    US Agencies Outline Practices to Strengthen Operational Resilience

    October 30, 2020

    US Agencies (FDIC, FED, and OCC) published an interagency paper that outlines sound practices designed to help large banks enhance operational resilience. These practices bring together the existing regulations, guidance, statements, and common industry standards to provide a comprehensive approach that firms may use to strengthen and maintain their operational resilience. The paper details practices in areas such as governance, operational risk management, business continuity management, third-party risk management, scenario analysis, secure and resilient information system management, and surveillance and reporting. The paper does not revise the agencies' existing rules or guidance. These practices are intended for domestic banks with more than USD 250 billion in consolidated assets or banks with more than USD 100 billion in total assets and other risk characteristics.

    The following are the key highlights of practices presented in the paper:

    • Governance—As a best practice, the board of directors of a firm should approve and periodically review its risk appetite for weathering disruption from operational risks at the enterprise level and for the firm’s critical operations and core business lines. Senior management must be held accountable for developing, implementing, and managing effective and resilient information systems and controls, as appropriate, to maintain critical operations and core business lines consistent with the firm’s tolerance for disruption.
    • Operational risk management—By identifying, managing, and mitigating operational risk exposures related to internal processes, people, systems, external threats, and third parties, a firm should be able to strengthen its operational resilience. Effective operational risk management involves close engagement by the firm’s senior management, business line operations, independent operational risk management function, and independent internal (or external) audit function.
    • Business continuity management—The business continuity management should incorporate business impact analysis; testing, training, and awareness programs; and communication and crisis management policies. A firm should periodically review its business continuity plan to ensure contingency strategies remain consistent with current operations, risks and threats, its tolerance for disruption, and recovery priorities. The firm should leverage information contained in its recovery or resolution plans, where applicable, to identify options to respond to a wide range of severe but plausible internal and external stress scenarios.
    • Third-party risk management—A firm should identify and analyze the third-party risk of its critical operations and core business lines. It should periodically review reports of systems and controls and summaries of test results or other equivalent assessments of third parties. It should verify that third parties have sound risk management practices and controls in place that serve to identify and mitigate hazards to operations and are consistent with the firm’s tolerance for disruption. It should also identify other third parties that may be available to assist in the event its current third parties are unable to continue delivering services.
    • Scenario analysis—As a sound practice, scenario analysis helps a firm to develop, validate, and calibrate its tolerance for disruption. Firms may integrate the analysis with disaster recovery and business continuity management for use in assessing operational resilience. In designing scenarios, a firm should leverage both the mapped interconnections and interdependencies of its critical operations and core business lines, including the third-party risks set forth in its recovery or resolution plans, as well as relevant business impact analyses.
    • Secure and resilient information system management—Secure and resilient information systems underpin the operational resilience of a firm’s critical operations and core business lines. The appropriate implementation, use, and protection of information systems can help a firm to identify and detect risks to operational resilience. A firm should routinely apply and evaluate the effectiveness of processes and controls to protect the confidentiality, integrity, availability, and overall security of its data and information systems. A firm should review information systems and controls on a regular basis, against common industry standards and best practices.
    • Surveillance and reporting—A firm should identify and monitor ongoing exposure to operational risk relative to its risk appetite and tolerance for disruption. Anomalous activity should be detected in a timely manner to avoid or mitigate a disruption in the firm’s critical operations and core business lines. A firm must conduct continuous surveillance and report to senior management and the board of directors, providing sufficient data and information for timely and appropriate decisions regarding measures to respond to a disruption.

    Given the significance and technical nature of cybersecurity risk, which is one of the most important types of operational risk, the US Agencies have presented, in Appendix A, a separate collection of sound practices for the management of cyber risk. The sound practices for cyber risk management are aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework and augmented to emphasize governance and third-party risk management. In the coming months, the US Agencies intend to convene discussions with the public on further steps to improve operational resilience. Given that many of the firms have extensive cross-border activities, the agencies will seek to minimize the potential for market fragmentation and to align best practices for operational resilience. The agencies may update these sound practices to reflect input from such discussions.

    Keywords: Americas, US, Banking, Operational Resilience, Operational Risk, Cyber Risk, Governance, Third-Party Risk, Sound Practices, Large Banks, Scenario Analysis, US Agencies
