Operational Resilience in Digital Payments: Deadline Approaching for Payments Institutions

Key Considerations for Payments Institutions

With under a year left until the Operational Resilience implementation deadline, firms caught under the FCA Operational Resilience requirements must take prompt action. Entities authorised and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011 are firms affected by the FCA Policy Statement PS21/3.

All Payments Institutions (“PIs”) and Electronic Money Institutions (“EMIs”) have until the 31st of March 2025 to have:

  • Identified their important business services;
  • Set impact tolerances for the maximum tolerable disruption; and
  • Conducted mapping and testing to the level of sophistication necessary to remain within those impact tolerances.

Operational Resilience is critical for maintaining the stability and functionality of payment systems, especially in an increasingly digitalised landscape. As payment infrastructures become more integrated and interdependent, they require a higher degree of resilience to withstand disruptions caused by power outages, cyber incidents and natural disasters.

Operational Resilience Challenges and Strategies for Payments Institutions and EMIs

PIs and EMIs face a number of Operational Resilience challenges that must be addressed to comply with the FCA Operational Resilience requirements. These may include:

Reliability Objectives: Payment systems must set robust reliability objectives to ensure uninterrupted service. This involves minimising downtime and swiftly recovering from operational incidents.

Redundancies: Implementing redundancies such as backup systems and alternative routing enhances resilience. Institutions should have contingency plans in place to switch seamlessly between primary and backup systems.

Assessment of Critical Service Providers: Institutions must assess the resilience of their critical service providers. Collaborating with third-party providers requires appropriate and proportionate due diligence to prevent systemic failures.

Endpoint Security: Strengthening endpoint security is crucial. Institutions should protect access points, endpoints and user devices to prevent unauthorised access and cyber threats.

Alternative Arrangements: Having alternative arrangements for critical services ensures continuity. Institutions should explore backup facilities, communication channels and cross-border cooperation.

Regulatory Reporting for Payment Service Providers

PIs and EMIs face further scrutiny in their regulatory reporting, as the FCA requires Payment Service Providers to submit an annual report, REP018, on operational and security risks. This annual report is based on the 2017 EBA guidelines and must address areas such as:

  • Evaluating risks and addressing mitigation, along with any identified shortcomings in mitigation measures;
  • Actions taken to mitigate concerns highlighted in the latest audit;
  • Customer complaints related to security matters; and
  • Usage or not of the ‘corporate payment exemption’ (SCA-RTS Article 17 exemption) by the PSP.

The REP018 annual report requires the following assessments and documents to be attached:

  • a risk assessment on operational and security risks; and
  • the assessment of the adequacy of the mitigation measures and control mechanisms implemented as a response to the specific risks.

Next Steps

Firms are expected to use the time leading up to the deadline proactively, to show that they can remain within their impact tolerances and meet FCA expectations. This applies to both existing authorised firms and newly authorised firms.

Firms should not wait until the end of this transitional period to stay within their impact tolerances, but rather take the necessary actions to remain within them as soon as reasonably practicable.

Any firm that does not make a reasonable effort to identify its Important Business Services, remain within its impact tolerances and conduct adequate mapping and testing by the deadline of 31st March 2025 would be in breach of the FCA rules.

How Complyport Can Help

Complyport’s specialised team of consultants can help small Payments Institutions, Authorised Payments Institutions and Electronic Money Institutions by providing the following:

  • Review and present an assessment of your Operational Resilience framework in line with FCA expectations and requirements
  • Outline gaps within your existing Operational Resilience framework and recommend necessary solutions and enhancements
  • Evaluate and support your definition/redefinition and approach towards the risk scenarios of operational disruptions and the optimisation of the continuity strategies and tactics to improve your operational resilience posture
  • Provide an Operational Resilience Audit, as a standalone review or as part of a broader audit framework that covers Operational Resilience, IT and Cyber Security, Business Continuity and Disaster Recovery, Operational Risk Management and Supply Chain Management
  • Conduct SOC 2 Audit and Compliance
  • Prepare the REP018 report and provide submission support

Contact us for assistance

Please fill in our free consultation form and a member of our team will get in contact with you.