Operational Resilience Back to the Fore for Payments Firms 

Author: James Borley, Director of Payment Services

As noted in the Financial Conduct Authority’s (FCA’s) Regulatory Priorities Report for Payments, the operational resilience framework is now moving decisively beyond implementation planning and into active supervisory scrutiny. For Payment Institutions (PIs) and Electronic Money Institutions (EMIs), the 31 March 2025 transition deadline marked the end of the mobilisation phase and the beginning of a new era of evidencing resilience in practice.

While many firms approached operational resilience initially as a regulatory project driven by Policy Statement PS21/3: Building Operational Resilience, the FCA increasingly expects firms to demonstrate that resilience considerations are embedded into governance, outsourcing oversight, product design, technology decision-making and incident response frameworks on an ongoing basis. 

For firms operating under the Payment Services Regulations 2017 (PSRs) or Electronic Money Regulations 2011 (EMRs), the challenge is no longer whether an operational resilience framework exists on paper, but whether it can withstand severe but plausible disruption without causing intolerable harm to customers or the wider financial system. 

Regulatory Background 

In March 2021, the FCA, alongside the Bank of England and Prudential Regulation Authority, published PS21/3. The framework already applied to a number of regulated firms but was now extended to entities authorised under the PSRs and EMRs. Firms were required to identify their ‘Important Business Services (IBSs)’, establish impact tolerances and conduct mapping and testing by 31 March 2025. 

The FCA defines operational resilience as the ability of firms and the financial sector to prevent, adapt, respond to, recover and learn from operational disruptions. Importantly, the regime focuses less on preventing all disruption and more on ensuring that firms can continue delivering critical services within acceptable tolerances during disruption events. 

This distinction is particularly significant for payments firms whose business models are heavily reliant on technology infrastructure, cloud providers, APIs, card processors and outsourced operational functions. 

Why Payments Firms Remain a Supervisory Focus 

The UK payments sector has experienced rapid growth, increasing technological complexity and heightened customer reliance over recent years. At the same time, regulators continue to observe incidents involving payment outages, cyber-attacks, third-party failures and migration-related disruptions. 

The FCA and Bank of England have repeatedly highlighted concerns around firms’ dependency on concentrated technology providers and the systemic implications of operational failures within payments infrastructure. Recent industry incidents, including large-scale cloud outages and software failures, have reinforced supervisory concerns that even short-term disruption can result in significant consumer harm and reputational damage. 

For payments firms, operational resilience is therefore closely linked to several wider regulatory themes, including: 

  • Consumer Duty; 
  • outsourcing and third-party risk management; 
  • cyber resilience; 
  • operational incident reporting; 
  • governance and senior management accountability; and 
  • financial crime controls continuity. 

Increasingly, the FCA appears to view operational resilience as an indicator of overall organisational maturity rather than a standalone compliance requirement. 

Important Business Services: Avoiding Overly Broad Definitions 

One of the most common weaknesses identified by regulators relates to the identification of IBSs. The FCA has cautioned firms against defining IBSs too broadly or by reference to internal business lines rather than customer outcomes. 

For payments firms, examples of IBSs may include: 

  • execution of outbound customer payments; 
  • safeguarding and access to customer funds; 
  • card transaction processing; 
  • customer authentication services; 
  • onboarding and account access functionality; and 
  • fraud monitoring and transaction screening. 

A common supervisory issue arises where firms classify virtually all business activities as ‘important’, thereby diluting management focus and undermining meaningful scenario testing. 

The FCA expects firms to identify those services where disruption could cause ‘intolerable harm’ to consumers, threaten market integrity or undermine confidence in the UK financial system. The emphasis remains on external impact rather than internal operational significance (which is more the domain of business continuity). 

Mapping and Third-Party Dependencies 

Mapping remains one of the most resource-intensive aspects of operational resilience compliance. For many payments firms, the complexity arises not from internal systems but from interconnected outsourcing arrangements and technology dependencies. 

The FCA has specifically emphasised the importance of understanding vulnerabilities arising from third-party providers, including cloud hosting providers, payment processors, fraud systems, telecommunications infrastructure and software vendors. 

In practice, firms should be capable of demonstrating: 

  • end-to-end mapping of IBS delivery chains; 
  • identification of single points of failure; 
  • documented dependency inventories; 
  • resilience assessments of material suppliers; 
  • exit and substitution planning; and 
  • escalation and communication protocols during disruption events. 

The FCA is increasingly sceptical of firms that rely solely on contractual assurances from providers without independently assessing those providers’ operational resilience capabilities.

This is particularly relevant where firms rely heavily on a small number of critical cloud or infrastructure providers. Regulators continue to signal concerns regarding concentration risk across the financial sector and the potential systemic implications of outages affecting critical technology providers. 

