InfoBytes Blog

Financial Services Law Insights and Observations

  • OCC’s Hsu speaks on operational resilience framework as regulators consider non-financial disruptions

    Federal Issues

    On March 12, the Acting Director for the OCC, Michael J. Hsu, delivered a speech at a banking conference in Washington, D.C. on “operational resilience,” which he defined as a bank’s ability to “prepare for, and adapt to, and withstand or recover from disruptions.” Hsu stressed that the most concerning impacts on financial institutions are not financial, but often arise from natural disasters, pandemics, global conflicts, or weak internal governance management. The acting director noted an increase in both the probability of disruptions and their impact. In response, the OCC will expect financial institutions to be operationally resilient, and Hsu stated that the federal banking agencies are considering changes to their operational resilience framework for large banks and possibly third-party service providers.

    These principles were first laid out in a white paper following the September 11, 2001, attack on the World Trade Center; that paper promoted geographic diversity and the resiliency of data centers. In October 2020, during the COVID-19 pandemic, the federal banking agencies issued a paper that integrated existing guidance and common industry practices.

    Federal Issues OCC Operational Resilience

  • Agencies outline standards for strengthening operational resilience

    Agency Rule-Making & Guidance

    On October 30, the Federal Reserve Board, OCC, and FDIC (agencies) released an interagency paper describing standards and sound practices for increasing operational resilience. (See also the Fed’s release and FDIC FIL-103-2020). The paper, titled Sound Practices to Strengthen Operational Resilience, does not revise existing agency regulations or guidance, but rather provides a “comprehensive approach” for banks to strengthen and maintain operational resilience. According to the agencies, “[r]obust operational risk and business continuity management anchor the sound practices, which are informed by rigorous scenario analyses and consider third-party risks. Secure and resilient information systems underpin the approach to operational resilience, which is supported by thorough surveillance and reporting.” The paper also includes an appendix focused on sound practices for cyber risk management and cybersecurity preparedness. The appendix is aligned to the National Institute of Standards and Technology Cybersecurity Framework and is “augmented to emphasize governance and third-party risk management.” The standards set forth in the paper are intended for large, domestic banks with more than $250 billion in average total consolidated assets, or banks with more than $100 billion in total assets and other risk characteristics.

    Agency Rule-Making & Guidance Federal Reserve OCC FDIC Privacy/Cyber Risk & Data Security Operational Resilience
