In a highly informative webinar, industry experts Julien Haye, Andrew Sheen, and Jimi Hinchliffe delved into the critical convergence of operational resilience and consumer duty regulations, highlighting their impacts, overlaps, and potential conflicts. A recently co-authored white paper exploring these themes in detail served as the anchor for this discussion.
The session began with introductions. Julien, with 24 years of experience in financial services, moderated the discussion. Andrew, a former UK regulator with expertise in operational risk, and Jimi, with a decade of experience in regulatory affairs and operational resilience consulting, shared their insights on the complexities of these regulations.
In this article, you will find a summary of the webinar's key discussion points, and you will be able to listen to the full webinar. We have also added insights that were not covered explicitly during the discussion, such as the impact of DORA, to which the main conclusions still apply.
Why look at the intersection of Operational Resilience and Consumer Duty?
Operational resilience and consumer duty are pivotal focuses within regulatory and strategic landscapes. While often complementary, they can occasionally conflict and generate localised pain points, posing challenges for resource allocation and strategic planning.
From the diverging customer harm definition to service prioritisation and customer complaint handling, both sets of regulations require a nuanced approach to end-to-end organisational and product/service design as well as customer servicing.
Coupled with the Senior Managers and Certification Regime, executives and board directors face conflicting demands requiring a detailed approach to compliance and a holistic approach to risk management.
Download the white paper, When Operational Resilience and Consumer Duty Collide, for comprehensive insights and practical guidance.
Key Regulatory Frameworks
Operational Resilience and Consumer Duty
The core of the discussion revolved around how operational resilience, focused on maintaining critical business services during operational disruption, intersects with consumer duty, which mandates firms to avoid foreseeable harm to customers. The speakers underscored the necessity of integrating these frameworks to prevent regulatory conflicts and ensure comprehensive compliance.
Senior Managers and Certification Regime (SMCR)
"The Senior Managers and Certification Regime places immense responsibility on executives to ensure that both operational resilience and consumer duty are prioritised, requiring a cohesive approach to governance." - Jimi Hinchliffe on the Role of Senior Managers
Both regulations require clear accountability within firms across the UK financial system and beyond. The COO or SMF24 often manages operational resilience, while compliance typically handles consumer duty. This separation can create silos, making integrated governance and communication essential.
The interaction between these two regimes also affects other connected regulatory frameworks.
Bank of England’s PS16/24 Policy on Critical Third Parties
The Bank of England’s new PS16/24 policy on Critical Third Parties (CTPs) further strengthens operational resilience requirements, specifically for service providers whose disruption could impact the UK financial system. This policy aligns with the broader goal of safeguarding financial stability and emphasizes the need for CTPs to meet high standards in risk management, scenario testing, and governance. Firms working with these critical providers must now carefully manage third-party dependencies to ensure compliance with resilience standards.
Digital Operational Resilience Act (DORA)
DORA aims to ensure that financial institutions in the EU can withstand, respond to, and recover from all types of ICT-related disruptions and threats. Our experts highlighted the following key points:
DORA Overview: DORA establishes a comprehensive framework for digital operational resilience, emphasising the need for financial entities to have robust ICT systems and controls in place.
Compliance Requirements: Financial institutions must adopt measures to manage and mitigate ICT risks effectively, ensuring continuous operational resilience and stability of the financial system.
Impact on Financial Institutions: The act requires firms to regularly test their digital operational resilience and report any significant ICT-related incidents to the relevant authorities.
Definition of Consumer Duty and Operational Resilience
These regulations, implemented by the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (BoE), ensure that firms in the categories described in the next section maintain the resilience needed to prevent disruptions to their services and prioritise the best interests of consumers in their operations and service offerings.
Consumer Duty: Ensuring fair treatment of retail customers and meeting regulatory expectations. It focuses on consumer protection and target markets.
Operational Resilience: The ability of an organisation to prepare for, respond to, and recover from disruptions. This includes setting impact tolerances for each important business service.
If you need tailored support or have specific questions about how to integrate these regulatory frameworks within your organisation, please don't hesitate to reach out. Our experts are here to help.
Firms Affected by Operational Resilience and Consumer Duty Regulations
Operational resilience and consumer duty regulations apply across the UK financial sector.
