In today’s increasingly digital era, the Financial Services Industry stands at the intersection of technological advancement and regulatory scrutiny. Operational resilience becomes paramount as cyber threats evolve and global financial systems become ever more interconnected. Understanding the landscape of Digital Operational Resilience Regulations is vital for executives to ensure that their firms remain compliant, competitive, and competent in the face of disruptions.
A Glimpse into Digital Operational Resilience
Operational Resilience is the ability of a Financial Institution to deliver its critical services continuously, even during disruptions. With Digital Transformation sweeping across Sectors, Digital Operational Resilience zeroes in on the institution’s capacity to navigate digital disruptions, especially those tied to Information and Communications Technology (ICT).
A Summary Overview of Key Regulatory Frameworks in eMFusion’s Key Markets
The European Union’s DORA (Digital Operational Resilience Act)
DORA represents a sweeping new cybersecurity mandate for Financial Services Firms and their Technology Providers. Adopted in late 2022, in force since January 2023 and applying from 17 January 2025, DORA aims to harmonise ICT resilience standards across the sector.
The scope covers most Financial Entities, including Banks, Insurers, Investment Firms, and Financial Market Infrastructure. Notably, DORA also reaches “ICT third-party service providers” – a broad category ranging from cloud services to data processors – and subjects those designated as critical to direct oversight by the European Supervisory Authorities. Some specific Insurance and Banking Institutions are exempt.
The implications are extensive, given the breadth of companies impacted. To comply, many will need to overhaul Risk Management Policies, IT Strategies, and Provider Relationships. With under two years to implement complex changes, preparations should already be underway.
DORA’s primary objective is reducing systemic cyber risks by unifying currently fragmented regulations under one EU-wide approach. It addresses ICT Risk Governance, Information Sharing, Resilience Testing, and Incident Response.
To operationalise DORA, Regulatory Technical Standards and Implementing Technical Standards drafted by the European Supervisory Authorities will provide the implementation details. The first batch was published for consultation in mid-2023.
DORA overlaps with the NIS2 Directive on Cybersecurity. Where both cover the same issue, DORA takes precedence as the sector-specific regulation (lex specialis). But NIS2 cannot be ignored: it still applies to group entities and suppliers outside DORA’s scope.
The UK’s Operational Resilience Guidelines
The UK regulators have signalled that operational resilience is a top priority for 2023. In the Prudential Regulation Authority’s (PRA) letter to CEOs of 10 January 2023 setting out its supervisory priorities, the PRA emphasised that firms must be able to remain within the impact tolerances they have set for their important business services.
The Bank of England defines ‘operational resilience’ as the ability of firms, and the financial sector as a whole, to absorb and adapt to shocks and disruptions rather than contribute to them. It extends beyond business continuity and disaster recovery: it requires robust plans to deliver essential services regardless of the cause of the disruption. The PRA and Financial Conduct Authority (FCA) set out their expectations in their 2021 Policy Statements (PRA PS6/21 and FCA PS21/3). The rules have applied since 31 March 2022, and firms are expected to be able to remain within their impact tolerances by 31 March 2025.
The PRA is already scrutinising firms’ self-assessments against Supervisory Statement 1/21, which requires identifying Important Business Services, setting Impact Tolerances for each, and Scenario Testing to confirm the firm can stay within them. Supervisory Statement 2/21 focuses on managing outsourcing and third-party risks, especially cloud usage, which are a growing source of disruption.
The US Regulators’ Focus on Operational Resilience
US Regulators have sharply intensified their focus on Operational Resilience, Cybersecurity, and Third-Party Risks. The SEC’s 2022 and 2023 Examination Priorities spotlight these areas, signalling that they are now regulatory imperatives.
Authorities are championing Financial and Operational Resilience as crucial enablers of Market Integrity, Consumer Protection, and Adaptability amid growing threats. Resilience is no longer just a buzzword – it is being hardwired into the Regulatory Framework.
Guidance from the different agencies is converging on Resilience as a common theme. The spotlight is brighter than ever, with examinations rigorously assessing firms’ preparedness.
US Finance Executives must make Resilience Capabilities an urgent priority. Cyber Defences, IT Infrastructure, Third-Party Oversight, Crisis Response Plans, and Regulatory Reporting must withstand regulatory scrutiny.
Proactive resilience investments are vital to avoiding significant examination findings or enforcement actions. Firms not actively strengthening their Resilience Programs face substantial Regulatory Risks in this new environment.
Canada’s Guideline B-10
Canada’s principles-based approach to Financial Sector Resilience continues to advance in 2023, driven by the Office of the Superintendent of Financial Institutions (OSFI).
