Testing: the regulatory imperative
This week we have a guest post from Tim Nash of Finextra who talks about the importance of testing from a regulatory perspective….
Beyond the risks to reputation and share price associated with outages in bank systems, there is a wide-scale and significant regulatory imperative around banks’ ability to undertake testing in a comprehensive, insightful and auditable manner. As well as Capital Adequacy Stress Tests, regulators require their banks to test and report – and be subject to spot-checks – on a range of issues: operational resilience, business continuity and cyber-security checks, to name but three.
However, much bank testing is based on expensive and inefficient manual processes that are often only able to review individual elements rather than complete end-to-end processes. Bank executives will only enjoy fewer sleepless nights when their organisation’s approach to operational resilience switches from simple testing to one of strategic assurance – a key imperative, particularly when the regulators are involved.
In 1996 the Basel Capital Accord was amended to require banks to conduct Stress Tests to determine their ability to respond to market events. As a regulatory requirement, certain financial institutions were required to ensure that they had adequate capital levels to cover potential losses incurred during extreme, but plausible, events. Since that time, the press has given regular coverage to the performance of individual banks in their Stress Tests, together with commentary on any remedial action required.
But, beyond the areas of Capital Adequacy and intra-day liquidity, there are a number of other important regulatory-related tests that banks are required both to perform regularly and to report on.
In the UK, the Bank of England is responsible for the overall business continuity and operational resilience of the banking system. Its approach to what it terms Operational Resilience – the ability of firms and the financial system as a whole to absorb and adapt to shocks, rather than contribute to them – is based on the supervision of individual firms and financial market infrastructures. Its operational resilience strategy includes an element called ‘Building Resilience’. This covers the Bank’s expectations regarding the operational resilience required of firms and the development of a supervisory framework and tools – critically ‘assurance testing’ – for assessing the performance of individual institutions. To this end, one of the Bank’s ‘Dear Chairman’ letters was issued with the intention of initiating a review of the technology and cyber resilience of the UK’s major retail deposit takers.
Such testing is also required to comply with the Financial Conduct Authority (FCA) Handbook which sets out the need for banks to develop “a description of the applicant’s business continuity arrangements, including a clear identification of the critical operations, effective contingency plans, and a procedure for regular testing and reviewing of the adequacy and efficiency of such plans”. Banks, therefore, are required to both have documented business continuity plans and to test and review them regularly.
A recent interview conducted by Finextra with a number of senior bankers demonstrated that cyber crime and fraud are widely expected to present the biggest risk to the industry both now and into the future. To protect banks against this threat, the Bank of England has developed its CBEST framework for testing firms’ cyber resilience. The aim of the initiative is to test both an individual institution’s defences and its ability to detect and respond to a range of external attackers.
In addition to subjecting institutions to cyber resilience spot checks by the Bank, CBEST also encourages UK institutions to conduct regular security checks themselves. The CBEST programme also involves work on cyber crime involving players from across the whole banking industry. When discussing CBEST, the Chairman of the Bank of England said, “What I have mentioned so far – information-gathering, testing and information sharing – are essential ingredients to improving the sector’s resilience to potential cyber threats”.
Further, in 2017 it was announced that the EU was also considering the implementation of a similar programme to test bank defences against cyber attacks.
PSD2 and Open Banking
These regulations are aimed at increasing competition, innovation and consumer protection within the banking industry and require the larger banks to open up their customer franchises to specialist external providers – Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). With the opening up of banks’ core systems to such third-party providers (TPPs) via Application Programming Interfaces (APIs), regulatory compliance has focused the minds of banks on the importance of both security and testing as never before.
The operation of APIs will be governed by Regulatory Technical Standards (RTS), which will specify the requirements for common and secure standards of communication between banks and TPPs. Strong customer authentication (SCA) will be put at the centre of everything, and all TPPs will need to prove the implementation, testing and auditing of such security measures. This will place additional strain on banks’ testing resources and capabilities, as they may well be required to undertake robust testing – particularly around security – with multiple TPPs at the same time, and with the TPPs under the eye of their regulator.
Hence, the amount of change faced by banks to achieve regulatory compliance – the regulatory imperative – means that they must raise the importance of testing and operational control in their business priorities.