UK BoE FPC and Operational Resilience


On Mar. 27, UK BoE set out macroprudential approach to resilience.


  • UK PRA set out the Financial Policy Committee’s (FPC) macroprudential approach to operational resilience, i.e. the ability of financial system participants to prevent, respond to, recover from and learn from operational disruptions, e.g. cyber-attacks and internal process failures.
  • Operational Resilience
  • Operational resilience is becoming more important; financial services are now more digital and interconnected, as financial firms are increasingly outsourcing services to third parties.
  • New technology, e.g. AI, is continuing to develop, so these trends are likely to continue.
  • Effect on Financial Stability
  • When financial firms and financial market infrastructures (FMIs) are operationally resilient, they can provide vital financial services to households and businesses.
  • This includes services like lending and taking deposits, or making payments.
  • But this may not be enough to prevent operational disruptions from impacting the financial system, e.g. firm-level disruptions can lead to a widespread loss of confidence in the system.
  • Therefore, when improving their resilience or responding to operational disruptions, financial firms and FMIs must consider how their operational weaknesses might affect the stability of the financial system more widely, not just the risks to their businesses.
  • As part of that, the FPC expects key financial firms and FMIs to consider which of their services are vital to UK financial stability when they build their operational resilience.
  • Vital services include payments, clearing and settlement of transactions; deposit taking and lending; and insurance and activities which support the functioning of markets.
  • FPC Next Steps
  • The FPC will review the existing policies on operational resilience regularly.
  • It will monitor for new threats, changes in technology and changes in the provision of vital services.
  • It will assess potential gaps, from a system-wide perspective, that are not covered by existing rules.
  • It will continue to run cyber-attack stress tests and consider other types of operational-disruption-themed tests; monitor the implementation and outcomes of a new set of rules for important outside service providers; and consider whether to set further expectations about how quickly services should be able to be restored after an operational incident.

Regulators UK BoE; UK PRA
Entity Types Bank; BS; Corp
Reference PR, 3/27/2024
Functions BCS; Compliance; Cyber; Legal; Operations; Outsourcing; Risk; Technology
Countries United Kingdom
Category Central Bank; National Regulator
State
Products Banking; Corporate; Payments
Regions EMEA
Rule Type Final
Rule Date 3/27/2024
Effective Date 3/27/2024
Rule Id 206182
Linked to N/A
Reg. Last Update 3/27/2024
Report Section UK

Last substantive update on 04/02/2024