The Financial Conduct Authority (FCA) has long had a strong focus on operational resilience, and its regulatory approach has been closely co-ordinated with that of the Bank of England and the Prudential Regulation Authority to ensure the joined-up and effective supervision of firms and financial market infrastructures, and an operationally resilient financial sector.

What does operational resilience mean?

Operational resilience is all about disruption. Specifically, in this context, it is about the resilience of the UK’s financial sector, and its participants, to all kinds of disruption. Disruptions have the potential to cause harm to consumers, threaten the viability of firms, and destabilise the financial system. Disruptions can come in many forms, including economic disaster, such as some form of financial crisis or wider uncertainty (such as the coronavirus pandemic), or failure (for example, of a critical service provider). Periodically, we also see systems disruptions, like the recent global IT outage caused by a software update, which place the operational resilience of firms right under the spotlight. It is a certainty that operational disruptions will happen from time to time, and so it is vital that the financial sector is able to absorb, respond and adapt to them. And, importantly, to recover from them.

New rules

Operational resilience is not a new concept for regulated firms. However, following the coronavirus pandemic and the regulatory learnings from it about the importance of firms understanding the significance of the services they provide and investing in the resilience of those services, new rules and guidance came into force at the end of March 2022 with a transitional period running to the end of March 2025. The resulting improved and strengthened regulatory framework is intended to ensure that financial services firms can:

  • to the extent possible, prevent disruption from occurring in the first place;
  • in the event of an incident, be adaptive to enable continuous service provision;
  • once a disruption is over, quickly return to normal operation; and
  • learn from incidents and experiences and use them to further improve their operational resilience.

Increasing regulatory focus on this area, and the drive to strengthen the regulatory framework, were inevitable given the increasingly complex and difficult levels of disruption that firms face in a world of rapid technological change. The difficulties that firms face are further exacerbated by a hostile cyber environment and by many cross-border global interconnections, which increase their dependence on third parties for significant activities, products and services.

Who does this apply to?

These rules have wide reach and affect all UK banks, building societies, investment firms, insurers, recognised investment exchanges, enhanced scope SM&CR firms, payment services and electronic money firms (payment and e-money institutions and registered account information service providers).

What should firms have done by now?

Firms should have already:

  • identified their important business services;
  • set impact tolerances for these important services;
  • carried out mapping and testing to support the calibrating of impact tolerances; and
  • identified vulnerabilities in their operational resilience. 

Sitting behind these cornerstone operational resilience requirements are other, more general good governance requirements which firms will need to have in place and without which they will struggle to comply with their wider regulatory obligations. These include:

  • sound and effective strategies, policies, processes, communications and controls;
  • a well-informed, engaged, suitably skilled and experienced, and pro-active senior management and board; and
  • good habits of self-assessing for weakness and vulnerability, including scenario testing and acting on lessons learned, to generate iterative improvement.

What else must firms do by no later than 31 March 2025?

31 March 2025 is the longstop date, at the end of the transition period, by which firms must have invested to the extent necessary to enable them to operate consistently within their impact tolerances, and to operate effective and comprehensive strategies that enable them to remain within their tolerance levels for all their important services in the event of foreseeable disruption.

Identification of important services

The regulators expect firms to be best placed to identify their important business services, to exercise their own judgement in doing so, and to take an outcomes-based approach. Boards and senior management are expected to play a central role in the thinking and the decision making around this. Some of the key considerations that firms will need to focus on include:

  • the impact and knock-on effects that a failure might have on the wider financial system and on other parties;
  • the impact that a failure might have on the firm itself including, for example, reputational and legal risks; and
  • the impact on customers and clients including those who may have characteristics of vulnerability.

Setting of impact tolerances

Firms need to set an impact tolerance for each of their identified important business services based on the assumption that disruption will occur. Impact tolerances must be set by reference to clear metrics, with due consideration given to variables such as how long an important business service can be interrupted (hours or days) and at what point in time, demand (for example, at different times of the day), frequency of disruption, and the possible failure of additional related services. Once a firm has set impact tolerances, it must be able to remain within them in the event of disruption (meaning a severe but plausible disruption). While this requirement is currently subject to the longstop date of 31 March next year, firms have been advised not to wait until then to ensure that their resilience is sufficiently robust for them to remain within their impact tolerances.

Mapping

Mapping is the process of identifying and documenting the resources (including the people, strategies, processes, technology, facilities and information) required to deliver important business services. Resources may well include outsourced resources. By undertaking a detailed mapping exercise, a firm will be able to identify the resources that are critical to its important business services. Mapping will enable a firm to focus on its vulnerabilities and weaknesses, creating a gap analysis, and to effect remedies or strategies to enable it to fill gaps and to remain within its impact tolerances.

The nature of any firm’s mapping exercise will depend on its business characteristics, including size, scale and complexity. As such, there is no one-size-fits-all approach to mapping. Each firm will be required to undertake and evolve a mapping exercise that is bespoke and proportionate to its own business. It is vitally important that every aspect of the mapping exercise is well documented so that evidence can be provided promptly in response to any regulatory request for it.

How can a firm demonstrate efficient scenario testing?

Scenario testing is about measuring a firm’s response to an identified disruption. There is no detailed regulatory guidance in this space, and firms are expected to determine a range of suitable adverse scenarios against which to assess their ability to deliver their important business services. Firms could consider their own previous incidents or operational failures and any learnings from these, disruptions that are known to have occurred in the wider sector and economy, and known horizon risks (such as those relating to geopolitical tensions and cyber threats). Known factors that firms should embed into their scenario testing include:

  • corruption, deletion or manipulation of critical data; 
  • unavailability of key facilities or key people;
  • unavailability of critical third-party services;
  • disruption to other market participants; and 
  • loss or reduced provision of key technology.

It is reasonable to expect that any firm’s ability to scenario test will evolve and improve over time. With this in mind, firms should be continuing to perform scenario testing with next year’s deadline in view, so that they can evidence that they have worked towards, and can remain within, tolerance for each of their important business services. All firms should have evolved their mapping capabilities since 2022’s deadline, completing gap analyses to enable them to work on any identified shortcomings and shore up their vulnerabilities, both in response to any material changes to the business and, as a minimum, annually in line with the regulatory requirement. Firms will need to keep clear, accurate, comprehensive and up-to-date records of all their mapping, scenario testing and lessons-learned activities, so that they can demonstrate to the regulator that they take a suitably bespoke and tailored approach to their compliance with the operational resilience requirements.

Conclusion 

Operational resilience is one of the most important regulatory priorities. Firms should expect the regulators to consider operational resilience as equally important as financial resilience, and should expect supervisory engagement around this regulatory priority. Firms should also expect to have to demonstrate and evidence effective and embedded operational resilience frameworks. Any firms that need to implement changes to their regimes can expect the regulators to use regulatory tools to drive positive change forward, for example by requiring investment in relevant improvements to processes, infrastructure, training, systems and overall strategy.

The FCA published a webpage in May this year which provides numerous useful and practical insights and observations on the progress made by firms across the industry in getting ready for the March 2025 deadline. The regulator will expect firms to have considered and used these insights and observations to assess their own state of preparedness for this deadline. The webpage is an easy-to-read and useful resource giving clear guidance on what the regulator is focused on, and on what is and is not acceptable relative to what the regulator is seeing in its engagement with industry in this important and multi-faceted area.


With thanks to our current team trainee, Mopé Akinyemi, for helping to prepare this summary.