The world of regulations
Operational resilience has been recognized as an important issue for banking organizations for many years. Recently, the major regulators have issued a slew of guidance and policy documents to strengthen and formalize the operational resilience frameworks of banks and other financial organizations. The increased regulatory scrutiny of operational risk is a direct consequence of the Covid-19 pandemic. As a major disruption event, the pandemic severely tested the resilience of many areas of the global economy, finance firmly included, and it also had a profound impact on how people and organizations work, requiring all firms to readjust their processes and systems to the new normal.
In September 2020, the European Commission proposed the Digital Operational Resilience Act ("DORA"), which is meant to harmonize the requirements for digital operational resilience for financial organizations within the EU. The proposal is currently being finalized. It focuses primarily on Information and Communications Technology ("ICT") risk and sets out a framework intended to strengthen the IT security of the financial sector, covering ICT risk management, incident reporting, resilience testing and third-party ICT risk. The Act, together with its accompanying directive, will affect nearly all financial institutions within the EU once it comes into force, likely after a 24-month implementation period. You can read more on the DORA in our overview.
US Banking regulators
Shortly after the DORA proposal was announced in the EU, the US banking regulators published guidance on operational resilience best practices for US financial firms. The guidance draws its practices from existing regulations, guidance, statements and common industry standards. The practices are grounded in effective governance and risk management, address third-party risk and call for resilient information systems. Taking a slightly broader approach than the DORA, the US guidance spans several areas of existing banking regulation rather than focusing on ICT alone. However, it applies directly only to very large institutions; smaller firms are advised to consider adopting all or some of the best practices. We provide more detail on the US banking regulators' guidance here.
UK FCA
As EU law no longer applies to UK firms after Brexit, the FCA has issued its own rules and guidance on operational resilience for the UK financial sector, applying to FCA-regulated firms. Taking its usual risk-based approach, the FCA applies the rules to banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, Enhanced scope Senior Managers and Certification Regime firms, and entities authorized or registered under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011. As with the US guidance, firms outside the scope of the FCA rules are advised to consider aligning with them to strengthen their operational resilience. Here you can find a deeper overview of the FCA rules and policy in our article.