SSM's Elderson: The art of bending without breaking – banking on operational resilience

02 September 2024

The banks we supervise operate in an ever more complex risk environment, marked by heightened climate and nature-related risks, increasingly sophisticated cyberattacks and risks stemming from non-bank financial institutions – to name just a few for discussion today. The common denominator of all these risks is that they affect all of us: from Asia to the Americas, from Africa to Europe. To get a better grip on these risks, enhanced international cooperation is essential – and this conference is a testament to that.

In my remarks today, I will focus on a cornerstone of prudential supervisors’ mission to keep banks sound: ensuring that banks build up and maintain adequate operational resilience.

Let me start with a small detour into the world of botany. In an environment subject to more extreme weather conditions, certain tree species have proven particularly resilient to strong winds due to their distinct characteristics. The silver birch, for instance, is known for its flexible branches and widespread root system. These characteristics help it master the art of bending with the wind without breaking, even under hurricane-like conditions.

The same resilience is needed in today’s risk landscape, swept by heightened operational headwinds such as cyber incidents, technology disruptions and natural disasters: to master the art of bending without breaking under such headwinds, banks must develop distinct characteristics.

Now, you might primarily associate a bank’s resilience with its financial strength – particularly given the significant increases in capital and liquidity buffers following the post-crisis reforms. But I’ll highlight why financial resilience alone is far from sufficient to weather the storms brewing over today’s risk landscape.

Consider the example of Amsterdam Trade Bank (ATB), which filed for bankruptcy although it had ample capital and liquidity. What went wrong? Imagine the bank’s credit officers turning up at the office one Friday morning in April 2022, trying to access their documents – and all they see on the screen is that access is denied. Why?

Owing to sanctions, ATB had lost access to its IT systems, which were run by third-party providers. As a result, the bank couldn’t provide banking services anymore. There weren’t adequate contingency arrangements in place – because a scenario in which IT systems weren’t operable had seemed too unrealistic – and so the bank had to close shop.

In 2023, when the New York arm of an investment bank was hit by a ransomware attack, it literally sent a runner with a USB stick across downtown Manhattan to help settle trades in the $25 trillion US Treasury market.[1]

And most recently, the CrowdStrike incident caused the operating system of a major provider to crash, displaying the so-called blue screen of death, leading to significant disruptions across sectors – including at a few banks.[2]

All these examples underscore a fundamental point: financial resilience alone is a necessary but not sufficient condition to weather operational headwinds. You can have ample capital and liquidity but still face major operational issues or even fail if you lack robust contingency planning for operational shocks that are impossible to avoid. In other words, some banks were missing an essential safeguard – operational resilience.

 


© ECB - European Central Bank