The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (collectively, the agencies) issued an interagency paper titled “Sound Practices to Strengthen Operational Resilience.” The sound practices paper generally describes standards for operational resilience set forth in the agencies’ existing rules and guidance for domestic banking organizations that have average total consolidated assets greater than or equal to (1) $250 billion or (2) $100 billion and have $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance-sheet exposure.

Although operational resilience is important for all national banks and federal savings associations (collectively, banks), the sound practices paper is directed to the largest and most complex domestic banking organizations.

Highlights

The sound practices paper

• outlines standards for operational resilience set forth in the agencies’ rules and guidance for domestic banking organizations that have average total consolidated assets greater than or equal to (1) $250 billion or (2) $100 billion and have $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance-sheet exposure.
• promotes a principles-based approach for effective governance, robust scenario analysis, secure and resilient information systems, and thorough surveillance and reporting.
• includes an appendix focused on sound practices for managing cyber risk.

Background

Over the last decade, the agencies have instituted various reforms aimed at enhancing the prudential framework and improving the financial resilience of domestic banking organizations and the financial system more broadly. These reforms – which included stronger capital and liquidity requirements as well as enhanced recovery and resolution mechanisms – reduce the likelihood and severity of a banking organization’s failure.

Notwithstanding these improvements to financial stability, banking organizations in recent years have experienced significant challenges from a wide range of disruptive events, including technology-based failures, cyber incidents, pandemics, and natural disasters. Such events, combined with a growing reliance on third-party service providers, expose banking organizations to a range of operational risks. These risks underscore the importance for banking organizations to strengthen their operational resilience, which the sound practices paper describes as the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. These disruptions could include technology-based failures, cyber incidents, natural disasters, and third-party failures.

The agencies recognize that technological developments have provided banks with new tools, such as cloud-based computing resources, to strengthen their operational resilience. Nonetheless, the agencies view the risk of a significant operational disruption as material, and such a disruption could jeopardize gains in financial stability and resilience. While efforts to strengthen operational resilience may not prevent a disruption from occurring, a pragmatic, well-constructed approach to operational resilience can help minimize the adverse effects of an operational disruption and enhance a bank’s ability to withstand a disruption.

The sound practices paper brings together existing regulations, guidance, and common industry standards to provide a comprehensive approach that banks may use to strengthen and maintain their operational resilience. Effective governance grounds the sound practices paper. Robust operational risk and business continuity management anchor the sound practices, which are informed by rigorous scenario analyses and consider third-party risks. Secure and resilient information systems underpin the approach to operational resilience, which is supported by thorough surveillance and reporting. The sound practices paper does not revise the agencies’ existing regulations or guidance.

Given the significance and technical nature of cybersecurity risk, which constitutes one of the most important types of operational risk, appendix A of the sound practices paper provides a separate collection of sound practices for managing cyber risk. Appendix B of the sound practices paper provides a glossary of terms used in the paper.

The issuance of these sound practices would facilitate ongoing discourse with the public on operational resilience. In the coming months, the agencies intend to convene discussions with the public on further steps to improve operational resilience. Continued dialogue with the public will allow the agencies to further refine their approach to support the operational resilience of banking organizations. In these forthcoming discussions, the agencies will be particularly interested in discussing ways in which the largest and most complex banking organizations can improve the operational resilience of critical operations and core business lines of a banking organization’s material entities and how they and supervisors can measure operational resilience and banking organizations’ progress toward achieving it. Given that many of these banking organizations have extensive cross-border activities, the agencies will seek to minimize the potential for market fragmentation and to align best practices for operational resilience.¹ The agencies may update the sound practices to reflect input from these discussions.

Applicability

Although operational resilience is important to all banking organizations, the sound practices described in the paper are directed to the largest and most complex domestic banking organizations. The paper describes sound practices drawn from existing regulations and guidance for individual national banks, state member banks, state nonmember banks, savings associations, U.S. bank holding companies, and savings and loan holding companies that have average total consolidated assets greater than or equal to (1) $250 billion or (2) $100 billion and have $75 billion or more in average cross-jurisdictional activity, average weighted short-term wholesale funding, average nonbank assets, or average off-balance-sheet exposure.² The sound practices paper does not set forth any new regulations or guidance; rather, the paper brings together the existing regulations, guidance, and common industry standards in one place to assist in the development of comprehensive approaches to operational resilience.

The agencies acknowledge that operational resilience is important to banking organizations of all sizes and that any bank may find elements of the sound practices useful as it considers operational risk and resilience challenges. Because the sound practices emphasize critical operations of a banking organization’s material entities, which generally are characteristic of large banking organizations, the sound practices paper is not addressed to smaller banking organizations.

A key objective of the sound practices paper is promoting harmonization across international and domestic frameworks regarding operational resilience, and the agencies are aware of similar international efforts to improve operational resilience.

To view the paper, please visit https://www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-144a.pdf