In recent years, with the increasing use of cloud services and reliance on information and communication technology (ICT) in the industry, financial services regulators have provided extensive Operational Resilience guidance, covering areas such as pandemics, cybersecurity, ICT outsourcing, and ICT third-party risks. Before I describe how VMware offers our financial services customers choice to meet their regulatory compliance demands, how should we understand “Operational Resilience” in the context of the financial services industry?
Let’s explore this through examples from prominent regulatory bodies:
Financial Services Regulator: Definition of Operational Resilience

US Federal Reserve: Operational Resilience is the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions. A firm that operates in a safe and sound manner is able to identify threats, respond and adapt to incidents, and recover and learn from such threats and incidents so that it can prioritize and deliver critical operations and core business lines, along with other operations, services, and functions identified by the firm, through a disruption.

Federal Financial Institutions Examination Council (FFIEC): The ability of an entity’s personnel, systems, telecommunications networks, activities, or processes to resist, absorb, and recover from or adapt to an incident that may cause harm, destruction, or loss of ability to perform mission-related functions.

Basel Committee on Banking Supervision: The ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimize their impact on the delivery of critical operations through disruption. In considering its operational resilience, a bank should assume that disruptions will occur and take into account its overall risk appetite and tolerance for disruption.

Bank of England: By ‘Operational Resilience’, we mean the ability of firms, and the financial sector as a whole, to absorb and adapt to shocks and disruptions, rather than contribute to them. It extends beyond business continuity and disaster recovery. Financial firms and FMIs must have robust plans in place to deliver essential services, no matter what the cause of the disruption. This includes man-made threats such as physical and cyber attacks, IT system outages, third-party supplier failure, as well as natural hazards such as fire, flood, severe weather, and pandemic.

European Commission – Digital Operational Resilience Act (DORA): ‘Digital Operational Resilience’ means the ability of a financial entity to build, assure, and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.

