On March 12, at the Institute of International Bankers Annual Washington Conference, Acting Comptroller of the Currency Michael J. Hsu discussed the importance of operational resilience in the banking sector and hinted that potential regulations aimed to promote the same may be forthcoming.

Comptroller Hsu defined operational resilience as a bank’s ability “to prepare for, adapt to, and withstand or recover from disruptions.” These disruptions can stem from external events like natural disasters, bad actors, pandemics, or global conflicts, or from weak internal systems, controls, or risk management. Disruptions may impede the provision of payments services, adversely impact systems, or corrupt data. The Comptroller noted that the probability of disruptions and their potential impacts are increasing. “As banking services continue to grow and as technology and third parties play a greater role in the provision of those services, the threat surface for disruptions is expanding.”

According to Comptroller Hsu, regulatory agencies expect financial institutions to be operationally resilient. These expectations were first laid out in the Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System that was released following the September 11, 2001 terrorist attack on the U.S. The White Paper provided guidance on geographic diversity and resiliency of data centers and on recovery and settlement expectations for significant firms in critical financial markets. As the operating environment has since evolved significantly with technological advancements, widespread digital adoption, and increases in cyber-attacks, federal banking agencies have continued to issue guidance.

Currently, the federal banking agencies are considering what changes to the operational resilience framework might be necessary, including additional regulation. Comptroller Hsu noted that the European Union, the United Kingdom, and Japan have proposed operational resilience rules that require firms to identify important business services, map processes, set impact tolerances, test under different scenarios, and establish standards for third-party risk management. The federal banking agencies are likewise exploring baseline operational resilience requirements for large banks with critical operations. According to Comptroller Hsu, “[s]uch baseline requirements could include establishing clear definitions for identifying critical activities and core business lines; defining tolerances for disruption; requiring testing and validation of resilience capabilities; incorporating third-party risk management expectations; stipulating clear communication expectations among stakeholders and counterparties; and addressing expectations for critical service providers, with emphasis on governance and risk management expectations.” The agencies are looking for feedback from the industry on issues like ensuring consistency across institutions; how critical systems are defined; what the relationship is between concepts such as recovery time objectives, tolerance for disruptions, and maximum allowable downtime; and whether expectations vary for different scenarios such as loss of a data center due to fire compared to ransomware attack.

Comptroller Hsu concluded by emphasizing that the resilience of large banks’ critical operations is crucial and, as the threat surface for disruptions expands, federal agencies are considering whether additional regulation is the best response.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Matthew Bornfreund Matthew Bornfreund

Matthew provides comprehensive guidance to clients on a wide range of regulatory, transactional, and compliance matters, helping them to advance their operational goals and launch new products and services. His clients include domestic and international traditional and nontraditional banks, as well as fintechs…

Matthew provides comprehensive guidance to clients on a wide range of regulatory, transactional, and compliance matters, helping them to advance their operational goals and launch new products and services. His clients include domestic and international traditional and nontraditional banks, as well as fintechs, private equity funds, and payment services firms.

Photo of Ethan G. Ostroff Ethan G. Ostroff

Ethan’s practice focuses on financial services litigation and compliance counseling, as well as digital assets and blockchain technology. With a long track record of successful litigation results across the U.S., both bank and non-bank clients rely on him for comprehensive advice throughout their

Ethan’s practice focuses on financial services litigation and compliance counseling, as well as digital assets and blockchain technology. With a long track record of successful litigation results across the U.S., both bank and non-bank clients rely on him for comprehensive advice throughout their business cycle.

Photo of Gregory Parisi Gregory Parisi

Greg leverages his broad experience and pragmatic approach, bringing a wealth of knowledge, business insight and practical problem-solving skills to efficiently manage transactions and advise clients in an evolving legal landscape. He combines his corporate and transactional experience with a robust knowledge of…

Greg leverages his broad experience and pragmatic approach, bringing a wealth of knowledge, business insight and practical problem-solving skills to efficiently manage transactions and advise clients in an evolving legal landscape. He combines his corporate and transactional experience with a robust knowledge of bank regulatory issues to provide valued legal solutions for financial institutions, financial technology companies and other businesses. Greg often works closely with clients to design and implement internal policies and procedures and contractual safeguards in commercial arrangements in connection with corporate and regulatory requirements and risk management best practices.

Photo of Kevin Petrasic Kevin Petrasic

The world’s leading banks trust Kevin to manage their regulatory challenges. An in-depth understanding of regulators and their objectives, coupled with his comprehensive knowledge of the banking business, have positioned him as a trusted advisor to clients across the financial sector.

Photo of James Stevens James Stevens

James is the co-leader of the firm’s Financial Services Industry Group. He has significant experience working with clients across the entire financial services sector, regularly working with public and private companies such as banks, neobanks, marketplace lenders, and other fintech and financial services…

James is the co-leader of the firm’s Financial Services Industry Group. He has significant experience working with clients across the entire financial services sector, regularly working with public and private companies such as banks, neobanks, marketplace lenders, and other fintech and financial services providers and partners.

Photo of Seth A. Winter Seth A. Winter

Seth represents publicly traded companies and financial institutions, including banks and bank holding companies, nonbank lenders, and other fintech and financial services companies, on regulatory, compliance, strategic, corporate law, securities law, and disclosure matters.