Recent FCA outcomes and a speech by the ECB earlier this month are stark reminders that financial resilience alone is not a sufficient safeguard to operate in today’s increasingly complex risk environment – firms must have robust, resilient operational systems in place, as well. (See our comments on the ECB speech).
From an enforcement perspective, the past couple of years have seen significant outcomes relating to outsourcing (see here) and cybersecurity arrangements (see here). We have also seen an increase in intervention and enforcement action by the FCA, including against firms that breached requirements imposed on them because the controls designed to meet those requirements were inadequately implemented, tested and monitored. (See our briefing on issues for firms to consider when managing regulatory intervention). In a very recent speech at the Financial Crime Summit, ‘A targeted and outcomes-based approach to tackling financial crime’, the FCA’s executive director for markets reemphasised the importance of making “strategic interventions” to prevent fires from breaking out rather than “constantly hosing down fires where they arise”. Financial crime in particular has been a consistent area of enforcement action, where inadequate systems and controls have often been the key breach.
It is clear that, in the eyes of the regulators, a robust approach to operational resilience, and diligent implementation, testing and monitoring of new and updated IT or other systems when they are put in place, should be taken as seriously by firms as the financial and commercial factors that drive the business.
Against this regulatory backdrop, we set out below, at a high level, some key lessons learned from recent FCA outcomes for firms to consider when carrying out systems/operational changes and updates.
1. Regulated firm (and relevant SMF) retains responsibility: Where the firm is undertaking an IT change management project, making use of outsourcing arrangements more broadly, or changing its systems or products in response to regulatory intervention – whether via an independent third party or an intragroup service – the regulated firm and the relevant SMF remain responsible. This should be factored into consideration of the steps necessary to mitigate adequately the risk of issues arising, and of how those steps could be evidenced to the regulator.
2. Governance framework: Those involved in overseeing the process should consider the appropriate governance framework for implementation of any new operational change or process and how to document this. Individual accountability and oversight, MI reporting, escalation and ongoing monitoring should all form part of project governance, and be regularly recorded and filed so as to be easily accessed in the event that questions arise in future (when key individuals may no longer be available).
3. Pre-implementation testing: Undertaking sufficiently robust pre-implementation testing of new systems (for example, an IT migration) and/or changed processes (for example, customer onboarding) will help the firm to identify, before the change ‘launches’ or ‘goes live’, any gaps in controls in the business that would increase its regulatory exposure. Firms would be well advised to keep records of the testing carried out, including the scope of the tests, the results and how any failures were resolved.
4. Ongoing monitoring: Review and stress-testing should be an ongoing process in order to avoid the perception of a ‘plug and play’ approach which does not periodically evaluate the effectiveness of implementation.
5. Respond to early warning signs: Firms and senior managers must be alert and respond to any early warning signs in relation to planned IT migrations or other projects, such as any indicators of potential performance or service issues. Root causes should be investigated promptly and lessons learned fed back into the system. Adequate reporting and management information will need to be in place so as to equip relevant individuals with an early warning system and they will need sufficient time, expertise and resource to be able to review and assess the information and respond. Designing and planning this support and safety mechanism should take place before any change is implemented.
6. Reliance on third (or fourth) parties: Linked to the first point regarding regulated firm responsibility: where assertions of confidence or confirmations of system readiness are provided by third or fourth parties, senior managers must ensure that sufficient challenge and investigation has taken place (and is documented in writing) to mitigate regulatory criticism that the firm and relevant individuals were over-reliant on those parties. Asking enough of the right questions, and getting the answers on the record in advance, will be invaluable in the event of any unforeseen developments.
Related to good governance, records of the steps taken with regard to design, implementation, testing and ongoing monitoring should be maintained on a centralised basis, and responsibility for updating them should be clearly assigned. Organised documentation puts a firm on the front foot in dealing with any regulatory enquiries, which may be made at relatively short notice.
We regularly advise firms and individuals on operational resilience and general governance around change management, including responding to regulatory intervention and enquiries at pace. Please get in touch if you require a deeper dive on any of these issues or wish to discuss.