Operational Resilience:
Banks: Including retail banks, wholesale banks, and investment banks.
Building Societies: Mutual organisations that provide banking and related financial services.
Credit Unions: Member-owned financial cooperatives.
Insurance Companies: Both life and general insurers.
Payment Service Providers: Entities that provide payment services to consumers and businesses.
E-money Institutions: Firms that issue electronic money.
FCA and PRA Designated Investment Firms: Companies that offer investment services and products.
Asset Managers: Firms that manage investment funds and portfolios.
Market Infrastructure Firms: Including central counterparties and trading venues.
Financial Market Utilities: Firms providing essential services for the functioning of the financial markets.
Consumer Duty:
Banks and Building Societies: Engaging in retail banking activities.
Mortgage Providers and Administrators: Firms involved in the provision and management of mortgages.
Consumer Credit Firms: Companies offering loans, credit cards, and other consumer credit products.
Insurance Firms: Both providers and intermediaries, including brokers.
PRA and FCA Investment Firms and Advisers: Those offering investment products and financial advice.
Payment Service Providers: Companies facilitating payments.
E-money Institutions: Firms issuing and managing electronic money.
Asset Managers: Firms managing investments on behalf of clients.
Financial Advisers: Providing financial advice to consumers.
Pension Providers and Administrators: Companies managing pension schemes and products.
Main Discussion Points
Customer Harm Definitions
"Foreseeable harm is what a reasonable firm can predict and mitigate against, while intolerable harm is about recovery being difficult or impossible. Balancing these is crucial for regulatory compliance." - Andrew Sheen on Foreseeable vs. Intolerable Harm
Intolerable Harm: Defined in operational resilience as harm from which recovery is difficult. It is fundamentally about business continuity and recovery.
Foreseeable Harm: In consumer duty, it refers to harm a reasonable firm could predict. The speakers emphasised that firms need to set their impact tolerances to avoid both foreseeable and intolerable harm, thus requiring proactive investment.
Strategic Decisions and Tensions
Branch Closures: The closure of branches, driven by cost-cutting and resilience costs, can lead to foreseeable harm, particularly to vulnerable customers reliant on in-person banking.
Access to Cash: Reducing cash services can exclude customers not using digital banking, underscoring the importance of maintaining multiple service channels to meet diverse customer needs.
Holistic Organisational Design
"To truly achieve operational resilience, we must integrate it seamlessly with our consumer duty obligations, ensuring that no aspect of customer service is compromised during disruptions." - Julien Haye on the Importance of Integration
The need for integrated frameworks was highlighted, urging firms to break down silos between operational resilience and consumer duty teams. This includes aligning management information systems and scenario planning to consider both regulations simultaneously.
Cost of Compliance
"Investing in resilience is not just about meeting regulatory standards; it's about safeguarding our customers and ensuring long-term stability. The cost is significant, but the cost of non-compliance or failure is far greater." - Julien Haye on the Cost of Compliance
Investments in resilience are expensive, and meeting consumer duty standards can add to these costs. The webinar stressed the importance of strategic planning to manage these expenses while ensuring compliance.
Vulnerable Customers
"We must remember that reducing physical banking services can have a profound impact on vulnerable customers. It's essential to maintain multiple channels to ensure inclusivity and prevent exclusion." - Andrew Sheen on Vulnerable Customers
A significant focus was placed on how these regulations impact vulnerable customers, who may not be digitally literate or may rely on physical banking services. It is crucial to ensure the inclusion of these customers.
Governance and Accountability
The speakers discussed the role of the consumer duty champion, an individual responsible for overseeing consumer duty compliance. This role must be clearly defined and integrated with operational resilience responsibilities to ensure a unified approach to regulatory compliance.
Holistic Risk Management and Operational Risk Integration
"Holistic risk management means looking beyond silos and integrating operational risks with other risk types. It's about having a unified strategy that ensures resilience across all facets of the organization." - Jimi Hinchliffe on the Necessity of Holistic Risk Management
Comprehensive Approach
A comprehensive approach to risk management is crucial for financial institutions to identify, assess, and mitigate all potential threats. This approach involves a broad view of risk management that encompasses various types of risks, including financial, operational, strategic, and reputational risks. By considering all these aspects, organisations can develop robust strategies that not only protect their assets but also ensure long-term stability and growth.
