From Brexit and COVID-19 to generative AI and war, recent years have been marked by serial shock waves of disruption. Through it all, banks have been on the frontline to serve their customers even as their own operations have faced new challenges, whether it’s developing an ‘always on’ capability for instant payments, deterring an unprecedented onslaught of cyberattacks or keeping up with a seemingly relentless tide of new regulation.
Some of these new regulations are designed to shore up the resilience of banks in this fast-changing and uncertain world. Under the new rules, the concept of financial resilience is no longer confined to the allocation of capital but extends to wider bank operations, so that services can be maintained whatever the threat, be it cyber, geopolitical or extreme climate events.
For Anurag Maheshwari, Global Head of Third Party and Corporate Banking Resilience Function at Standard Chartered Bank, this broadening of the regulatory landscape is to be welcomed.
‘It makes sense from a regulatory point of view, and it makes sense for the business too,’ he said, welcoming that regulators appear to be taking a pragmatic approach.
Cyber threats are top of the list of concerns. Giles Taylor, Head of Resilience & Cyber Risk, Data Services, Commercial Banking at Lloyds Banking Group, discussed how attitudes to cyberattacks have matured as the scale of the threat has grown, with most now acknowledging that breaches are inevitable.
‘You need to be able to respond and recover,’ Taylor said. ‘The regulators have understood this is not just a technology problem but a business problem.’
Under the new operational resilience rules, banks need to be mindful of their selection of critical operations, of severe but plausible scenarios and of their tolerance for disruption. What’s more, this is not a one-off box-ticking compliance exercise but an ongoing expectation that banks will be able to provide services to their customers through any severe disruption. Operational resilience (OR) compliance will look different for different banks, and it’s not just confined to the UK – or to Europe, under the DORA legislation which takes effect next year – but is being applied in multiple jurisdictions in various guises.
Rapid technological changes, such as cloud computing, are being incorporated into these rules. Digital-first banks such as Allica Bank are already fully in the cloud, where they can leverage cloud mechanisms to build resilience, while incumbents are having their migration journeys scrutinised and re-ordered in order to satisfy regulators. ‘There is a possible re-concentration risk if too many financial services institutions all use a particular cloud for a particular purpose,’ explained Giles Taylor of Lloyds Banking Group.
Neil Robinson, Chief Information Security Officer at Virgin Money, pointed out that operational resilience is not a one-and-done exercise because cyber risk in particular is evolving at pace, often influenced by external forces such as state-sponsored bad actors or technology disruption.
‘Until recently ransomware was not a thing but in the last three years it has become a material attack plane because we now have crypto so the criminals can get paid,’ he said, also highlighting that cyberattacks have become so sophisticated that some criminals now provide ‘as a service’ access for other criminals.
Being able to keep pace with these changes, and to prevent, withstand and adapt to emerging risks is going to be key if banks are to meet their obligations not just to the regulators but also to their customers, stakeholders and wider society.