In September 2022, the Federal Reserve published a list of proposed changes to the operational risk management requirements for financial market utilities (FMUs). Does your institution provide services to an FMU?
- ICE Clear Credit (ICC)
- CLS Bank International Chicago Mercantile Inc (CME)
- Depository Trust Company (DTC)
- Fixed Income Clearing Corporation (FICC)
- Clearing House Interbank Payments System (CHIPS)
- National Securities Clearing Corporation (NSCC)
- The Options Clearing Corporation (OCC)
The proposed increased standards are the first substantive update since 2014. The updates reflect changes in, operational risk, technology, and regulatory demands.
The four areas of focus are:
1. Third-Party Risk Management – Recommendation for systems, policies, procedures, and controls that effectively identify, monitor, and manage risks associated with third-party relationships and risks stemming from supply chain. Any service provided to the FMU by a third-party must meet the same standards that the FMU is required to meet.
2. Incident Management and Notification – Recommendations call on FMU’s to align their policies and practices to recent joint rulemaking from the OCC and FDIC
3. Business Continuity Management and Planning – Recommendations, at minimum, annual testing, AND annual review of business continuity plans. Incorporation of Lessons Learned and evolving risk environments (i.e., extreme cyber events)
4. Review and Testing – Recommendation to perform a deeper and wider analysis and provide documentation on operational risk.
The major takeaway for third-party providers is that they will now have to design, implement, test, and prove their adherence to the same high standards as set for FMUs. While these recommendations are not (yet) set into practice, the writing is on the wall.
Now is the time to prepare your programs to meet these increased demands. If you aren’t sure where to start, allow Fortrex’s team of subject matter experts to assist your organization rise to the next level of controls.