On 29 March 2021, the FCA published its final rules and guidance on new requirements to strengthen operational resilience in the financial services sector – PS21/3. In December 2019, the FCA consulted – in CP19/32 – on proposed changes to how firms approach their operational resilience. The FCA developed these proposals in partnership with the Bank of England – in its capacity of supervising financial market infrastructures – and the Prudential Regulation Authority to improve the operational resilience of the UK financial sector.
This Policy Statement (PS) summarises the feedback the FCA received to CP19/32 and its response, and sets out final rules.
These changes will affect banks, building societies, designated investment firms (i.e. firms that have been designated by the PRA under Article 3 of the PRA-Regulated Activities Order), insurers, Recognised Investment Exchanges (RIEs), Enhanced scope senior managers’ and certification regime (SM&CR) firms and entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017) or the Electronic Money Regulations 2011 (EMRs 2011).
The new rules and guidance will come into force on 31 March 2022.
By 31 March 2022, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.
As soon as possible after 31 March 2022, and no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.
https://www.fca.org.uk/publication/policy/ps21-3-operational-resilience.pdf