THE BANGKO Sentral ng Pilipinas (BSP) is proposing new guidelines to strengthen the operational resilience of financial institutions in case of disruptive events such as natural disasters and cyberattacks.

In a draft circular posted on its website, the BSP said the new rules would boost financial institutions’ ability to manage and mitigate the impact of shocks or disruptions, particularly on their critical operations.

The circular would require all BSP-supervised financial institutions (BSFIs) to prepare an operational resilience framework on a solo and group-wide basis.

Foreign bank branches may adopt the relevant policies of their head offices’ operational resilience framework.

“The critical role of BSFIs in the smooth functioning of the real economy, amidst the increasing digitalization and evolving operational disruptions or hazards that could disrupt the normal operations of the financial system underscore the growing importance of operational resilience,” the BSP said.

“Cognizant that these disruptive events, such as pandemic, natural disasters and/or cyberattacks will happen, the BSFI’s ability to respond to and recover from these disruptions will lessen the impact on its viability and delivery of critical operations and related services.”

All BSFIs will be required to submit a transition plan within one year after the circular takes effect. The plan should include a gap analysis and action plans to attain operational resilience.

All big banks, including digital banks, should implement its operational resilience plan within two years from the circular’s effectivity.

By the third year of the circular’s implementation, all thrift and rural banks should have developed or integrated the operational resilience framework with their existing risk management systems.

The central bank identified key elements of operational resilience that BSFIs should include in their framework, such as an effective governance structure.

“The basic building blocks of operational resilience include the initial steps of identifying the BSFI’s critical operations, setting of tolerance for disruption and determining the range of severe but plausible disruptive scenarios or events of varying nature, seriousness, and duration, relevant to its business and risk profile,” the BSP said.

BSFIs should also plan and manage risks to its critical operations, as well as test its ability to deliver critical operations “amid disruption under severe but plausible scenarios.”

If a disruption occurs that affected the BSFI’s operations, the firm should have the ability to respond, manage, and still deliver critical services. Financial institutions should have an incident response plan that contains the key steps in handling disruptions. 

BSFIs will also be required to disclose in their annual reports the overarching approach to operational resilience. It should also report to the BSP within 24 hours if the incident response plan for critical operations is activated. 

The central bank also said it may deploy appropriate supervisory enforcement actions to ensure BSFIs comply with the new requirements.

Stakeholders have until July 26 to send their feedback on the draft circular. — K.B.Ta-asan