Operational Resilience: Preparing for the 31 March 2025 Deadline

Introduction

Financial services firms required to comply with the Operational Resilience requirements must do so by 31 March 2025. These requirements stem from the Financial Conduct Authority’s (FCA) Policy Statement PS21/3, which integrated new rules into the FCA Handbook. Additionally, entities regulated by the Prudential Regulation Authority (PRA) must comply with the PRA’s Supervisory Statement SS1/21.

The transitional period provided for firms to implement these requirements will conclude on 31 March 2025, at which point the FCA and PRA will expect full compliance.

Key Steps Firms Must Complete by 31 March 2025

To meet the Operational Resilience standards, firms within scope must take the following actions:

  1. Identify Important Business Services

Firms must determine their “Important Business Services” (“IBS”), defined as services that, if disrupted, could cause severe harm to clients or threaten the stability of the UK financial system.

  2. Establish Impact Tolerances

Each identified IBS must have a clearly defined impact tolerance, specifying the maximum acceptable level of disruption. These tolerances should be measured in terms of time and other relevant metrics, reflecting the threshold beyond which further disruption could lead to significant harm to clients or financial market stability.

  3. Conduct Mapping and Scenario Testing

Firms must thoroughly document all people, processes, technology, facilities and data necessary to deliver each IBS. In addition, firms must perform scenario testing to ensure they can remain within their established impact tolerances during severe but plausible disruptions.

  4. Update Internal Policies and Governance

To align with the regulations, firms must establish internal policies and governance structures that support Operational Resilience, including maintaining written records of compliance assessments.

  5. Develop a Communication Strategy

Firms are required to establish internal and external communication plans to mitigate the impact of operational disruptions.

FCA Observations and Best Practices

Key takeaways from the FCA’s observations on firms’ progress with the implementation of the Operational Resilience requirements include:

  • Firms must consider all relevant factors when identifying important business services rather than relying on a single criterion.
  • Interdependencies between services, particularly those involving third-party providers, should be evaluated and managed proactively.
  • Responsibility for maintaining impact tolerances remains with the firm, even when outsourcing service delivery.
  • Third-party resilience testing should be scrutinized to ensure it meets the firm’s operational resilience requirements.
  • Remediation plans should be well-funded, properly governed, and subject to ongoing scenario testing to verify effectiveness.

Future Regulatory Developments and Next Steps for Firms

On 13 December 2024, the PRA and FCA released consultation papers on operational incident reporting and third-party risk management. These proposals introduce additional reporting obligations, requiring firms to notify regulators of operational incidents even if they do not breach impact tolerances. Firms will also need to disclose disruptions to important business services in their incident reports.

To ensure compliance with the operational resilience requirements, firms should:

  • Conduct a thorough assessment of their operational resilience framework, identifying any gaps or weaknesses;
  • Align resilience strategies with existing risk management, business continuity and recovery planning;
  • Review and update outsourcing agreements to effectively manage third-party risks; and
  • Train staff and Senior Management on operational resilience responsibilities and best practices.

Considerations for Firms Operating in the EU

Firms that provide services within the European Union should also assess whether they fall under the scope of the EU Digital Operational Resilience Act (DORA), effective from 17 January 2025. Whilst there is some overlap with UK requirements, the UK and EU regulatory frameworks have diverged in certain areas, necessitating separate compliance efforts for each jurisdiction.

How Complyport can help

At Complyport we can help you assess and develop your Operational Resilience systems and controls. Our expertise in Operational Resilience, IT and Cybersecurity will help you establish a robust operational resilience framework, ensuring compliance with the FCA rules.
