates to remain operationally resilient.
This has been the mission of regulators like the OCC since the early 2000s, when following the September 11 terror attacks, the OCC issued an Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System.
That paper was superseded at the beginning of this decade, with the publication of “Sound Practices to Strengthen Operational Resilience.” The latter piece of interagency guidance, published in October 2020, integrated existing guidance, common industry practices, and the work of the Basel Committee on Banking’s Supervision’s Operational Resilience Group.
Are the Sound Practices obsolete?
Is it now obsolete? Since publishing the “Sound Practices to Strengthen Operational Resilience,” U.S. regulators have seen peers beef up operational resilience requirements in the jurisdictions they oversee.
Hsu himself references the European Union’s Digital Operational Resilience Act (DORA), a new set of rules for protection, detection, containment, recovery, and repair capabilities against information and communications technology (ICT)-related incidents.
Last year, another regulator, the Australian Prudential Regulation Authority (APRA) published Prudential Standard, CPS 230 Operational Risk Management, addressing operational risks, resilience, and business continuity.
Hsu also mentioned similar rules in the U.K. and Japan requiring “firms to identify important business services, map processes, set impact tolerances, test under different scenarios, and establish standards for outsourcing and third-party risk management.”
Is the U.S. next?
Reading the transcript of the talk, it seems regulatory change might be in the air in the U.S., as well. Hsu acknowledges that U.S. banking regulators have been mulling over comparable changes to the nation’s operational resilience framework.
Where’s the current focus likely to be? Hsu mentions baseline operational resilience requirements for large banks with critical operations, including third-party service providers. Such requirements might include the following:
- Establish clear definitions for identifying critical activities and core business lines
- Define tolerances for disruption
- Require testing and validation of resilience capabilities
- Incorporate third-party risk management expectations
- Stipulate clear communication expectations among stakeholders and counterparties
- Address expectations for critical service providers, with emphasis on governance and risk management expectations
What to expect now?
When it comes to operational resilience, U.S. regulators are pointing up the degradation of the threat environment since they last intervened. They’ve also shown themselves to be aware of what’s going on in peer jurisdictions.
So, where do things go from here? The natural next step is for interagency regulators to develop a new approach.
The banking sector should, therefore, anticipate, at a minimum, increased scrutiny of operational resilience in the near term with potential, enhanced requirements coming later.
How to get a handle on expected changes to the compliance environment? The best place to start is to ensure that you’re following the present regulatory regime.
And to that end, it doesn’t hurt to reread the “Sound Practices to Strengthen Operational Resilience.” What’s in those Sound Practices? Read Noggin’s overview of the regulations, here.