10

Operational risk and resilience

10.1

Rule 17.1 of the Credit Unions Part of the PRA Rulebook requires a credit union to put in place contingency arrangements to ensure it could continue to operate and comply with its regulatory obligations in the event of an unforeseen interruption, such as a complete failure of information technology systems or destruction of premises by fire, which would otherwise prevent the normal operation of the credit union. Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and systems or from an external event. Examples include the risk of losses arising from the following:

  • internal/external fraud – this may arise from lack of adequate security of information systems as well as credit union officers, assets, and systems (including cyberattacks);
  • damage to physical assets;
  • business disruptions and information system failures – this includes hardware and software failures, telecommunication problems, and utility outages;
  • execution, delivery, and process management failures – this includes transaction and execution errors arising from human error, lack of resources, skills, training, policies, procedures, or poor management;
  • failure of an outsourcing or a third party service provider;
  • legal risk – this includes failure to meet legal, contractual, and other obligations (including exposure to fines, penalties, or damages); and
  • member, product, and business practices – this includes unintentional or negligent failure to meet obligations to specific members (including fiduciary and suitability requirements), or from the nature or design of a product.

10.2

The PRA’s expectations for operational risk management should apply proportionately according to the scale and nature of the credit union. The PRA expects all credit unions to consider the operational risks they are exposed to, and to have mitigating policies and procedures in place to manage them appropriately. As part of this, credit unions may consider, as evidence of good practice, the Basel Committee on Banking Supervision document on Principles for the Sound Management of Operational Risk.[8]

10.3

The PRA expects governance and oversight arrangements for operational resilience to be in place. All credit unions must test the business continuity arrangements regularly (under Rule 17.1 and Rule 17.2 of the Credit Unions Part of the PRA Rulebook). The PRA expects business continuity arrangements to be reviewed at least annually.

Notifications

10.4

The PRA expects to be notified in advance of material operational changes and/or of a credit union entering into any material outsourcing agreements. Credit unions are expected to ensure they have appropriate governance, risk management, and mitigation in place in advance of the material operational change or material outsourcing, including, where relevant, communications to affected members. Plans for exiting from the material operational change or material outsourcing agreement, together with contingency plans, should also be included. This could be a simple plan, depending on the complexities involved and the materiality of the services impacted, and should not require material additional costs and resources to develop. The PRA considers that failed or poorly implemented operational changes have the potential to cause significant disruption to credit unions, including interruption to critical services, often with an immediate impact on members relying on these services.

10.5

Examples of material operational changes that the PRA would expect to be notified of include the replacement of core banking systems, a material change of or new relationship with third party critical service suppliers (including Cloud suppliers and payment systems providers), digital transformation programmes, and data centre migrations. Where a credit union is unclear on its notification expectations, it should discuss this with the PRA.