FCA & PRA - Operational Discussion Paper
Building the UK financial sector’s operational resilience – response from ABCUL
We appreciate the opportunity to respond to this discussion paper. The Association of British Credit Unions Limited (ABCUL) is the main trade association for credit unions in England, Scotland and Wales. Out of the 275 credit unions which choose to be a member of a trade association, 71% choose to be a member of ABCUL. There are currently 312 credit unions registered in Great Britain.
Credit unions are not-for-profit, financial co-operatives owned and controlled by their members. They provide safe savings and affordable loans. Some credit unions offer more sophisticated products such as current accounts, ISAs and mortgages.
At 31 March 2018, credit unions in Great Britain were providing financial services to 1.3 million people using credit unions, including almost 140,000 junior depositors. The sector held more than £1.57 billion in assets with more than £890 million out on loan to members and £1.33 billion in deposits.
Credit unions’ work to provide inclusive financial services has been valued by successive Governments. They provide a valuable social role in providing affordable credit to those otherwise excluded from mainstream credit, a secure and regulated place to save and encourage people into a savings habit, often for the first time. Successive Governments have legislated and invested in credit unions to expand this role.
Response to consultation
Credit unions make up a diverse sector of institutions which range in size from professional institutions with tens of thousands of members and tens of millions of pounds in assets to very small community organisations with a few hundred members, several tens of thousands of pounds in assets and entirely led by volunteers. Likewise the services they offer – while always built around a core savings and loans proposition – are diverse both in terms of the complexity of the services themselves – with some of the largest offering payments services and mortgage lending, for example – and in terms of the sophistication of their delivery.
This being the case, it is vitally important that any requirements or supervisory approaches that result from the process initiated by the discussion paper are applied on a principles basis with a proportionate application in practice. While the largest credit unions can and should be expected to have a robust and thoroughly-developed operational resilience approach which is well-resourced and regularly reviewed regulatory supervisors, the long tail of smaller credit unions will only have capacity to comply with the operational resilience approach outlined to the extent that their resource capacity allows and their operational complexity requires it.
To this end, we are very encouraged by the passage on how the operational resilience approach is likely to be overseen and supervised found in Chapter 4 of the discussion paper. Credit unions of all shapes and sizes provide an important service to their communities and members and in order to preserve this valuable societal and market role, they must be regulated proportionately. Likewise, the regulatory authorities’ statutory remit would not be well served by overly focussing on small institutions that represent a small risk of disrupting either financial stability or effecting consumer harm relative to other larger firms in the regulated population.
We look forward to working with both FCA and PRA in developing their practical approach to implementing operational resilience as a regulatory tool and focus within the credit union sector.
While proportionality is our key concern in responding to the discussion paper, we also wish to welcome and support the framework approach that the regulatory authorities are testing with the discussion paper. By the same token as that which necessitates proportionality, credit unions are also more limited in their capacity to tackle issues of operational resilience, business continuity and cyber security than are larger firms. But they are also under increasing pressure created by the imperative to modernise and digitalise their services and to become more relevant and competitive in so doing. And while this is the right strategy for credit unions to pursue for their long-term sustainability and expanded future, it also brings with it risks in terms of the modern market place and the vulnerability created by an increasing reliance upon technology.
As such we welcome the framework for approaching operational resilience that the discussion paper sets out. We agree that the principles and methodology that it outlines are equally applicable to firms of differing profiles and scales and as the approach develops it will provide a sound basis for credit unions to strengthen their operational resilience.
The focus on services over systems; the assumption that disruption will occur and planning for how to cope with it when it does; the prioritisation of critical services; the setting and testing of tolerance levels; and, the focus on impact of service disruption on members and the real economy in prioritisation are all invaluable contributions to the development of operational resilience approaches for credit unions as they become more sophisticated and complex in how they design and deliver services.
However, it would be useful for credit unions and many other sectors of smaller firms, for the authorities to think about how they might provide further practical support and guidance to firms in implementing their operational resilience expectations. While we do not advocate for pure prescription, guidance and best practice dissemination in terms of the kinds of practices that the regulators would consider adequate or exceeding expectations, perhaps based on what they see across the sector cohort, is always a useful reference for small firms with limited resources.
Finally, ABCUL is about to embark upon a process of consultation and vision-setting with its membership to define the future of the credit union sector and ABCUL’s role within this. As part of this regulatory compliance and the focus of the regulatory authorities – as well as how ABCUL can support credit unions in rising to these challenges – will be key questions for discussion. We envisage a challenging conversation around how the sector can enhance standards in parallel to addressing its long-term relevance and this new arena of operational resilience in regulatory supervision is a timely introduction to that discussion.
A) What are readers’ views on the proposed focus on continuity of business services? Would a service rather than systems-based approach represent a significant change for firms and FMIs compared with existing practice? What other approaches could be considered?
We are in broad agreement with a focus on business services which is then underpinned by an understanding around particular systems that support those services. We believe that this will be a helpful way to approach resilience planning for credit unions and usefully captures the broader range of issues underpinning service continuity away from the usual focus on technological systems in isolation.
