Building Operational Resilience – FCA Policy Statement PS 21/3
Ensuring the UK financial sector is operationally resilient is important for consumers, firms and financial markets. It ensures firms and the sector can prevent, adapt, respond to, recover and learn from operational disruptions. In December 2019, the Financial Conduct Authority (FCA) consulted – in CP19/32 – on proposed changes to how regulated firms, including payments and e-money service providers, approach their operational resilience. On 29 March 2021, the FCA published a Policy Statement 21/3 (PS 21/3) which (i) summarises the feedback that they received to CP19/32 and their response, and (ii) sets out the final rules that firms will be required to follow. This article contains the key points firms should take into consideration.
Identifying important business services
Regulated firms should now begin identifying their important business services, and will need to have completed this exercise before the rules take effect, on 31 March 2022.
The FCA revised the definition of “important business service (IBS)” in PS 21/3 and specifies that this term
“means a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could
- cause intolerable levels of harm to one or more of the firm’s clients; or
- pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets”.
Firms should furthermore take into account that:
- The IBS is a separate service and not a collection of services;
- Users of the IBSs should be identified;
- It is helpful to identify all business services but only their IBSs are subject to these FCA Operational Resilience rules;
- Internal processes are not IBSs but should be captured as part of “mapping” (see the explanation below of what is meant by “mapping”); and
- Central shared services (e.g. IT, audit or 2nd line, operational processes such as risk management and transaction booking, technology provided centrally) are unlikely to be IBSs, as IBSs need to be provided to one or more consumers.
Firms do not need to undertake the whole exercise at once. They do, however, need to review their existing identification against changes to their business or operating market over the course of the year. Where there have been no material changes, the FCA expects this review to be straightforward.
Firms must complete this exercise of identifying the IBSs before the rules take effect on 31 March 2022. After 31 March 2022, firms will then need to review their IBSs:
- at least once per year, or
- whenever there is a material change to their business or the market in which they operate.
Setting impact tolerances
Another point the FCA elaborates on in its PS 21/3 is that firms should set “impact tolerances” for each IBS, i.e. the point at which a disruption to this service would cause an “intolerable level of harm” to consumers or risk market integrity. Factors that should be taken into account to decide whether a disruption would cause an “intolerable level of harm” are:
- the number and types (such as vulnerability) of consumers adversely affected, and the nature of the impact;
- financial loss to consumers;
- financial loss to the firm where this could harm the firm’s consumers, the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets;
- the level of reputational damage where this could harm the firm’s consumers, the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets;
- impacts to market or consumer confidence;
- the spread of risks to their other business services, firms or the UK financial system;
- loss of functionality or access for consumers; and
- any loss of confidentiality, integrity or availability of data.
Intolerable harm is more severe than inconvenience and constitutes harm from which consumers cannot easily recover. These disruptions include those both inside and outside of the firm’s control. Firms need to test their impact tolerances in a range of severe but plausible scenarios. If, despite testing, firms are unable to stay within their impact tolerance, they should report the issue to the FCA.
Other points that should be taken into account when setting impact tolerances are that:
- Firms should recognise when multiple business services rely on the same underlying system;
- Time/duration should be used as a mandatory metric to measure Impact Tolerance;
- Dual regulated firms need to set up two impact tolerances; and
- Smaller firms will not need to consider an impact tolerance for financial stability. The PRA will set thresholds to clarify those firms that fall within this scope.
Firms must be able to remain within their impact tolerance as soon as reasonably possible, but no later than 3 years after the rule comes into effect on 31 March 2022. Firms should furthermore set and review their impact tolerances at least once per year, or if there is a relevant change to the firm’s business or the market in which it operates.
The last important point the FCA discusses in its PS 21/3 is “mapping”: firms should identify the people, processes, technology, facilities and information necessary to deliver each of the firm’s IBSs. The objective of this is to identify vulnerabilities, to gain assurance that an IBS can remain within its Impact Tolerance and to enable firms to conduct scenario testing.
Firms should have carried out scenario testing by 21 March 2022 in order to identify their IBSs, set their Impact Tolerances and identify vulnerabilities in their operational resilience.
Further things to take into account:
- The mapping exercise should be approved at Board level;
- If third party providers supplying IBSs fail to remain within the Impact Tolerance, that failure is the responsibility of the firm;
- Firms must adopt Internal and External strategies; and
- Firms must produce a self-assessment document which shows how the firm meets the operational resilience requirements. The earliest date on which the FCA can ask for this document is 31 March 2022.
These new Operational Resilience requirements do not apply to:
- EEA firms under the temporary regime; and
- Third country branches.
If you have any questions on what these new Operational Resilience requirements will mean for your firm, please do not hesitate to contact us.