The Authorities' Response Framework is a formal way for UK financial authorities to co-ordinate with each other. It is used when there is an incident or threat that could cause a major disruption to financial services.
The three financial authorities (the Authorities) are:
The finance sector is made up of many different types of firms (such as banks, building societies, insurers) and financial market infrastructure providers (FMIs). They rely on each other in order to provide important business services to the UK. Usually, links between these firms/FMIs work well, but sometimes things can go wrong.
When things go wrong, important business services may be disrupted. Responsibility for responding to disruption sits with firms/FMIs themselves. They will have their own methods and plans in order to react and ensure the continuity of those services.
But, because firms/FMIs rely upon one another, disruption in one part of the sector can spread to another part. It can also spread beyond the finance sector to other sectors in the UK. The Authorities have a crucial role in reducing the effects of this and ensuring stable functioning of the system. This is managed through the Authorities’ Response Framework.
The Authorities’ Response Framework enables the Authorities to engage and communicate with each other to respond to operational disruption in the sector. It can also be used to respond to incidents in other sectors that may indirectly affect the finance sector.
If there is a cyber incident, the Authorities’ Response Framework will include the National Cyber Security Centre (NCSC) to support the response. They are the UK’s National Technical Authority for cyber security. The Framework also allows the Authorities to engage with other organisations and government bodies as needed.
Where required, it can also link to government structures like the Cabinet Office Briefing Room (COBR). As the Lead Government Department for the finance sector, HMT will lead any cross-government coordination.
As noted previously in all incidents, the Authorities are responsible for supporting firms’ and FMIs’ response to incidents, in a way that aligns to the Authorities’ (HMT, Bank, FCA) statutory objectives.
In cyber incidents only, the NCSC is responsible for supporting firms’ and FMIs’ technical response. They can provide advice, guidance or intelligence insights to organisations.
Resilience specialists at the Authorities form a group to activate and run the Framework. This group:
Subject matter experts are involved when their expertise is needed.
In the most severe cases, senior officials can be brought together to direct the Authorities’ response. These Seniors include the Second Permanent Secretary from HMT, Deputy Governors from the Bank/PRA and members of the Executive Committee from the FCA.
The Framework also enables the Authorities to engage with international partners, such as other finance ministries, central banks and regulators.
The Framework can be invoked for any operational incident that affects, or has the potential to affect, the finance sector.
These incidents can have an impact on the Authorities’ objectives. The Framework can also be invoked for other reasons where cross-authority coordination is needed.
In all incidents that required the Authorities’ Response Framework, a Lead Financial Authority is agreed based on the impact to statutory objectives.
The Authorities’ Response Framework operates at three levels. These are:
The Authorities’ Response Framework is regularly reviewed by the accountable executives and exercised by the resilience teams in the authorities. Lessons learned from incidents are used for future improvement.