It would however represent a significant change from current systems-based approaches and this should be borne in mind, particularly in light of the need for proportionality, in relation to the credit union sector, as well as other sectors of smaller firms.
B) Would encouraging firms and FMIs to consider their contribution to the vital services that the real economy demands change the way they manage operational resilience, and if so how? What additional costs would this incur?
We believe that there needs to be nuance to this approach from the point of view of smaller, less systemically-important firms like those within the credit union sector. The impact of a typical credit union’s services being disrupted is unlikely to have substantial impact in economic terms in most cases but would certainly have significant disruptive consequences for the members that rely on the services. So perhaps to reframe this in terms of impact on customers’ economic activity would be a better way to make this notion relevant for smaller firms as well as larger ones.
C) How do boards and senior management currently prioritise their work on operational resilience?
Credit union boards and management tend to prioritise their work on operational resilience currently in terms of critical systems and services that they rely upon, rather than differentiating by services they deliver to the end user. While this is important we agree with the discussion paper’s proposed reframing as it will assist credit unions in prioritising and developing back-up arrangements in the event of system disruption.
The current approach tends to lead to a focus on the speed with which systems can be restored, rather than what the credit union would do in the interim and this can leave credit unions’ exposed. It also tends towards a focus on ensuring systems will not be disrupted, rather than assuming that they will be and planning for when they are.
D) What changes are firms and FMIs planning to make to strengthen operational resilience over the next few years? How involved are board members in the planning, implementation and embedding of any changes? What are the likely benefits and costs involved?
Credit unions are very aware that they need to improve their provisions for business continuity and security but the notion of operational resilience is a relatively new one for our sector given its size and relative lack of sophistication. However, many credit unions are rapidly modernising, digitalising and automating their services in an attempt to remain competitive and relevant and so the introduction of this new approach is a timely intervention for our sector.
E) What are readers’ views on the possibility of firms and FMIs being asked to set impact tolerances for their most important business services?
We believe this is a valuable approach but that it must be introduced sensitively and carefully into credit unions and other small firms. Impact tolerances will definitely form a useful tool for credit unions to manage their operational resilience and allocate resources appropriately but there is a risk that small firms with limited resources will fall into the trap of focussing on tolerance levels in some areas at the detriment of others. Likewise, it may be difficult to test tolerance levels in the way envisaged for smaller firms.
Some consideration should be given to how prescriptive this requirement might be in a credit union setting. We would advocate for a more flexible and less prescriptive approach to allow credit unions to set tolerance levels that are appropriate to them and reflect their own business services and priorities.
F) What approach and metrics do firms and FMIs currently use?
Today credit unions typically base continuity and security metrics on acceptable downtime periods and financial impact of downtime.
G) If these proposals would require some firms and FMIs to update part of their existing risk management framework, what would this involve?
There would be a significant outlay in terms of time and resource spent reframing risk management frameworks and the impact of this on small firms with limited resources should be considered in terms of ensuring that the proposals are proportionate.
H) What are readers’ views on producing an impact tolerance statement as described? What relevant operational resilience risk management documentation do firms and FMIs already produce, and how does this differ from impact tolerance statements?
In principle we agree that an impact tolerance statement would be a useful tool to produce and rely upon but we are concerned that any such requirement should be proportionate and perhaps only required for larger credit unions which are more complex. Even in those where it were to be required, consideration should be given to explicitly allowing documentation of limited scope and complexity.
I) What operational resilience tests or scenarios do firms and FMIs already consider and undertake for their own risk management purposes? What factors do firms and FMIs take into account when devising operational resilience tests or scenarios?
This varies greatly between credit unions and so is hard to say definitively. Credit unions would consider a range of scenarios from technical systems outage and access issues, to physical incidents preventing access to business premises, key person risk and mitigation of these and other similar scenarios. They would generally consider their technology, facilities and people dependencies and seek to put in place credible mitigations for a range of scenarios.
J) How do boards and senior management currently gain assurance over the operational resilience of their firm or FMI?
This is generally done through a risk management framework with regular testing of key vulnerabilities and internal and external audit of key systems and suppliers’ security arrangements.
K) What are readers’ views on the proposed developments to the supervisory authorities’ approach to operational resilience?
We are encouraged by the supervisory approach outlined. As we set out above, proportionality is absolutely critical to the success of this approach and it is very encouraging to see the detail into which the discussion paper explores what that might mean in practice for supervising operational resilience.
Once again, we would only reiterate how proportionality will be critical to the meaningful and effective implementation of operational resilience from the perspective of smaller firms like credit unions. ABCUL is keen to work with the regulatory authorities to ensure an effective approach is adopted which supports the sector’s real desire to improve and address these issues without inadvertently overburdening credit unions with requirements that are hard to meet and therefore counterproductive.
Once again, we appreciate the opportunity to respond to this discussion paper. We would be happy to discuss any of the points raised should that be required.
The PDF version of this response is available to download on the right-hand side
ABCUL – October 2018