A comprehensive risk management approach encompasses key aspects such as:
Risk Identification: Systematically identifying all potential risks that could impact the organisation.
Risk Assessment: Evaluating the likelihood and impact of each identified risk.
Risk Mitigation: Implementing strategies to reduce the likelihood and impact of risks.
Continuous Monitoring: Monitoring the risk environment on a regular basis to identify new risks and assess the effectiveness of mitigation strategies.
This comprehensive approach guarantees the identification of all potential threats and the readiness of all organisational areas to manage disruptions.
Integration of Operational Risk
Operational risk is an essential component of overall risk management. Integrating operational risk with other risk types allows for a unified risk management strategy that provides a more accurate and comprehensive view of the organisation's risk profile.
Operational risk integration involves:
Cross-Functional Collaboration: Encouraging collaboration between different departments to share information and insights about potential risks.
Unified Risk Framework: Developing a single framework that incorporates all types of risks, allowing for a consistent approach to risk management across the organisation.
Centralised Risk Reporting: Implementing centralised systems for reporting and analysing risks, which aids in identifying correlations and interdependencies between different risk types.
Strategic Decision-Making: Using integrated risk information to inform strategic decisions and prioritise risk mitigation efforts.
By integrating operational risk with other risk types, organisations can ensure a more resilient and proactive approach to managing risks.
Effective Risk Assessment
Effective risk assessment is essential for identifying, assessing, and mitigating risks in a systematic and comprehensive manner. Advanced techniques and tools can enhance the accuracy and efficiency of the risk assessment process.
Effective risk assessment techniques include:
Quantitative Risk Analysis: Utilising statistical methods and models to quantify the likelihood and impact of risks. This approach provides a data-driven basis for risk management decisions.
Qualitative Risk Analysis: Gathering expert opinions and conducting scenario analysis to assess risks that are difficult to quantify. This approach adds context and depth to the risk assessment process.
Risk Heat Maps: Visualising risks on a heat map to prioritise them based on their likelihood and impact. This tool helps to quickly identify the most critical risks that require immediate attention.
Stress Testing and Scenario Analysis: Simulating various adverse scenarios to evaluate the organisation’s resilience and preparedness. These techniques help in identifying vulnerabilities and testing the effectiveness of mitigation strategies.
The webinar concluded with a Q&A session, addressing audience queries about the need for regulatory guidance on the interaction between foreseeable and intolerable harm. The consensus was that clearer regulatory directives would be beneficial, although firms must proactively integrate these frameworks in their governance structures.
Other Frequently asked questions
1. What are Target Markets?
Definition: Target markets refer to specific groups of consumers for whom a product or service is designed. Identifying the target market involves understanding the needs, characteristics, and objectives of these consumers.
Relevance to Consumer Duty:
Product Governance: Firms must ensure that products and services are designed to meet the needs of identified target markets. This involves a thorough understanding of the target market's financial situation, needs, and objectives.
Fair Treatment: Firms need to ensure that their marketing and sales practices are aligned with the needs and understanding of their target markets. This includes clear communication, avoiding misleading or overly complex information, and providing appropriate advice.
Outcome Monitoring: Firms are required to continuously monitor and review whether the products or services deliver the intended outcomes for the target market. This helps in identifying any misalignment or potential detriment to consumers.
2. What are Closed Products?
Definition: Closed products are financial products that are no longer offered to new customers but are still managed and serviced for existing customers.
Relevance to Consumer Duty:
Ongoing Responsibility: Firms must continue to act in the best interest of customers holding closed products. This includes ensuring that the products remain fit for purpose and continue to meet the customers' needs.
Communication: Clear and effective communication with customers about the status of closed products is essential. Customers should be informed about their options, including any potential changes to the product's terms or performance.
Review and Remediation: Firms must regularly review closed products to identify any issues that may arise over time, such as changes in market conditions or regulatory requirements. If a closed product no longer meets the needs of consumers, firms should take appropriate action, which may include providing alternative solutions or compensation.