On April 24th, 2023, OSFI released its revised Guideline B-10, Third-Party Risk Management. The revision broadens the earlier outsourcing-focused guidance to cover the full range of third-party arrangements, and the risks they bring in Technology, Cybersecurity, Data, Business Continuity, and Concentration. Federally Regulated Financial Institutions (FRFIs) have a transition period until the guideline takes effect on May 1st, 2024.
On April 21st, 2023, OSFI published its Intelligence-Led Cyber Resilience Testing (I-CRT) Framework. This guides FRFIs in assessing their cyber resilience through threat-intelligence-driven simulated attacks and exercises against their live production systems, rather than through tabletop reviews alone.
Together, these represent the growing prioritisation of Cyber and Operational Risk across Canada’s interconnected Financial Ecosystem. The emphasis on Resilience Testing, Third-Party Oversight, Cybersecurity, and Public-Private Collaboration highlights OSFI’s adaptive approach to regulation as threats become more sophisticated.
Hong Kong’s OR-2 Regime
Issued by the Hong Kong Monetary Authority (HKMA) as Supervisory Policy Manual module OR-2, this framework emphasises readiness for service disruptions and makes the board and senior management accountable for it. A key focus is on vulnerabilities in the delivery of critical operations, especially where third parties are involved.
Switzerland’s FINMA Circular 2023/1
The Swiss Financial Market Supervisory Authority (FINMA) has published Circular 2023/1, Operational Risks and Resilience – Banks, which takes effect on January 1, 2024 and replaces the 2008 circular on operational risks. The circular integrates the Basel Committee’s Principles for Operational Resilience and for the Sound Management of Operational Risk, and expands the regulatory scope from operational risk management alone to operational resilience, with particular attention to ICT and cyber risks and to critical data. The requirements apply proportionately, according to a firm’s size, complexity, and risk profile.
What Does This Mean for Financial Services Firms, in Summary?
Proactive Cybersecurity: In today’s digital age, the emphasis on Cybersecurity is more than just about keeping hackers at bay. It’s about safeguarding a firm’s reputation, ensuring customer trust, and adhering to regulatory mandates. This translates to not just having firewalls and security software but establishing a proactive cybersecurity culture. Financial Institutions must prioritise investments in cutting-edge cybersecurity infrastructure, regular staff training, and adopting best practices to stay one step ahead of potential threats.
Third-party Oversight: With the Financial Ecosystem ever-expanding, firms increasingly rely on third-party service providers for myriad functions, from software solutions to customer service. However, every external partnership brings potential vulnerabilities. Institutions, therefore, must establish rigorous mechanisms to monitor and evaluate the resilience of these third-party entities. This means evaluating them at the outset and conducting regular checks and assessments to ensure they meet the evolving resilience standards.
Scenario Testing: Documented plans are essential, but they must be tested against simulated real-world disruptions. Every one of the regimes above underscores the significance of such scenario testing. Firms must invest in creating mock disruption events to assess their preparedness, identify gaps, and refine their response strategies. This continuous testing ensures that the firm’s response is swift, efficient, and effective when a real disruption occurs.
Executive Accountability: Operational Resilience is no longer confined to the server rooms; it’s making its way to the boardroom. Executive leadership can’t afford to be passive observers. They must be deeply engaged, taking a hands-on approach in shaping and driving the firm’s resilience strategies. This not only reinforces the importance of resilience across all tiers of the organisation but ensures alignment between strategic objectives and operational practices.
Continuous Evolution: The digital realm is in perpetual motion. New threats emerge, technologies evolve, and customer behaviours shift. To remain resilient, firms must adopt a mindset of continuous evolution. Operational Resilience strategies must be fluid, adapting in real-time to new risks, technological advancements, and changing regulatory expectations. Being static is not an option; firms must be agile, always ready to recalibrate their approach in the face of new challenges.
As the regulatory landscape around digital operational resilience continues to evolve, staying informed is not just a matter of compliance but also a competitive advantage. For Financial Services firms, understanding and adapting to these regulations can ensure uninterrupted service delivery, protect customer trust, and position the firm as a leader in a digital-first world.
For firms operating in Financial Services, forging a partnership with a specialised recruitment agency is a strategic advantage. Aligning with a company like eMFusion Global ensures you access top-tier talent: professionals adept at understanding, navigating, and pioneering in this complex regulatory environment.
We champion tailored project-aligned talent solutions, ensuring that the talent we bring to your doorstep perfectly matches the distinct needs of your specific project. It’s not just about filling roles; it’s about ensuring the perfect fit for every project nuance, maximising efficiency and outcomes.