There is little doubt that operational resilience will be a key theme for regulators, post-COVID-19. However, how can trading teams explore what has already been published to better understand the strategic choices they may want to take today? In this blog, Janelle Veasey, Head of Real-Time Customer Proposition, considers five key regulatory themes.
- Regulatory and financial industry engagement with operational resilience is much broader than just cybersecurity or COVID-19.
- Regulators are engaged in five key themes within operational resilience: cybersecurity, cloud computing, outsourcing, customers, and the financial system.
- All of these themes are important to trading teams, which should consider incorporating operational resilience best practices into their data and technology strategies.
For more data-driven insights in your Inbox, subscribe to the Refinitiv Perspectives weekly newsletter.
As the COVID-19 pandemic continues, operational resilience is becoming a topic of increasing importance to both firms and regulators. Specifically, there is growing awareness of potential vulnerabilities within firms – with their data and technology infrastructures, for example – which could impact their ability to deliver products and services to their customers. There are also concerns about the robustness of the outward-facing relationships that firms have with their customers, their third parties, other firms, and financial intermediaries.
Operational resilience is particularly important for trading teams because they are highly dependent on data, technology and relationships to deliver for their customers. A new Refinitiv white paper, Why Operational Resilience is Now Essential for the Trading Business, explores ways in which trading teams at financial services firms are starting to consider the importance of operational resilience – both for their business and as a potential future compliance requirement.
This blog, the second in a series of three on the topic, discusses the important regulatory themes within the concept of operational resilience that could provide best practice insights for trading teams.
Read the whitepaper: Why Operational Resilience is Now Essential for the Trading Business
What are the key regulatory themes?
Many regulators around the globe are working on operational resilience publications in different forms. The UK’s Financial Conduct Authority (UK FCA) is perhaps the most advanced, having published a formal consultation paper that proposes an operational resilience framework in December 2019. However, work is ongoing with both the US and the EU, as well as in other jurisdictions. The Basel Committee on Banking Supervision published its own consultation paper on operational resilience in August 2020.
Overall, there are five key themes that regulatory publications focus on:
1. Cybersecurity – This is the original issue that kicked off regulatory interest. Cyber attacks cause system outages, data breaches and data corruption, all of which are real threats to a trading operation. Globally, financial institutions experience cyber attacks at a higher rate than other industries, meaning that this will remain an important focus even as other operational resilience themes come into focus as a result of COVID-19.
For example, in the first quarter of 2020, the number of Financial Services Information Sharing and Analysis Center (FS-ISAC) member submissions reporting phishing attacks to the organization’s intelligence-sharing portal increased by 33%.
As a result, firms are already seeking to invest more in cybersecurity to enhance operational resilience. According to a poll conducted by FS-ISAC, Some 75% of cybersecurity professionals representing firms around the globe made significant changes to their cybersecurity programs in order to cope with the rapid shift to remote working due to the COVID-19 pandemic.
2. Cloud computing – The surge in regulatory interest in cloud computing does not mean that the world’s supervisory organizations are against this increasingly popular approach to storing and using data. Instead, regulators want financial services firms to view working with cloud service providers as a form of outsourcing, and to ensure their cloud partners are trustworthy, secure, and have operational resilience.
Although a recent Refinitiv survey showed that 94% of firms are limiting their use of the cloud because of regulatory concerns, this is likely to be a short-term issue. In fact, the same 2019 Refinitiv survey showed that 64% of respondents felt that the cloud will be significant, or transformational, for their sector over the next 5-10 years. Both firms and regulators could see how the cloud aided operational resilience during the COVID-19 pandemic in a number of ways.
3. Outsourcing – Regulators want financial firms to be sure that the third parties they choose to partner with have operational resilience. For example, the UK FCA acknowledges that data-driven innovation is an important theme within outsourcing today, and stresses that quality and transparency of third party relationships is more important than ever.
Operational risks within third party relationships need to be proactively managed and addressed. This makes sense from a business perspective too. According to a recent Refinitiv survey, when asked about the negative impact on corporate value if their organization or third parties breached regulations, the average estimate for financial services respondents was 28%.
4. Customers – Underpinning operational resilience is the idea that financial firms should be able to maintain the ability to provide products and services to their customers if their firm suffers a negative event. In the ongoing COVID-19 crisis, firms needed to be able to continue to trade on behalf of their clients in the midst of the volatility, physical dislocation, and accelerating data flows.
Firms also need to be able to onboard new customers. This proved to be a significant challenge for many firms during the European and US COVID-19 pandemic lockdown because of manual onboarding processes. Even before the pandemic hit, one study showed that 14% of potential business at firms was lost due to transactions being rejected because not enough information was known about the legal identity of the counterpart. A further 15% of business was lost because onboarding was taking too long. It is possible these numbers will have risen during the pandemic at firms with manual processes. Those with digital processes will have been able to give their customers a better, faster experience.
5. Financial system – Similarly, a firm’s inability to trade, or to trade correctly, could cause harm to other firms, to financial intermediaries, and to the financial system as a whole. The events of the past two decades – 9/11, the 2008 Financial Crisis, and now the COVID-19 pandemic – have demonstrated the importance of having strong data for the financial system be resilient.
The breakdown of a firm’s ability to trade, for whatever reason, would be a failure of operational resilience. Operational losses in these areas are already significant. Total losses for trading and investment teams between 2014 and 2019 for execution, delivery and process management failures was €9.3 billion, while total losses for clients, products, and business practices was €18.3 billion.
How will operational resilience regulations evolve post-COVID-19?
It is clear that the world’s regulators are preparing to focus on operational resilience once the COVID-19 pandemic crisis subsides. “We can expect regulatory interest and work on operational resilience to flow across the markets as a result of COVID-19, and this will have an initial impact on firms’ technology, procurement and data organizations,” says Gavin Carey, Head of Enterprise EMEA at Refinitiv.
Trading teams should examine what regulators have already published on operational resilience in conversation with the general themes mentioned above. To aid trading teams, a list of documents is contained in the new white paper from Refinitiv. By starting now to implement a fresh approach to operational resilience, trading teams have the opportunity to bring potential regulatory requirements together with improved operating practices in a strategic way that has the potential to generate true business value.