New rules from the UK on financial firms’ operational resilience came into force this year, a move that is expected to herald similar measures by regulators in other major financial centers. Many market participants are now reviewing the resilience of their operations and processes with an unprecedented degree of granularity. This regulation complements enhanced guidelines on working with outsourcing vendors. Together, these rules represent the most significant regulatory initiative the UK’s market regulator has undertaken since the introduction of the Senior Manager & Certification Regime.
The new rules apply to many market participants, but regardless of whether a firm formally falls within the scope of the regulation, operational resilience is critical. The disruption caused by the Covid-19 pandemic – and the potential impact on firms, their clients and their counterparties – provided a timely reminder as to how central the topic of resilience must be to any firm’s strategy.
Engaging the services of an outsourced trading provider can help firms of all sizes improve their operational resilience. While an outsourced trading solution does not remove the firm’s ultimate responsibility, it can provide an important back-up for critical functions. A partner such as Cowen can also assist firms with the design of their own resilience strategy.
At Cowen, we are continually investing in our own operational resilience and have identified a number of key areas that trading firms will want to consider as they develop their own resilience strategies. In this report, we discuss some of the implications of the rules and show how working with an outsourced trading provider can make a difference.
Introduction – The challenge for market participants
In adopting the new rules, the Regulator’s goal is to ensure the financial sector is resilient to a wide array of potential disruptions. When the rules were first drafted, the FCA cited cybercrime as a key threat. Then came Covid-19, which firmly placed operational resilience at the top of the agenda for all firms. The next test for businesses could come from any number of areas – from technology outages and vendor failures to natural disasters and geopolitical instability. In essence, the UK authorities are asking firms to ensure that they have solid contingency plans in place that guarantee the continuity of their critical business services in the face of these threats.
There are several steps a firm should take to comply (see our “7 Key Steps” box below). These steps include identifying those business services that are critical from the perspective of potential harm to clients, the firm or wider market; conducting extensive “deep dives” to understand the resources, technology, processes and vendors required to carry out that service; and scrutinising each of these components to understand whether any vulnerabilities exist with respect to their continuity arrangements.
For example, imagine your firm was subject to a cyber-attack on a particular piece of technology, a trading system went offline or there was a flood in a vital data centre. What impact would those scenarios have? What contingency arrangements are in place? How quickly could the service recover? How would the firm communicate with its clients through the disruption and recovery period? These are the types of questions that a review would need to consider. Processes may have a technology component, a human component, or both. There may also be internal or external dependencies that must be considered.
A robust vendor outsourcing framework underpins the operational resilience rules. Where firms engage with vendors, they need to ensure they have performed appropriate due diligence, including understanding their vendor’s control frameworks, data security protocols and change management processes, and confirming that the vendor has its own operational resilience, including business continuity plans. Guidelines on vendor outsourcing also state that a firm must understand material fourth party vendors and the risks associated with them. For example, if a firm engages a vendor to act as a contingency to a critical process, this may not be an effective back-up if the primary and contingency processes are both reliant on the same data center, and are therefore subject to the same vulnerabilities. The operational resilience rules require firms to consider and address these risks.
How outsourced trading fits into the picture
Full-service outsourced trading providers such as Cowen are themselves required to meet the new resilience requirements. That can translate into extra resilience for our clients. By outsourcing even just a portion of your trading needs, you are automatically strengthening the resiliency of your processes. What is more, Cowen has made significant technology investments to ensure service availability and flexibility in how clients are supported. For example, during the pandemic, Cowen was immediately able to switch to remote working to ensure 100% uptime of coverage for all clients regardless of their location.
A firm’s size and geographical focus have implications in terms of building resiliency. Large firms may have extensive resources, both in terms of people and technology, to ensure that all critical functions are resilient. Smaller firms, on the other hand, may not have the resources to implement full back-up processes for every Important Business Service. An outsourced trading solution can help provide additional resilience without a firm having to make substantial new investments.
And for firms that trade in multiple markets and geographies, an outsourced trading solution brings extra advantages. With trading desks in Asia, Europe and the Americas, Cowen can provide a follow-the-sun model to ensure that clients are always supported out of hours and at times of market instability. We also have strategically located operations teams in multiple geographic centres. Operations teams in London and Belfast, for instance, are able to fully support clients throughout Europe, such that during the worst of the Covid period, we saw no increase in trade or settlement fails in the outsourced trading business despite higher volumes.
It’s not just external issues such as market instability that firms need to worry about. Clients may suffer technology issues or staffing headaches due to illness. In such situations, Cowen can supplement internal trading teams so that firms can execute during times of high volatility. It’s worth noting here that Cowen maintains a trader-to-client ratio that is high by industry standards, so that there is always a team available for trading in geographies or asset classes that might usually be handled in-house. Some firms may engage us for only a small amount of trading, but they can be confident that they can call on support in other areas if needed.
