Operational resilience is the ability of a bank to prepare for, adapt to, and withstand or recover from disruptions. These disruptions flow from external events such as natural disasters, malicious actors, pandemics, or global conflicts. In addition, disruptions may be attributable to internal deficiencies, including weak internal systems, controls, or risk management.
In recent remarks, Acting Comptroller of the Currency Michael Hsu offered an important perspective on regulatory expectations for operational resilience for critical banking services. Speaking to an industry group, Hsu noted that both the probability of disruptions occurring and the potential impact of such disruptions are increasing, particularly as banks increasingly rely on technology and third-party vendors to provide services. Hsu emphasized that the risks associated with operational resilience are unique since they cannot be solved through increased capital and liquidity.
Hsu cited several statistics that highlight the potential risks for disruption in the financial services industry. In 2004, the top four custodian banks safe-kept $24 trillion in assets. In 2024, the top four safe-keep over $108 trillion. In 2014, the ACH network processed 18 billion payments totaling $40 trillion. In 2023, the network processed 31 billion payments totaling $80 trillion. Similarly, the notional amount of derivative contracts held by US banks has increased from $70 trillion in 2003 to $193 trillion at the end of 2023. These statistics confirm that the universe of possibilities for disruption in the banking system has increased significantly and is likely to continue to increase in the future.
A 2020 interagency white paper outlined the supervisory perspective on sound practices to strengthen operational resilience. In the bulletin, which was principally directed to the largest and most complex banks, the regulators identified a series of factors that would support the maintenance of operational resilience. The agencies’ recommendations focused on the development of a sound governance structure at the board and management levels, the maintenance of an effective system of operational risk management, the adoption of a robust business continuity management system, and risk management of third-party vendors that support critical bank functions. Other agency pronouncements have also called out operational resilience as a significant concern, with particular emphasis on cybersecurity risks and the risks associated with third-party relationships.
In his remarks, Hsu indicated that federal bank regulators are actively considering changes to the existing operational resilience framework, noting that other jurisdictions, including the European Union, have already issued rules to improve operational resilience for the financial sector in the areas of information and communication technology. The new baseline requirements could include (i) clear definitions for what constitutes a critical activity and a core business line; (ii) clear identification of the tolerances for various categories of disruption; (iii) mandated testing and validation of resilience capabilities; (iv) clear expectations for management of third-party risks; and (v) clear expectations for critical service providers with an emphasis on risk management and governance. Hsu noted that information gathering from the industry and key stakeholders will be essential to the development of the new framework.
The renewed focus on operational resilience is noteworthy since, in recent months, significant regulatory resources have been dedicated to addressing the issues that have been cited as the cause of 2023’s major bank failures, including capital, liquidity, governance, and risk management. It appears that any future guidance on operational resilience will target large banks. However, it is likely that the examination process for smaller banks will also take into account a new framework for operational resilience.