Resiliency takes precedence: Ensuring successful business continuity during crises

By HSBC

The pandemic has underscored how important it is for financial institutions – including those in the securities services industry – to have robust operational resiliency processes in place. A failure to do so not only exposes banks to enormous risk, but also their clients too. HSBC’s Securities Services examines some of the safeguarding measures that banks are developing to help ensure successful business continuity during crises.

Featuring insight from:

Jon Szehofner, Group Chief Control Office – Operational Resilience, HSBC

Paul Heffernan, Head of Business Development and Client Management, Asset Managers, Europe at HSBC

Peter Scrivener, Director of Technology Risk Assessment at HSBC.

Richard Pounder, Global Head of Operational Resilience Risk, Securities Services, HSBC

Regulators agitate for change

Operational resilience is an area that has been subject to intense regulatory scrutiny for some time. In 2018, the Bank of England (BOE) together with the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) published a paper underlining the importance of operational resilience in the financial system. Three years and one pandemic later, those same regulators are in the process of introducing new rules around operational resilience. Jon Szehofner, Group Chief Control Office – Operational Resilience SME, said these provisions will force providers to identify their important business services; complete initial mapping exercises; set impact tolerances; begin scenario testing; and identify any vulnerabilities by no later than March 2022.

Between then and March 2025, he added financial institutions will need to remediate any weaknesses. “Operational resilience is a hot topic that has been accentuated by the COVID-19 pandemic. UK regulators are taking a lead on operational resilience but other jurisdictions – including the EU and the US – are following suit as well. I anticipate a global approach towards operational resilience will eventually emerge under the auspices of IOSCO (International Organisation of Securities Commissions),” commented Paul Heffernan, head of business development and client management, Asset Managers, Europe at HSBC. But what exactly should securities services be doing?

Facilitating continuity in Securities Services

Firstly, providers need to identify their important business services. These are overwhelmingly customer-facing banking activities, which if they were to go down would cause serious market-wide disruption. Richard Pounder, Global Head of Securities Services, Operational Resilience Risk at HSBC, said that within securities services, this includes global custody, sub-custody, transfer agency [TA], FX and fund services. “Custody is at the centre of securities services and it is one of our biggest product offerings. In the case of TA – outages there can have a significant effect on retail investors. Even disruption in fund servicing processes such as NAV production can have a direct client impact and adversely affect markets,” he said.

At this point, providers need to perform stress testing to determine whether or not their services and systems are resilient. Such tests, said Pounder, need to mimic severe but plausible crisis events. For example, he said a typical stress test scenario might involve dealing with a technology outage while simultaneously managing a pandemic or extreme weather conditions at a critical IT centre. “Testing is done to the nth degree and impact tolerance is tested to the limit. Providers need business continuity processes in place which are commercially sensible but operationally resilient,” he stressed. In addition to demonstrating their own internal operational resilience, regulators and clients want assurances that financial institutions have systems in place to handle failures at their outsourced providers and IT vendors. “We continuously review and test our third party providers’ resilience. We do not just accept third party assurance reports saying everything is okay. Instead, we will meet up regularly with our providers to validate that they have effective safeguards designed to mitigate any disruption,” said Peter Scrivener, director of technology risk assessment at HSBC. He added risk assessments need to factor in the possibility that an outage at a third party may last for up to several months. “Banks should think outside of the box. They need to ask themselves whether they could replicate a service from scratch using offline copies in the event of long-term downtime,” said Scrivener. This scrutiny comes following several high profile technology outages and cyber-attacks, the latter being something that has skyrocketed during the pandemic. In order to mitigate cyber-risks, Pounder noted banks are increasingly collaborating with each other and sharing intelligence threats.

Managing risks intelligently

The pandemic has put operational resilience at the forefront of people’s minds. Given the critical nature of securities services in the financial system, it is vital that providers have well-tested mechanisms and redundancy processes that can weather extreme disruption.

Top things to consider:

Identify what services are critical, namely those which would cause major disruption in the event of an outage
Internal stress testing must be thorough and rigorous
Providers need to establish contingency plans should a critical outsourced or IT vendor fail