Trading-related activities often make up a substantial proportion of a financial firm’s critical functions. It is important to note that for firms subject to the new rules, engaging an outsourced trading solution does not automatically mean they have achieved an acceptable level of operational resilience. If they are subject to the rules, they will still need to undertake their own review to ensure their processes are resilient, including the implementation of a regular testing programme. The benefit of working with an outsourcing provider such as Cowen, which falls into the scope of these regulations, is that the firm will have a partner that has implemented its own operational resilience framework and will be in a position to offer help and advice.
Firms looking to gain resiliency through an outsourced trading desk relationship should consider factors such as the size, experience and service culture of the provider. The depth of experience of Cowen’s trading teams has enabled a greater level of support and coverage, whereas competitors may have less-experienced teams and less depth on the bench for backup coverage. This level of depth and experience means we can help clients if they need to resort to manual processes during disruptions. It has also meant that Cowen has been able to assist clients with functions they were struggling with in-house and would not necessarily always outsource.
A review of a firm’s operational processes provides an opportunity to take stock. Immediate benefits can be realized by identifying processes that may need strengthening or by implementing additional back-up arrangements. There are other benefits too. The level of granularity at which the regulations require firms to interrogate their processes provides a wealth of information that can be used for a host of other initiatives from strategic planning, to regulatory projects, resource allocation exercises, control reviews, training exercises and governance materials to name a few.
Also, since the regulations focus on preventing client harm, any firm that carries out a review, regardless of whether it is in scope of the regulation, will have a compelling message regarding its resilience that can become an important part of its marketing.
Building a living document
Once companies have conducted their initial review, they are required to treat it as a ‘living’ process, one that is continuously refined and enriched. This ensures that they can react to changing environments and quickly identify and remediate vulnerabilities.
At the same time, by regularly updating their process-mapping and operational assessments, firms will find themselves in a stronger position to satisfy new operational resilience regulatory requirements from other jurisdictions as they are introduced. While the FCA has led the charge on this topic, there is an expectation that other regulators will follow suit.
Authorities clearly see bolstering the resilience of the financial system as key to protecting individuals as well as improving stability systemically. An outsourced trading solution can form an important component of a firm’s resilience strategy, providing essential back-up to ensure that the firm can continue to perform key functions even when unexpected disruptions occur.
Building a robust, resilient operation is an ongoing process. As a world-leading outsourced trading desk provider, we at Cowen understand the importance of embedding resilience across our trading operations. We know that our clients need to be able to rely on us day in, day out. They benefit from the investments we have made to ensure that our operations can cope with whatever challenges we face. But they can also benefit from the insight we have gained on our own journey to enhance our resiliency. We are always keen to support and work with our clients as they seek to strengthen their operations.
7 Key Steps for Achieving Resiliency
- Business taxonomy: A firm should begin by creating an up-to-date business taxonomy, identifying each of the products and services offered by the business.
- Initial risk assessments: Having identified all of the business services, a firm should critically assess each of these to identify which are “important” from a resilience perspective. The FCA defines Important Business Services as those that if disrupted could “cause intolerable levels of harm to any one or more of the firm’s clients; or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.”
- Impact Tolerances: For each of the services classified as important, a firm will need to consider the maximum tolerance it has for disruption. How long can the services be disrupted before resulting in harm to a client or wider market?
- Process Mapping: Firms should map every component of the process flow required in the provision of each Important Business Service. This should include detailed documentation covering all of the resources required to complete each stage in the process flow including people, technology, data centers and third parties. This review should include documentation of contingency plans in the event of a failure of one of these components. It benefits a firm to take time on this exercise, gathering all of the Subject Matter Experts to critically assess each stage of the process.
- Vulnerabilities: Now that the firm has thorough documentation detailing all of the resources required for the provision of each service, a critical assessment should take place to consider any potential vulnerabilities. For example, if a firm only has one trading system, what would happen if that was disrupted and the back-up process also failed? In smaller firms, if all employees are based in one location, what would happen if there was a city-wide power outage? Where there is a potential single point of failure, such as with these examples, these instances should be recorded as a potential vulnerability.
- Scenario Testing: The FCA requires firms to consider “severe but plausible” scenarios that have the potential to impact on the Important Business Services. Firms need to imagine worst-case scenarios, including where both the primary and back-up systems fail. Subject Matter Experts across all areas of the firm should consider how they would react in these scenarios, and what playbooks are already in place. As part of testing, the firm should consider how (and how quickly) they would be able to identify that the failure had taken place, and how they would communicate internally and to their clients.
- Remediation: On completing the steps above, a firm will have a clear view of any weaknesses that require remediation. This may include bolstering back-up processes and systems, documenting playbooks so teams know exactly what to do in the event of an outage, or working with vendors to ensure their back-up processes are understood, and that the firm can seamlessly transition to them. Firms in scope of the FCA or PRA regulations will have until March 2025 to complete all remedial actions to ensure that they remain within their defined “impact tolerances” as outlined above. Firms that do not fall within the scope of the UK regulations may decide not to undertake all the measures outlined above. Such firms, however, will greatly benefit from partnering with an outsourced trading provider that itself has undertaken an operational resiliency program.
CIL is authorized and regulated in the UK by the Financial Conduct Authority