By Huw Jones

LONDON, March 29 (Reuters) - Banks and other financial firms
in Britain must set out by March 2022 how quickly critical parts
of their business could recover from IT glitches and other
disruptions and how to minimise the impact, the Bank of England
said on Monday.

The BoE's Prudential Regulation Authority (PRA), in
conjunction with the Financial Conduct Authority, set out rules
on operational resilience after glitches at TSB in 2019 and at
other banks left millions of customers locked out of their
online accounts and facing delayed payments.

Each regulated firm must draw up plans that set out where
disruption could hit customers and broader financial stability,
and how long it would take to resume normal service.

Each firm will decide the time it would take for a specific
part of its business to recover and the time allowed should
reflect its importance to customers and overall stability.

"The speed at which vulnerabilities are remediated should be
commensurate with the potential impact that a disruption would
cause, and will be an area of supervisory focus," the BoE said.

Firms are not expected to have fully fleshed out and tested
plans by March 2022, but are required to show by March 2025 that
they can recover within the "impact tolerances" that have been
set.

"The PRA expects firms to update their mapping annually at a
minimum, or following significant change if sooner," the BoE
said.

A senior manager in each firm will be directly responsible
for operational resilience plans, with boards required to
approve the tolerances that have been set.

(Reporting by Huw Jones; editing by Barbara Lewis)