Banking regulators are considering what changes to the U.S. operational resilience framework may be appropriate as the risk of a major disruption in critical banking services grows, Acting Comptroller of the Currency Michael Hsu said today. Speaking at an international banking conference in Washington, D.C., Hsu said that as banking services continue to grow and as technology and third parties play a greater role in providing those services, “the threat surface for disruptions is expanding.”
The threat of disruptions from cyberattacks, natural disasters or other calamities can’t be solved through capital or liquidity, Hsu said. Rather, resilience results from ensuring that critical operations and banking services can withstand or recover from disruption through good planning, prudent investment, well-designed systems and regular testing. He noted that the European Union, U.K. and Japan have proposed operational resilience rules requiring financial institutions to identify important business services, set impact tolerance and test different scenarios, among other things. U.S. banking agencies also are considering changes to operational resilience requirements.
“Our current focus is on exploring baseline operational resilience requirements for large banks with critical operations, including third-party service providers,” Hsu said. “Such baseline requirements could include establishing clear definitions for identifying critical activities and core business lines; defining tolerances for disruption; requiring testing and validation of resilience capabilities; incorporating third-party risk management expectations; stipulating clear communication expectations among stakeholders and counterparties; and addressing expectations for critical service providers, with emphasis on governance and risk management expectations.”