Operational Resilience Requirements May Be Coming for Large U.S. Banks Soon

On March 12, 2024, Acting Comptroller of the Currency Michael Hsu indicated in a speech that regulations may soon be forthcoming that would be designed to bolster larger depository institutions’ ability to withstand disruptions to their critical operations. If enacted, these regulations would require covered financial institutions (and by extension, their third-party service providers) to satisfy operational resilience requirements at a level of granularity that has previously been absent from United States financial regulations.

In recent years, the Office of the Comptroller of the Currency (OCC), the primary U.S. federal regulator for nationally chartered depository institutions, and other federal financial regulators have cited a continually growing risk of operational disruption among larger depository institutions—e.g., from security breaches, natural disasters and other unanticipated occurrences. Due to an ever-increasing concentration among a smaller number of larger financial institutions, and greater dependency among these financial institutions on a similarly concentrated web of outsourced third-party service providers, the stakes are particularly high when these disruptions occur. Similar to recent disruptions to global manufacturing supply chains, any single point of operational failure by any major depository institution or its service providers can have cascading effects across the entire financial industry (and by extension, the wider economy).

In response to these trends, the OCC is previewing the possibility of new regulations by the end of 2024 that would strengthen baseline operational resilience standards for larger depository institutions (a designation that has yet to be defined). These standards would potentially impose:

  • clear definitions for identifying critical activities and core business lines;
  • requirements for establishing different tolerance levels for operational disruption;
  • enhanced requirements for testing and validation of resilience capabilities;
  • enhanced third-party risk management requirements;
  • clearer communication requirements among key stakeholders and counterparties; and
  • new expectations for critical service providers, with emphasis on increased governance and risk management.

The operational resilience regulations, if enacted, would build on the existing framework that the OCC has developed with other federal financial regulatory agencies over the last 20 years. Specifically, since 2001, the OCC has collaborated with other federal regulators to continually release guidelines and best practices for operational resilience. This culminated in 2020 with the release of “Sound Practices to Strengthen Operational Resilience” and the addition of the Business Continuity Management booklet to the Federal Financial Institutions Examination Council (FFIEC) “Information Technology Examination Handbook.” Together, these publications integrated and restated the guidance that had been developed since the push began in 2001. The 2021 “Computer-Security Incident Notification Rule” and the 2023 “Interagency Guidance on Third-Party Relationships: Risk Management” have since supplemented these resources. These guidelines generally set forth suggested principles for governance and risk management that financial institutions can implement to promote operational resilience. However, the current regulatory framework does not follow a highly prescriptive model; instead, it takes a more risk-based and open-ended approach that enables financial institutions to set their own operational resilience standards.

The new requirements suggested by the OCC would build on this existing regulatory landscape while raising the baseline requirements and best practices that covered banks must follow to achieve operational resilience. These new requirements would also align more closely with new operational resilience rules being put into place in other international jurisdictions, including the EU, the United Kingdom and Japan.

If the OCC follows through on the regulations previewed in Acting Comptroller Hsu’s March 12 speech, covered financial institutions will need to ready themselves by reviewing and updating their policies and procedures to adhere to the OCC’s more prescriptive requirements. Additionally, covered financial institutions will need to review their third-party service provider contracts (and contracting guidelines) to ensure that these new standards are appropriately passed through to their counterparties. We will continue to monitor these developments and provide further analysis as a more concrete proposal emerges.