Table of Operational Resilience Definitions
To summarize, Operational Resilience involves a comprehensive approach to ensuring that essential customer services (e.g. customer banking, payments, etc.) can be delivered continuously regardless of disruptions, and that financial services organizations can respond and recover effectively to maintain their critical operations and business functions. Key components include the ability to identify and protect against threats, respond and adapt to disruptive events, and recover and learn from incidents to mitigate their impact on critical operations and core business lines.
Furthermore, here are some examples of how regulators in Europe and North America are strengthening industry regulations around Operational Resilience:
The Digital Operational Resilience Act (DORA) by the European Commission introduces extensive regulations for managing Digital Operational Resilience, aiming to mitigate risks related to ICT systems and third-party dependencies. DORA seeks to rationalize the fragmented European financial services regulatory landscape by establishing a comprehensive EU-wide framework with no overlaps or gaps. DORA entered into force in January 2023 and shall apply to all EU member states from 17 January 2025.
DORA puts detailed requirements on FS firms across five pillars:
Risk management – firms must have a comprehensive and well-documented ICT risk management framework
Incident Reporting – firms must report major ICT-related incidents
Digital operational resilience testing – firms’ business continuity and disaster recovery plans must deliver high levels of operational resiliency and be tested regularly (at least annually)
ICT third-party risk* – firms must manage ICT third-party risk as part of their overall risk management framework
Information & intelligence sharing – firms are encouraged to share cyber-threat information to enhance operational resilience of the entire financial system
*Under DORA, “critical” ICT third-party providers now come under the direct supervision of EU financial services regulators.
The UK’s supervisory authorities (collectively the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA), along with the Bank of England) initially released their final rules and guidelines in March 2021. Financial Services firms in the UK are expected to adhere to these requirements to ensure operational resilience by a deadline of 31 March 2025.
Key actions include:
Identifying vital business services that could harm consumers, market integrity, firm viability, or financial system stability if disrupted.
Setting impact tolerances for maximum allowable service disruption.
Conducting thorough mapping, testing, and vulnerability assessments.
Undertaking lessons-learned exercises to enhance response and recovery capabilities.
Creating communication plans for service disruptions.
Preparing self-assessment documentation.
And by 31 March 2025:
Perform mapping and testing to stay within impact tolerances for crucial business services.
Make necessary investments for consistent operation within impact tolerances.
In October 2020, an interagency paper titled “Sound Practices to Strengthen Operational Resilience” was released by the United States Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation collectively. This interagency paper consolidates existing regulations, guidance, and common industry standards in one place to provide a comprehensive approach that banks may use to strengthen and maintain their operational resilience.
The sound practices are anchored by robust operational risk and business continuity management, informed by rigorous scenario analyses and testing, consideration of third-party risks, and planning for alternative service providers where necessary.
Additionally, the Canadian Office of the Superintendent of Financial Institutions (OSFI) has openly discussed issuing more stringent guidance on managing IT operational risks arising from the use of and reliance on services from cloud providers and other third-party service providers.
What impact does this risk & regulatory environment have on our Financial Services customers?
While regulators offer prudent guidance on key risks that should be considered, firms themselves are directly responsible for identifying operational risks and mitigating them through appropriate risk management and resiliency strategies, including those related to cloud service providers. The days when firms could treat compliance as a checkbox exercise and state that a critical service has a “backup” are behind us. Firms need to demonstrate through regular testing that they can actually sustain their operations, have further remediation plans enacted, and have fully developed exit strategies in place (ahead of when they need one).
Relying on new software or a cloud service is not enough, however. For all “critical” and “important” services, firms need to make sure that they have implemented the solution, run it optimally, and can demonstrate to regulators that they have full visibility, control, and contingency in place. And just as we see a commonality in how the various regulators define terms, financial services firms around the world should expect regulators to continue to talk amongst each other to encourage common prudential guidelines across the world. Much like GDPR, the EU’s DORA is one regulation that we anticipate will have a much wider impact on the financial services industry than just within EU member states.
All things considered, compliance is not such an easy task for banks, insurers, and other financial services firms. It’s become much more than a checkbox exercise; it’s increasingly feeling like a full-contact sport!
For Financial Services, Multi-Cloud can provide a solution to the Operational Resiliency challenge!
At VMware, we’re seeing many financial services customers: 1) struggling to execute their public cloud strategies, and 2) adapting their operational models to run critical business systems seamlessly across both the data center and the public cloud. Many of their cloud migration projects have either stalled or exceeded their initial timelines.
Correspondingly, a December 2022 report on cloud adoption in Europe by the Association for Financial Markets in Europe highlights regulatory complexity as a major barrier affecting the pace of cloud adoption within the finance industry.
With an estimated 75% of FSI firms leveraging multiple cloud providers, many financial institutions are embracing a multi-cloud strategy to mitigate operational risk. However, in pursuit of this objective, firms encounter the difficulty of navigating and managing diverse cloud approaches for each CSP, all while ensuring a resilient financial ecosystem.
VMware’s multi-cloud approach for financial services risk/regulated environments combines the use of our VMware SDDC architecture across all clouds (private, public, sovereign, and edge) with our workload migration and DR capabilities. By maintaining a common and consistent architecture, financial institutions can:
Develop and operate diverse applications delivering an agile and scalable cloud experience across multiple cloud providers and on-premises
Ensure continuity of operations during planned DR testing or unplanned outages/disasters
Protect against ransomware and other cyber-threats
Enable seamless migrations between different clouds should firms need to enact cloud provider contingency plans
However, not all workloads or financial systems can or will be migrated to the public cloud and regulators are no less concerned with how data center environments operate in the event of instability. For those environments, utilizing VMware Cloud Foundation, firms can enjoy the advantages of the same highly available and resilient SDDC architecture on-premises, enabling streamlined operations and efficient utilization of infrastructure in the data center.
Key Takeaway for Financial Services Institutions
VMware offers our financial services customers unequivocal choice in both application platform and infrastructure platform layers enabling them to strike a balance between agility and operational resilience!
We’re excited to be working with our partner Runecast to address the challenge financial services firms face in gaining visibility into and managing their EU DORA compliance posture in a multi-cloud world enabled by VMware. More to come on our partnership so stay tuned to VMware’s Industry Solutions blog for updates.
The post Decoding Operational Resilience: Navigating Industry Regulations in Financial Services appeared first on VMware Industry Solutions.