Payments Trends 2021 - Operational resilience and personal accountability
Part three of our five-part 2021 themes series
11 February 2021
There has been a renewed focus on the payments sector and its regulation. COVID-19 and its impact on spending habits and the Wirecard scandal are two of the contributing factors. But what’s next? We explore five themes likely to drive regulatory change for payments, as well as shape the enforcement policies of global regulators over the next 12 months. In part three we look at operational resilience and personal accountability.
High-profile IT failures and the impact of COVID-19 meant that operational resilience (ensuring the continuity of key business services) was a high priority for regulators during 2020. This will continue throughout 2021. Growing digitisation of customer experiences, greater automation of internal processes and increased use of third-party providers all make firms increasingly susceptible to technology disruption events. In September 2020, as part of the EU’s Digital Finance Package, the European Commission unveiled its proposal for an EU regulatory framework on digital operational resilience (DORA), intended to better align financial entities’ business strategies with the conduct of information and communication technology (ICT) risk management and to prevent and mitigate cyber threats.
EU - DORA
DORA requires firms to have internal governance and control frameworks that ensure an effective and prudent management of all ICT risks.
Management bodies will be required to define, approve, oversee and be accountable for the implementation of all arrangements related to the ICT risk management framework. DORA takes a “sliding scale” approach to compliance, with critical businesses having greater compliance obligations than others. 2021 will see DORA continue through the EU legislative process, with approval from the European Parliament and the Council of the EU still required.
We anticipate that domestic regulators will also increasingly look to formalise existing operational resilience guidance into specific regulations throughout 2021. In the UK, the FCA, the Prudential Regulation Authority and the Bank of England will finalise rules and policy statements on a new operational resilience framework for financial services firms, following several consultations which closed last year.
The final rules are likely to be implemented by firms by late 2021/early 2022 and will require firms to identify their important business services and impact tolerances, with a strict liability offence for failing to remain within impact tolerance levels. Enhanced governance obligations and a greater emphasis on the responsibilities of the current senior manager function will reinforce personal accountability at board level, with clear links between oversight responsibilities and decision making. Firms will need to put in place systems and controls to implement a robust communications strategy, expand self-assessment testing capacities, assess the systemic materiality of third-party partnerships, and carry out mapping exercises of the resources required to deliver each of the core business services.
Singapore - TRM Guidelines
In Singapore, to address the growing technology and cyber risks facing financial institutions that are increasingly reliant on technology, the MAS recently issued a set of revised Technology Risk Management (TRM) Guidelines, setting out the regulator’s higher expectations in the areas of technology risk governance and security controls in financial institutions. The TRM Guidelines provide additional guidance on the roles and responsibilities of the board of directors and senior management in managing technology and cyber risks, making it clear that both are expected to set the tone from the top and cultivate a strong culture of technology risk awareness and management.
The TRM Guidelines also require the board of directors and senior management to ensure that a Chief Information Officer, a Chief Technology Officer or Head of Information Technology, and a Chief Information Security Officer or Head of Information Security are appointed. In parallel, an individual accountability regime, which will take effect from September 2021, will also require the identification of senior managers with core management functions, such as a chief technology officer, who must be fit for their roles.
The MAS has also proposed to introduce new powers to issue rules on TRM for any financial institution in relation to its systems, irrespective of whether the systems support a regulated activity. The MAS views this as necessary because systems that do not support regulated activities can, due to inter-linkages, pose contagion cyber risk to systems that do. To highlight the importance of compliance with the TRM rules, the MAS has proposed to set the maximum penalty for breaches of the TRM rules at S$1 million.
Globally, we are also likely to see an increase in enforcement action relating to operational disruptions. Regulators may seek to hold firms accountable for failures in their responses to the challenges resulting from COVID-19, particularly where disruptions arise from cost-cutting in any economic downturn brought on by the pandemic. In parallel, the same technology disruption events (and any criticism from regulators) are likely to give rise to civil claims, whether for breach of contract, negligence or data breach litigation.
Firms will need to act swiftly to factor new regulatory requirements into existing operational resilience frameworks and to ensure that any policy changes required for compliance can be implemented in time, so as to reduce the chance of suffering a significant operational disruption and the risk of associated enforcement action.