The Bank of England has warned financial market infrastructures that they still have considerable work to do before operational resilience rules take full effect next year. In a speech, Executive Director Sasha Mills tells FMIs what they should prioritise ahead of March 2025.
No flash in the pan: The FCA, PRA and Bank of England have each introduced operational resilience regimes. The rules started to apply in 2022 but key aspects only kick in from 31 March 2025. The Bank of England warns that this deadline is “not the end of the story”. The FMIs that it supervises - such as payment system operators, central counterparties and securities depositories - will need to continue to monitor and improve their operational resilience as technologies and risks evolve.
Quantum leap: As well as addressing known vulnerabilities, FMIs need to make sure that they take into account changing or increasing risks. For example, FMIs need to manage the risks from cloud services, AI, quantum computing and distributed ledger technology, not only when adopting these technologies within their businesses but also when they are used by their customers or suppliers.
Collaborate to calibrate: FMIs need to make sure that they have calibrated their tolerance for disruption to their important business services. The Bank of England wants to see more engagement between FMIs, their participants and the wider market on setting these impact tolerances.
Think the unthinkable: “Significant work” is still needed on the approach and method FMIs use to test disruption to their important business services. FMIs should ask themselves if the scenarios they test are extreme enough. Extreme but plausible scenarios could include the loss of an important third party provider or a severe cyber-attack impacting multiple data centres at once.
Testing, testing: FMIs need to do more work on improving the sophistication of their testing. The Bank of England expects FMIs to prioritise their efforts on scenario testing so that they can identify vulnerabilities early enough to fix them before March 2025. FMIs should also have appropriate funding and resources dedicated to address weaknesses found during testing.
Group think: The Bank of England will consider the wider business model and company structure that financial market infrastructures operate in. For international businesses, FMIs and their parent companies need to ensure that appropriate investment and resources are being directed to the UK entity so that it can meet the Bank of England’s expectations for operational resilience.
Visit our website to explore our operational resilience resources.