How 10x helps banks meet new operational resilience regulations

Written by Rowan Platt | 22 July 2024

Rowan Platt, Head of Compliance & Regulatory Affairs, explains why it’s imperative banks work with third parties to enhance digital resilience maturity in light of new regulations.

A number of key regulations come into force over the next 12 months in the UK, Europe and Australia*, impacting regulated banking entities. Operational resilience is to become more important than ever before as regulators ensure financial entities can withstand and respond to disruptions such as cyber-attacks and operational or technical outages.

As a third-party provider of core technology that delivers important banking services to retail customers, 10x has an important role to play in assisting our banking clients to comply with these regulations.

While the regulations have distinctions in their respective countries, there are consistent fundamental obligations globally. We think the consistencies across regulations demonstrate a growing global trend that regulators are taking operational resilience more seriously – moving from a “nice to have” to an enforceable requirement with real consequences.

Common themes

The central theme across these regulations is that financial entities will need to demonstrate their resilience in providing critical operations or important business services for their customers. They will need to ensure that they can remain within their impact tolerance in severe but plausible disruption scenarios.

To do this, financial entities need to identify the resources and technology required to deliver their important business services. This includes any relationships with material third parties, such as core technology providers. They will also be expected to more effectively manage the risks associated with these third-party service providers, by obtaining an end-to-end view of operational risk in their supply chain.

Perhaps most importantly, regulators will also expect a more sophisticated approach to resilience testing, which goes beyond traditional business continuity or disaster recovery plans. Testing plans should be designed to evidence the bank can remain within impact tolerance. Over time, they will also need to incorporate testing of additional scenarios to identify the point at which tolerance levels are breached and identify new vulnerabilities to be remediated.

Testing with third parties

In many cases, firms will need to mature their resilience testing. They will need to move from largely desk-based exercises to a wider range of testing, producing more meaningful data and insights on vulnerabilities.

Given how integral core technology providers are in ensuring the resilience of a bank’s important business services and functions, it is imperative for financial entities to involve their third-party providers. Providers need to be involved in aligning on tolerance levels for disruptions and the process for responding to them.

Third parties can carry out the testing of their own resilience on their own platform, but financial entities will be responsible for ensuring that any third-party providers remain within their respective impact tolerance levels. Therefore, it’s crucial that the methodology and tested scenarios used by third parties align with the financial entity’s own requirements.

How 10x supports operational resilience

While it will always be for the financial entity to set the tolerance levels (in accordance with their own risk appetite), it will be for the third-party provider to define the testing process and to ensure this remains within the relevant impact tolerances.

The 10x response to disruption always aims to strike an acceptable balance between risk, cost, and operational performance. We have considerable experience of working with clients to test for a range of disruption scenarios, including both cyber incidents and outages of our primary cloud provider. Tests ensure we can remain within time-bound and data loss tolerance levels, for example the maximum tolerable length of time that the 10x platform can be down after an outage occurs.

10x also understands the unique governance implications these regulations will have for financial entities. Regulators expect boards and senior management to actively oversee the delivery of their firm’s operational resilience program. 10x is here to support your architecture and executive teams so they can satisfy any information requests or resilience concerns their boards or the regulators may have.
 
*The key regulations are the Financial Conduct Authority’s (FCA) and Prudential Regulation Authority’s (PRA) policy statements on Building Operational Resilience (PS21/3) and Operational Resilience: Impact tolerances for important business services (SS1/21), coming into force in March 2025; the EU’s Digital Operational Resilience Act (DORA) (January 2025); and, in Australia, APRA’s CPS 230 on Operational Risk Management (July 2025).