United Kingdom (and EU regulation)

FCA policy statement on operational resilience

By Lisa Lee Lewis (UK) and Simon Lovegrove (UK) on March 31, 2021 Posted in Regulation and compliance, United Kingdom

In December 2019, the FCA published Consultation Paper 19/32: Building operational resilience: impact tolerances for important business services and feedback to DP 18/04 proposing changes to how firms approach their operational resilience. The proposals were built on the approach first outlined in Discussion Paper: Building the UK Financial Sector’s Operational Resilience published in July 2018.

On 29 March 2021, the FCA published Policy Statement 21/3: Building operational resilience: Feedback to CP19/32 (PS21/3).

In PS21/3, the FCA sets out its final rules and notes that it has:

made changes to the policy position to provide firms with more time and flexibility to meet mapping and scenario testing requirements;
clarified how the rules fit with the broader domestic and international regulatory landscape and other FCA policy initiatives, such as the treatment of vulnerable consumers;
set out how it will further support firms in implementing the rules on operational resilience; and
included more varied examples of how different types of firm might apply the proposals.

The FCA plans to apply these changes proportionately to firms, reflecting the impact on consumers and market integrity if their services are disrupted. The FCA states the proposed approach is proportionate and flexible enough to accommodate the different business models of firms.

The FCA rules and guidance will come into force on 31 March 2022. By 31 March 2022, firms must have identified their important business services, set impact tolerances for the maximum tolerant disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.

The FCA also states that as soon as possible after 31 March 2022, and no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.

We have a number of resources available to help you develop and strengthen your firm’s operational resilience. We can partner with you at any point across your operational resilience journey including:

interpretation and application of the new rules;
assessing governance, accountability, committee structure and reporting lines;
helping you prepare for regulatory change and advising on the design and implementation of the overall operational resilience programme;
carrying out independent assurance reviews;
identifying any deficiencies in areas such as digital, outsourcing, and third-party resilience; and
simulating impact scenarios for key stakeholders in a testing environment, including developing a bespoke training module around lessons learned.

For further information please get in touch with Lisa Lee Lewis or Simon Lovegrove.