Acting Comptroller of the Currency Hints About Possible Operational Resilience Regulations
On March 12, at the Institute of International Bankers Annual Washington Conference, Acting Comptroller of the Currency Michael J. Hsu discussed the importance of operational resilience in the banking sector and hinted that regulations to promote it may be forthcoming.
Comptroller Hsu defined operational resilience as a bank’s ability “to prepare for, adapt to, and withstand or recover from disruptions.” These disruptions can stem from external events like natural disasters, bad actors, pandemics, or global conflicts, or from weak internal systems, controls, or risk management. Disruptions may impede the provision of payments services, adversely impact systems, or corrupt data. The Comptroller noted that the probability of disruptions and their potential impacts are increasing. “As banking services continue to grow and as technology and third parties play a greater role in the provision of those services, the threat surface for disruptions is expanding.”
According to Comptroller Hsu, regulatory agencies expect financial institutions to be operationally resilient. These expectations were first laid out in the Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, released following the September 11, 2001 terrorist attacks on the U.S. The White Paper provided guidance on the geographic diversity and resiliency of data centers and on recovery and settlement expectations for significant firms in critical financial markets. As the operating environment has since evolved significantly with technological advancements, widespread digital adoption, and increases in cyber-attacks, the federal banking agencies have continued to issue guidance.
Currently, the federal banking agencies are considering what changes to the operational resilience framework might be necessary, including additional regulation. Comptroller Hsu noted that the European Union, the United Kingdom, and Japan have proposed operational resilience rules that require firms to identify important business services, map processes, set impact tolerances, test under different scenarios, and establish standards for third-party risk management. The federal banking agencies are likewise exploring baseline operational resilience requirements for large banks with critical operations. According to Comptroller Hsu, “[s]uch baseline requirements could include establishing clear definitions for identifying critical activities and core business lines; defining tolerances for disruption; requiring testing and validation of resilience capabilities; incorporating third-party risk management expectations; stipulating clear communication expectations among stakeholders and counterparties; and addressing expectations for critical service providers, with emphasis on governance and risk management expectations.” The agencies are seeking feedback from the industry on issues such as ensuring consistency across institutions; how critical systems are defined; how concepts such as recovery time objectives, tolerance for disruptions, and maximum allowable downtime relate to one another; and whether expectations should vary across scenarios, for example the loss of a data center to fire versus a ransomware attack.
Comptroller Hsu concluded by emphasizing that the resilience of large banks’ critical operations is crucial and, as the threat surface for disruptions expands, federal agencies are considering whether additional regulation is the best response.