From an operational resilience perspective, the securities services industry successfully navigated the pandemic with its operations intact. However, financial institutions including custody providers cannot allow for complacency to creep in. Instead, they need to be thinking about how the next existential crisis – together with the emergence of new technologies could potentially impact their operational resilience.
Led by Reto Faber, EMEA Head of Custody, Securities Services, Citi, a panel of leading experts shared their insights at Citi’s EMEA Securities Leadership Forum (ESLF).
Focusing on the client
Firstly, organisations are now expected to consider operational resilience and impact tolerance from the client’s point of view – a perspective that forces material changes in approach among financial institutions, according to Charlotte Branfield, Global Head of Operational Resilience, Operations and Technology at Citi.
“The important business service concept is critical and turns firms’ approaches to prioritisation on its head. For example, a for-profit organisation will traditionally prioritise their biggest revenue streams but this might not tally with what the client thinks is important. A client may care most about the payroll infrastructure, for instance, which to a bank is not likely to be the biggest revenue generator,” she highlighted.
To adequately develop the correct approach, financial institutions must engage with clients to find out what is critical to them and why, and then look to provide customers with a seamless user experience by having the processes and substitutability in place to port activities to a back-up provider in a crisis situation.
Having navigated almost two years of the pandemic, banks – including Citi – are undertaking laborious mapping exercises into their operational activities covering everything from transaction capture, settlement, the asset servicing life-cycle and tax. “This has enabled us to create a better end to end holistic picture. In particular, it has also helped us with our location strategy, namely on how we can leverage our globally distributed operation centres to improve redundancy and become more resilient,” said Rhys Thomas, Global Head of Custody Tax, FX, and Cash Operations, Securities Services, Citi.
Joerg Guenther, Global Co-Head of Operations and Technology, Securities Services, Citi, agreed that most financial institutions are redefining their playbooks around operational resilience. “In the past, the approach was to assume that in the event of a site outage, there will be a failover. Now, these processes are more scenario-driven, looking at different functions and applications not being available and how these can be recovered, and what the workarounds are,” he said.
Guenther added that Citi is focusing more on site reliability engineering (SRE), namely the use of software to ensure automation in operations. “We have hired resources in SRE, so that failovers can be executed in a way that is as seamless as possible,” he said.
Learning from a crisis
During the pandemic, the ongoing delivery of business as usual (BAU) at financial institutions was facilitated by digitalisation, with tools such as application programming interfaces (APIs) being deployed to help ensure client connectivity and enable positive user experiences. However, technological innovation brings with it new risks, a point made by Branfield.
“The uptake of APIs has to be taken seriously from a risk management perspective. With APIs, we now have a heightened level of connectivity between firms, which means existing risks may transmit though the system quicker or new digital risks may be created, which are not yet properly defined. Today, we think about risk in terms of businesses and geographies, yet APIs mean firms will need to think about risk on a bilateral firm-to-firm basis as well as a systemic basis. Do we actually know the risks that will arise if APIs do not function? As we emerge from the pandemic, we do need to think about our traditional approaches to risk management and how they are fundamentally changing,” noted Branfield.
With digitalisation becoming increasingly ubiquitous, incidents of cyber-crime have skyrocketed. According to BAE Systems, 74% of financial institutions reported a significant spike in cyber-attacks since the pandemic began.2 Such attacks are overwhelmingly carried out by hostile outsiders (e.g. nation states, criminals, etc.) or disgruntled employees. In the case of cyber-crime, financial institutions need to think practically about how they manage such risks.
“Let us imagine a cyber-attacker has infiltrated your systems, and to kick them out, your cyber team will implement a forced password reset and reboot that is going to shut 2,500 people on your trading floor out of the system without forewarning. With all of these people logged out simultaneously, do you know whom to bring back online first? Do you have protocols in place for managing open trades and risk if the traders cannot access their systems?” asked Branfield.
She added many people in financial services simply assume a cyber-attack is a problem that IT will handle, yet IT teams are not experts in product areas such as payments or fund accounting, and so may not necessarily understand the business implications of the decisions they are taking. It is therefore vital that the different business streams within banks approach cyber-security holistically and collaborate closely with IT to minimise any risk and disruption in the event of an attack.
Although financial institutions need to be fully cognisant of emerging digital risks, Thomas pointed out that legacy technology risks should not be forgotten about. In the case of Citi’s linkages with central securities depositories (CSDs), Thomas shared that the bank had measures in place to ensure that communications are not interrupted in the event of an outage – either at Citi itself or at the CSD level. “We have made ourselves as resilient as possible and we always have contingency channels in place to ensure communication remains online between Citi and our CSD partners. The challenge, however, would be if there was a market-wide outage,” he said.
Consequentially, many institutions are rethinking their legacy technology architecture. “In the context of operational resilience, we are decomposing the monolithic functionality of our systems into smaller functional components. The traditional way in which we interface prescribes and constrains how our entities and systems communicate. We want to decouple this integration by leveraging event-driven technologies which allows us to build a layer of abstraction between legacy applications and what we build today and tomorrow in terms of micro-services,” said Guenther.
Climate risk – the next challenge in operational resilience
Coinciding with the COP26 in Glasgow, climate change risk was also discussed extensively during the panel. While a number of Central Banks have repeatedly highlighted that climate change risks – such as physical damage caused by flooding or extreme weather events, stranded assets and rising borrower defaults – are systemic challenges for banks, the operational risks it poses are equally serious. Branfield warned the operational risks of climate change are potentially more severe than that of COVID-19. She highlighted that while BAU during COVID-19 was enabled by people working from home, energy shortages (i.e. fuel or electricity), fires and floods caused by climate change risked the feasibility of working from home – whilst significantly impacting peoples’ lives as homes could be damaged or destroyed– in what would lead to serious long-lasting business interruptions.
In the near -term and with the world facing acute energy shortages, Branfield cautioned that financial institutions need to think carefully about their energy supplies. “In a standard business continuity plan set-up, a back-up power generator will be turned on if the main generator goes down. But, for example, if there is an energy shortage and governments are rationing fuel, that will not be possible,” she said. She anticipated energy shortages will happen more frequently – as new technologies (i.e., gaming, electric vehicles) put pressure on electricity infrastructure and as countries shift away from fossil fuels – which is likely to coincide with more severe weather events. As a result, firms should actively start refreshing their business continuity planning and exploring various “what if” scenarios.
Firms also need to think laterally about how they approach digital and climate change risks if they are to safeguard their operational resilience and business continuity as much as possible. This rings true for both network managers and their custody providers. As a result, custodian banks are becoming increasingly open with clients about their operational resilience procedures – especially during network managers’ initial due diligences or ongoing reviews.
“Providers need to offer due diligence information – which does not necessarily go into huge detail about their actual internal processes but rather focuses on how an outage at their end would affect a client, and outline what they would do to respond to that. This is something we will be reaching out to our clients about over the course of the next year,” concluded Faber.
1 Bank of England (December 16, 2019) Systemic Risk Survey – 2019 H2
2 BAE [April 28, 2021] COVID Cyber-crime