Application and Compliance:
Product Approval Process: Firms must have a robust product approval process that considers the target market's needs and ensures that the product design and distribution strategy align with those needs.
Training and Competence: Employees should be adequately trained to understand the target markets and the specifics of both open and closed products. This helps in providing appropriate advice and support to customers.
Documentation and Record-Keeping: Firms should maintain detailed records of their product governance processes, including how they identified target markets and managed closed products. This documentation is crucial for regulatory reviews and audits.
Customer Support: Providing ongoing support to customers, especially those with closed products, is vital. This includes addressing any issues or queries promptly and effectively.
Feedback and Adaptation: Regularly seeking feedback from customers and using it to refine products and services ensures that firms continue to meet their customers' needs effectively.
3. What is an operational resilience framework?
An operational resilience framework is a structured approach that organisations, particularly in the financial sector, use to ensure they can prevent, adapt to, respond to, recover from, and learn from operational disruptions. The aim is to maintain critical functions and services in the face of adverse events, minimising the impact on customers, the organisation, and the broader financial system, and thereby to ensure the stability of firms and financial markets.
The UK operational resilience framework aligns closely with the Basel Committee on Banking Supervision (BCBS) Principles for Operational Resilience (POR) published on 31 March 2021, as both sets of principles emphasise the importance of preparing for, responding to, and learning from operational disruptions. The UK framework, developed by the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA), integrates the BCBS guidelines and adapts them to the specific regulatory and market conditions in the UK.
Key Components of an Operational Resilience Framework:
Governance and Oversight:
Leadership Commitment: Senior management and the board must be committed to operational resilience, providing direction and resources.
Roles and Responsibilities: Clearly defined roles and responsibilities for resilience planning and response across the organisation.
Identification of Critical Functions:
Business Services Identification: Identify the important business services and functions that are critical to the organisation and its customers.
Dependencies Mapping: Identify internal and external dependencies crucial for delivering critical services, including third-party vendors.
Risk Assessment and Scenario Planning:
Risk Identification: Identify potential threats and vulnerabilities that could disrupt operations, such as cyber-attacks, natural disasters, pandemics, etc.
Impact Analysis: Assess the potential impact of different disruption scenarios on critical functions and services.
Control and Mitigation Measures:
Preventive Measures: Implement controls to prevent disruptions, such as cybersecurity defenses, physical security measures, and redundancy in critical systems.
Response Plans: Develop and maintain incident response plans that outline steps to take during various types of disruptions.
Business Continuity and Disaster Recovery:
Continuity Planning: Create and regularly update business continuity plans (BCPs) that ensure critical functions can continue or quickly resume during disruptions.
Recovery Strategies: Develop disaster recovery plans (DRPs) that focus on restoring IT systems, data, and infrastructure after a disruption. This ensures the organisation can recover and learn from an incident.
Testing and Training:
Regular Testing: Conduct regular testing of business continuity and disaster recovery plans through simulations and drills.
Training and Awareness: Provide ongoing training to employees on their roles in maintaining operational resilience and responding to incidents.
Communication:
Crisis Communication Plan: Develop a communication plan to inform stakeholders, including employees, customers, regulators, and the media, during and after a disruption.
Internal Coordination: Ensure clear communication channels within the organisation to facilitate swift decision-making and response.
Monitoring and Review:
Continuous Monitoring: Implement systems to continuously monitor for potential disruptions and threats.
Regular Reviews: Periodically review and update the operational resilience framework to incorporate lessons learned from incidents, changes in the business environment, and evolving threats.
Regulatory Compliance:
Adherence to Regulations: Ensure compliance with relevant regulatory requirements and guidelines on operational resilience.
Reporting: Maintain records and provide necessary reports to regulators demonstrating the organization’s resilience capabilities.
Objectives of an Operational Resilience Framework:
Minimise Disruption: Reduce the likelihood and impact of operational disruptions.
Ensure Continuity: Maintain the continuity of critical business functions and services during and after disruptions.
Protect Reputation: Safeguard the organisation’s reputation by effectively managing crises.
Enhance Customer Trust: Build and maintain trust with customers by demonstrating robust resilience capabilities.
Regulatory Compliance: Meet regulatory expectations and requirements related to operational resilience.