Scenario Testing: Demonstrating Credibility 

Scenario testing remains central to the FCA’s expectations. Firms must demonstrate that they can remain within impact tolerances during severe but plausible disruption scenarios. 

However, many firms continue to approach testing as a theoretical desktop exercise rather than a realistic assessment of operational capability. 

The FCA has indicated that effective testing should evolve into a business-as-usual discipline and should incorporate lessons learned from real-world incidents. 

For payments firms, relevant scenarios may include: 

  • cyber-attacks impacting payment processing; 
  • ransomware incidents; 
  • cloud service outages; 
  • data centre failures; 
  • telecoms disruption; 
  • payment gateway failures; 
  • sanctions screening system outages; 
  • third-party supplier insolvency; and 
  • internal change management failures. 

Importantly, firms should avoid assuming ideal recovery conditions. The FCA increasingly expects testing to consider degraded operating environments, staff unavailability, simultaneous incidents and communications failures. 

The FCA also expects firms to identify vulnerabilities revealed through testing and demonstrate remediation planning supported by appropriate governance and funding. 

Governance and Senior Management Accountability 

Operational resilience cannot be delegated exclusively to Compliance or IT functions. 

Boards and senior management are expected to understand the firm’s IBSs, impact tolerances, vulnerabilities and remediation priorities. Accountability for operational resilience should be clearly allocated and evidenced through governance arrangements. 

The FCA has emphasised the importance of maintaining comprehensive self-assessment documentation capable of demonstrating the rationale behind resilience decisions, testing methodologies and investment priorities. 

For many firms, operational resilience now forms part of broader prudential and conduct discussions during supervisory engagement. 

Firms should therefore expect operational resilience evidence to feature increasingly within: 

  • FCA thematic reviews; 
  • section 166 skilled person reviews; 
  • authorisation assessments; 
  • change in control applications; 
  • outsourcing reviews; and 
  • Consumer Duty assessments.

Incident Reporting and the Evolving Regulatory Landscape

In March 2026, the FCA introduced new operational incident and third-party reporting requirements, with implementation expected from March 2027. These measures are intended to strengthen regulators’ visibility over disruption events and sector-wide vulnerabilities. 

Payments firms should therefore anticipate heightened supervisory expectations around: 

  • incident classification; 
  • escalation timelines; 
  • root cause analysis; 
  • board reporting; 
  • third-party incident visibility; and 
  • post-incident remediation tracking. 

The direction of travel is clear: operational resilience is becoming increasingly data-driven, evidence-based and supervisory intensive. 

Operational Resilience as an Ongoing Regulatory Obligation 

One of the most important messages emerging from recent FCA communications is that operational resilience is not a one-off implementation exercise. Important business services, impact tolerances and mapping should be reviewed regularly and updated following material business, technological or regulatory changes. 

For rapidly scaling fintechs and payments firms, this presents a particular challenge. Business models, outsourcing structures and technology environments often evolve faster than governance frameworks. 

Accordingly, firms should ensure operational resilience remains integrated into: 

  • product development; 
  • outsourcing approvals; 
  • acquisitions and integrations; 
  • cloud migration projects; 
  • cyber security governance; 
  • change management programmes; and 
  • enterprise risk management frameworks.

Conclusion

The FCA’s operational resilience regime has now entered a significantly more mature supervisory phase. For UK payments firms, the regulatory focus is shifting away from implementation plans and towards demonstrable operational effectiveness. 

Firms that continue to treat operational resilience as a static compliance programme risk falling behind supervisory expectations, particularly as regulators intensify scrutiny of outsourcing dependencies, cyber resilience and customer outcomes. 

Ultimately, operational resilience is no longer simply about avoiding disruption. It is about demonstrating that firms can continue delivering critical services, protect customers and maintain market confidence even when disruption inevitably occurs. 

For payments firms operating in an increasingly interconnected and technology-dependent environment, that expectation is unlikely to diminish. 

How Complyport Can Help 

Complyport assists payment institutions, electronic money institutions and fintech firms in designing, reviewing and enhancing operational resilience frameworks that meet FCA expectations. 

Our services include: 

  • operational resilience gap analyses and independent reviews;
  • identification and assessment of Important Business Services and impact tolerances;
  • operational resilience self-assessment preparation and review;
  • outsourcing and third-party risk management assessments;
  • governance and Board effectiveness reviews;
  • business continuity and disaster recovery framework reviews;
  • regulatory authorisation and change-in-control support;
  • compliance monitoring and operational resilience testing reviews; and
  • senior management training and regulatory workshops.

Whether you are preparing for FCA supervisory engagement, reviewing your Important Business Services or strengthening third-party oversight arrangements, Complyport can provide practical and proportionate support tailored to your business. 

Contact Complyport today to book a meeting with one of our Subject Matter Experts and discuss how we can support your operational resilience programme. 
