Managing the Risk to Your Firm & Dealing with the Regulatory Changes in Operational Resilience

The release of the FCA’s Operational Resilience Policy (PS 21/3) outlines new rules coming into force on 31 March 2022. Firms that fall within scope must have identified their important business services, set impact tolerances for the maximum tolerable disruption, and conducted adequate mapping and testing.

Operational Resilience Framework

The FCA reminds firms that maintaining operational resilience is important for consumers, firms, and financial markets. It ensures that firms can prevent, adapt, respond to, recover, and learn from operational disruptions. The FCA’s new policy goes beyond the traditional Business Continuity and disaster recovery management with a streamlined mandate focused on those processes that matter most from the client’s perspective and the financial markets in general.

The new rules and guidance relating to operational resilience will apply to a broad range of firms including banks, building societies, designated investment firms, insurance firms, e-money, and payment services firms. These rules and guidance will come into force on the 31 March 2022.

What does the FCA expect

  • In its Dear CEO letter, the FCA reminded firms that they expect firms to invest in their systems to ensure that they keep pace with the growth of their business and remain fit for purpose.
  • Firms are expected to identify all significant harms related to the activities they undertake. The FCA provide some examples of potential harms caused by the activities of different firms in its finalised guidance on assessing adequate financial resources FG 20/1 , including:
    • Firms advising on corporate finance deals may fail to apply appropriate due diligence
    • Non-bank lenders may fail to check customer’s affordability, inappropriately chase them when in arrears, or have practices not in line with the customer’s best interest
    • Payment services firms failing to have resilient systems and controls
  • Firms must have contingency and/or response plans in place to deal with operational disruptions and ensure that the plans have been tested.

Summary of PS21/3 and what should firms do

In March 2021 the FCA released the PS21/3 which set out the final rules on operational resilience. The FCA expect the policy statement to promote three main objectives:

  • Build the resilience of the market to continue to function as effectively as possible and quickly return to full operations following a disruption and reduce risk to market integrity.
  • Firms can look at improving their operational resilience as a way of retaining customers and promoting effective competition.
  • In identifying their important business services, setting impact tolerances, and restoring their important business services quickly after a disruption, firms can ensure a greater level of consumer protection.

The proposals outlined in the policy statement for the purposes of operational resilience, among others, require firms to:

  • Identify their important business services at least once a year, or whenever there is a relevant change to their business or the market in which they operate
  • Set their impact tolerances at the first point at which a disruption to an important business service would cause intolerable levels of harm to consumers or risk to market integrity
  • Have internal and external communication strategies in place to respond quickly and effectively to reduce the harm caused by operational disruptions
  • Compile a self-assessment document which shows how they meet the FCA’s operational resilience requirements
  • Make sure the plans in place are tested and lessons learned are utilised for the readjustment of the impact tolerances and improvement of the operational resilience of the firms.

Upcoming milestones for Operational Resilience include

  • Implementation of new requirements and expectations to strengthen operational resilience in the financial services sector by 31 March 2022
    • Firms will then have a further period to show that they can remain within their impact tolerances for each important business service by 31 March 2025
  • Publication of Discussion Paper in 2022
  • Consultation Paper to set out policy proposals that outline what information should be submitted by banking and insurance firms when operational incidents occur, planned for the first half of 2022

How can Complyport help?

If the information above has raised any questions or you think your firm may require assistance with complying with the relevant requirements of the new Operational Resilience framework, please contact Jonathan Greenstein now, via jonathan.greenstein@complyport.com, and book in a free consultation.

Our teams are ready to guide and support your firm in numerous ways, namely in:

  • Identifying important business services
  • Setting impact tolerances
  • The transitional arrangements
  • Scenario testing
  • Compiling a self-assessment document
  • Any collateral service pertaining to the resilience of your processes and systems namely physical and digital security, operational risk management and data protection

About Complyport

Complyport is a market leading consulting firm supporting the UK financial services industry for over 20 years. We specialise in providing Governance, Risk and Compliance services to support the regulated financial services industry to raise standards and thrive.

Complyport advises and assists firms to become authorised and to comply with the rules and requirements of regulators on an ongoing basis. Our vision is to be there for our clients every step of the way, helping them change, grow, and excel through expertise, insight, and innovation, and in so doing to become our clients’ most valued supplier and trusted advisor.

We have successfully assisted over 1000 firms to become authorised with the FCA and EU and are providing regulatory support to over 600 regulated firms on an ongoing basis globally. With presence in the UK and EU, as well as via our Associates Network, Complyport can assist firms across multiple jurisdictions.

Complyport’s multidisciplinary consultants possess deep expertise in their field, having acted in FCA skilled person reviews, as expert witnesses in legal cases and as expert investigators for firms or their legal advisers.

Day to day, we conduct audits and reviews of a firm’s products, systems, processes, policies, and procedures to identify scope for business, to determine the impact of regulatory developments and to verify compliance with local regulations. Our clients tell us we live our values; we are driven, agile and collaborative.