(Adds Butler speech, more detail, reaction)
By Huw Jones
LONDON, Dec 5 (Reuters) - Regulators made proposals on
Thursday to strengthen the ability of banks and payment firms in
Britain to cope with major incidents and maintain key services
with minimum interruption.
A parliamentary committee called for changes in October
following a string of IT failures at banks, most recently one at
TSB that left thousands of customers unable to make payments
from their accounts.
The Bank of England and the Financial Conduct Authority have
proposed that banks, insurers, investment firms, exchanges and
financial market infrastructure (FMIs) firms like Visa that make
payments possible, set "impact tolerances" for important
services.
Firms themselves would quantify the maximum level of
disruption they would tolerate in terms of time, volume of
business or number of customers affected.
A metric based on time alone may be insufficient, the
regulators said, taking a more nuanced approach from an earlier
discussion paper.
Firms will have to spell out what backup plans they have to
stay within these tolerances to avoid huge disruption to
services, the regulators said in proposals put out to public
consultation.
"I will be asking your Chairs and CEOs what strategic
decisions and investment choices they are making to build
operational resilience and to maintain the supply of important
business services in the event of a major incident," Megan
Butler, executive director of supervision at the FCA, said in a
speech to the financial sector.
She warned firms not to "game the system" by setting an
excessively high impact tolerance to avoid spending money.
Consultants PwC said that while the proposals have no fixed
tolerances, regulators made it clear that boards and senior
managers are firmly on the hook for overseeing operational
resilience.
"These moves by the regulators bring operational regulation
on a par with the regulation of financial stability," added
Angela Greenough, a lawyer at CMS
The regulators also issued papers on how operational
resilience relates to services outsourced by financial firms,
such as cloud computing, that can leave them vulnerable to
disruptions.
Firms must be certain that important services can recover
from a disruption within a set period even when they rely on
outsourcing or third party providers for those services, the BoE
said.
"Firms and FMIs should use impact tolerances as a planning
tool and should assure themselves they are able to remain within
them in severe but plausible scenarios," the BoE said.
Regulators will issue final rules in the second half of
2020.
(Reporting by Huw Jones; Editing by Christina Fincher)