Principles in Determining Criticality in Vendors

Jim Freis talks about the principles involved in determining the level of criticality in the vendors of financial institutions.

One of the areas where regulators have been asked by quite a number of parties throughout the industry, and through the public consultations, to provide more guidance and more clarity is with respect to what is deemed critical. Criticality is an aspect of prioritization, and in a risk-focused environment, a risk-based environment, prioritization is really key to the implementation of that approach.

The regulators currently use the term critical in different regulatory pronouncements in different ways, but there are two reasons why we should understand critical. One is that even the effort to document a decision that an entity is critical or not critical takes time. So why do I raise that? If we had a proposition or a presumption that an activity were critical, such as a core banking system, literally the software that runs the debits and the credits that are essential to the banking function, no one would doubt that that’s critical. But should we need to take time to actually document that review and that decision? If there were presumptions that that would be critical, it would free the banks to focus on the risk management aspects in that regard.

When we do talk more broadly about principles, where it’s not such an obvious situation, meaning that there should be a default presumption, we can look at principles to help drive that decision. One is the potential monetary impact of a disruption. If a system were down, what would be the impact on that bank, on that bank’s revenue, and ultimately on the bank’s profitability? Beyond a certain threshold, it can be deemed critical. And that threshold could be something that a board sets as a risk management decision, in the same way that the executive, and ultimately the board of directors overseeing that executive, might set a credit risk exposure limit: above a certain materiality, above a certain defined value, it would be considered critical to the bottom line of the bank.

Another aspect where the regulators will be focused is the impact on customers, especially retail customers and consumers. Put the situation this way. If a payment system disruption does not allow customers to withdraw funds from a bank, the bank is actually not at a loss, because it’s sitting on the money. It hasn’t realized the credit risk in that regard, but the customers are certainly inconvenienced and will have opportunity costs in terms of what services they were looking to purchase with the funds that they were withdrawing. That is something where I think the regulators will take the view that the impact upon the customers is a critical part of the responsibility of being a licensed financial institution.

There are other aspects that might not easily fit into the categories or the principles of a monetary loss or a direct customer impact. And those are regulatory required functions, such as transaction monitoring, OFAC monitoring, or anti-money laundering monitoring, where the regulators rightly would say, in my view, that you cannot function as a bank when there’s a disruption of that for an extended period of time, because you would be in violation of your risk management of those regulatory requirements.

So those are three categories that I think are critical, that I think are important to understanding what the term critical means. Another category that has already been identified by the regulators, but doesn’t have universal applicability, is a function that would impact the stability of the entire country’s financial institutions. So that is something that would occur in the event of a failure of a systemically significant institution or a financial market utility, but not necessarily an individual smaller institution. It could, however, be the case due to concentration risk, meaning that service providers impact many institutions, including a significant number of small or medium-sized institutions, that a failure of that one service provider, or some domino effect caused by the failure of a service provider, could have a systemic impact across the country because so many smaller institutions were dependent on it.

That’s one of the biggest concerns for regulators today: knowing what they don’t know. They don’t know the level of dependencies upon many of the service providers. They don’t have the logical map that would show them, through a type of risk management exercise, an operational testing scenario, that the failure of one entity would have such an adverse impact upon so many different institutions at once. That’s something that keeps them awake at night, and part of what they hope to get out of this evolution in the risk management framework.