Acting Comptroller Targets Operational Resiliency for Critical Banking Services

Operational resilience is the ability of a bank to prepare for, adapt to, and withstand or recover from disruptions.  These disruptions flow from external events such as natural disasters, malicious actors, pandemics, or global conflicts.  In addition, disruptions may be attributable to internal deficiencies, including weak internal systems, controls, or risk management.

In recent remarks, Acting Comptroller of the Currency Michael Hsu offered an important perspective on regulatory expectations for operational resilience for critical banking services.  Speaking to an industry group, Hsu noted that both the probability of disruptions occurring and the potential impact of such disruptions are increasing, particularly as banks increasingly rely on technology and third-party vendors to provide services.  Hsu emphasized that the risks associated with operational resilience are unique since they cannot be solved through increased capital and liquidity.

Hsu cited several statistics that highlight the potential risks for disruption in the financial services industry.  In 2004, the top four custodian banks safe-kept $24 trillion in assets.  In 2024, the top four safe-keep over $108 trillion.  In 2014, the ACH network processed 18 billion payments totaling $40 trillion. In 2023, the network processed 31 billion payments totaling $80 trillion.  Similarly, the notional amount of derivative contracts held by US banks has increased from $70 trillion in 2003 to $193 trillion at the end of 2023.  These statistics confirm that the universe of possibilities for disruption in the banking system has increased significantly and is likely to continue to increase in the future.

A 2020 interagency white paper outlined the supervisory perspective on sound practices to strengthen operational resilience.  In that paper, which was principally directed to the largest and most complex banks, the regulators identified a series of factors that would support the maintenance of operational resilience.  The agencies’ recommendations focused on the development of a sound governance structure at the board and management levels, the maintenance of an effective system of operational risk management, the adoption of a robust business continuity management system, and risk management of third-party vendors that support critical bank functions.  Other agency pronouncements have also called out operational resilience as a significant concern, with particular emphasis on cybersecurity risks and the risks associated with third-party relationships.

In his remarks, Hsu indicated that federal bank regulators are actively considering changes to the existing operational resilience framework, noting that other jurisdictions, including the European Union, have already issued rules to improve operational resilience for the financial sector in the areas of information and communication technology.  The new baseline requirements could include (i) clear definitions for what constitutes a critical activity and a core business line; (ii) clear identification of the tolerances for various categories of disruption; (iii) mandated testing and validation of resilience capabilities; (iv) clear expectations for management of third-party risks; and (v) clear expectations for critical service providers with an emphasis on risk management and governance.  Hsu noted that information gathering from the industry and key stakeholders will be essential to the development of the new framework.

The renewed focus on operational resilience is noteworthy since, in recent months, significant regulatory resources have been dedicated to addressing the issues that have been cited as the cause of 2023’s major bank failures, including capital, liquidity, governance, and risk management.  It appears that any future guidance on operational resilience will target large banks.  However, it is likely that the examination process for smaller banks will also take into account a new framework for operational resilience.
