Banks and other financial firms in Britain must set out by March 2022 how quickly critical parts of their business could recover from IT glitches and other disruptions and how to minimise the impact, the Bank of England said on Monday.
The BoE’s Prudential Regulation Authority (PRA), in conjunction with the Financial Conduct Authority, set out rules on operational resilience after glitches at TSB in 2019 and at other banks left millions of customers locked out of their online accounts and facing delayed payments.
Each regulated firm must draw up plans that set out where disruption could hit customers and broader financial stability, and how long it would take to resume normal service.
Each firm will decide the time it would take for a specific part of its business to recover, and the time allowed should reflect its importance to customers and overall stability.
“The speed at which vulnerabilities are remediated should be commensurate with the potential impact that a disruption would cause, and will be an area of supervisory focus,” the BoE said.
Firms are not expected to have fully fleshed out and tested plans by March 2022, but are required to show by March 2025 that they can recover within the “impact tolerances” that have been set.
“The PRA expects firms to update their mapping annually at a minimum, or following significant change if sooner,” the BoE said.
A senior manager in each firm will be directly responsible for operational resilience plans, with boards required to approve the tolerances that have been set.
Reporting by Huw Jones; editing by Barbara Lewis