By Huw Jones
LONDON (Reuters) – Banks and other financial firms in Britain must set out by March 2022 how quickly critical parts of their business could recover from IT glitches, cyber attacks or other disruptions, and how to minimise the impact, the Bank of England said on Monday.
The BoE’s Prudential Regulation Authority (PRA), in conjunction with the Financial Conduct Authority, set out ground-breaking rules on operational resilience after glitches at TSB in 2019 and at other banks left millions of customers locked out of their online accounts and facing delayed payments.
Andrew Husband, a financial services partner at consultants KPMG, said the rules were an international opportunity.
“At a time when Brexit is focusing minds on the future of financial services, this is an area of regulatory policy that provides an opportunity for UK financial services to gain competitive advantage on the global stage,” Husband said.
Each regulated firm must draw up plans that set out where disruption could hit customers and broader financial stability, and how long it would take to resume normal service.
Each will decide how long a specific part of its business would take to recover, and the time allowed should reflect that part's importance to customers and to overall stability.
“The speed at which vulnerabilities are remediated should be commensurate with the potential impact that a disruption would cause, and will be an area of supervisory focus,” the BoE said.
The BoE said firms were not expected to have fully fleshed out and tested plans by March 2022, but must show by March 2025 that they can recover within the “impact tolerances” that have been set.
“The PRA expects firms to update their mapping annually at a minimum, or following significant change if sooner,” the BoE said.
A senior manager in each firm will be directly responsible for operational resilience plans, with boards required to approve the tolerances that have been set.
(Reporting by Huw Jones; editing by Barbara Lewis)