Bank regulators are considering changes to the industry’s operational resilience framework as the risk of disruption continues to rise, Acting Comptroller of the Currency Michael Hsu told a group of bankers Tuesday.
Operational resilience — a bank’s ability to prepare for, adapt to, withstand or recover from disruptions both external, like a flood, and internal, like lax risk management — often plays second fiddle to capital and liquidity.
But, Hsu noted, it “warrants our full attention, especially in our highly interconnected world.”
The risk of disruption has grown over time, given the growth of the financial sector, Hsu said at the Institute of International Bankers’ annual Washington conference.
Twenty years ago, for example, the four largest banks safe-kept $24 trillion in assets; now they safe-keep $108 trillion. The Automated Clearing House processed twice as much in payments ($80 trillion vs. $40 trillion) in 2023 as it did in 2014 — meaning the “sheer magnitude of what can be disrupted” has grown notably.
The growing impact of third parties also means the “threat surface for disruptions is expanding,” Hsu said, and technology has affected operations in another threatening way as cyberattacks become more prevalent.
“Our current focus is on exploring baseline operational resilience requirements for large banks with critical operations, including third-party service providers,” Hsu said. “Such baseline requirements could include establishing clear definitions for identifying critical activities and core business lines; defining tolerances for disruption; requiring testing and validation of resilience capabilities; incorporating third-party risk management expectations; stipulating clear communication expectations among stakeholders and counterparties; and addressing expectations for critical service providers, with emphasis on governance and risk management expectations.”
Prior to the toilet-paper-and-everything-else shortage of the COVID-19 pandemic, arguably few people gave thought to the intricacies of the supply chain. The delivery of banking services is similar to the supply chain in its global and complex nature, yet “most consumers and users of banking services today are similarly unaware of the growing risks of disruptions in today’s banking system,” Hsu said.
“Take, for instance, the recent ransomware attacks on EquiLend, a securities trading provider, on Ion Markets, a capital markets technology firm, and on the Industrial and Commercial Bank of China, one of the largest banks in the world,” Hsu said. “Most observers could be forgiven for shrugging these off as minor incidents, when in fact, they should be seen as early warning signs of the complexity of the financial system and its vulnerability to disruption.”
Internationally, various governments, including the European Union, United Kingdom and Japan, are adopting rules to strengthen financial institutions’ operational resilience.
But in the U.S., regulators must carefully consider “how critical systems are defined, what the relationship is between similar concepts (e.g., recovery time objectives, tolerance for disruptions, maximum allowable downtime), and whether expectations vary under different scenarios (e.g., loss of a data center due to fire versus a ransomware attack),” Hsu said.