In March 2021, the Financial Conduct Authority (FCA), in partnership with the Bank of England (BoE) and the Prudential Regulation Authority (PRA), published new rules and guidance designed to strengthen the operational resilience of the UK financial services sector.
This article provides an overview of the key new requirements, and practical considerations, for boards and senior managers when preparing for, and implementing, the new rules, which come into force on 31 March 2022.
What is operational resilience?
Operational resilience is the ability of firms, financial market infrastructures and the financial sector to absorb and adapt, and recover and learn from, operational disruption. It extends beyond business continuity and disaster recovery, and is a strategic priority for regulators across the globe.
Why does it matter?
Operational disruption poses risks to the orderly operation of financial markets, and can threaten the viability of financial services firms and the provision of services to consumers. The coronavirus pandemic has highlighted the interconnectedness of the financial sector. While many firms have successfully adapted, disruption can (and is likely to) happen at any time. The acceleration of the digitalisation of the financial services industry, increasing cloud-usage, and the drive for innovation and automation, creates new challenges for firms and new expectations for consumers.
Which firms are in scope of the new rules?
The new rules apply to UK authorised financial services firms - banks, building societies, investment firms, insurers, recognised investment exchanges, enhanced scope firms in the senior manager and certification regime, payment services firms, electronic money firms and registered account information services providers.
What are the new operational resilience requirements?
1. Identify important business services
Firms must identify their 'important business services' that, if disrupted, could cause 'intolerable levels of harm' to the firm's clients, or pose risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.
'Important business services' are services provided by the firm, or by another person on behalf of the firm, to clients of the firm. This does not include internal services, such as human resources or payroll.
'Intolerable harm' is harm from which consumers cannot easily recover. It is more than inconvenience.
When identifying their important business services, firms should, as a minimum, consider the nature and number of their clients (including any vulnerabilities that would make a client more susceptible to harm from disruption), and the time criticality of clients receiving the service.
2. Set an impact tolerance for each important business service
Firms must set impact tolerances for 'severe but plausible' disruptions to each of their important business services, and ensure they can remain within these. The impact tolerances, and the range of severe but plausible scenarios, are likely to evolve over time.
When payment service providers are setting impact tolerances, they must consider their obligations under the European Banking Authority (EBA) Guidelines on Information and Communication Technology (ICT) and Security Risk Management.
3. Carry out a mapping exercise
The mapping exercise will vary from firm to firm, depending on the size, scale and complexity of the firm's business model. It must be sufficiently granular to allow the firm to identify (and document) the people, processes, technology, facilities and information necessary to deliver each of its important business services, and to remediate any vulnerabilities that could stop the firm from remaining within its impact tolerances.
4. Carry out scenario testing
Firms must carry out scenario testing to assess whether they can remain within the impact tolerances they have set for each of their important business services in the event of a severe, but plausible, disruption to their operations.
Firms must identify an appropriate range of adverse circumstances of varying nature, severity and duration relevant to their business and risk profile, and consider the risks to the delivery of the firm's important business services in those circumstances.
Potential sources of disruption could include cyber-attacks, telecommunications/power outages, third-party supplier failure, the unavailability of key people or natural hazards such as fire, flood or severe weather.
5. Consider lessons learned
After carrying out scenario testing, or after an operational disruption, firms must conduct a 'lessons learned' exercise to identify weaknesses, and take action, to improve their ability to respond to and recover from future disruptions effectively.
6. Communications strategy
Firms must develop a strategy for internal and external communications which enables them to act 'quickly and effectively' to reduce the anticipated harm caused by operational disruptions.
The regulators expect firms to consider how they would provide important warnings or advice quickly to clients and other stakeholders (including where there is no direct line of communication) and gather information about the cause, extent, and impact of operational incidents.
Firms should also consider their reporting obligations to the FCA (under Principle 11), the PRA (where dual-regulated), Action Fraud (if the incident is criminal), the Information Commissioner's Office (if the incident involves a data breach), and the National Cyber Security Centre and the Cyber Security Information Sharing Partnership (for cyber incidents).
7. Prepare self-assessment documentation
The FCA has created an operational resilience self-assessment questionnaire called ORQUEST, which has been designed to help firms understand their operational resilience capabilities, including their cyber capabilities. The self-assessment questionnaire is available from the FCA.
Other practical considerations
Firms must keep written records of their compliance with these operational resilience requirements. This includes documenting the rationale for decisions made in relation to the identification of important business services, impact tolerances, mapping, scenario testing, lessons learned, and the firm's communication strategy. Firms must retain each version of their records for at least 6 years, and provide these to the FCA on request.
Firms must keep their compliance with these operational resilience rules under regular review, particularly if there is a material change to the firm's business or the market in which it operates.
Strategies, processes and systems
Firms must have in place 'sound, effective and comprehensive' strategies, processes and systems to enable them to comply with the new operational resilience rules. The strategies, processes and systems must be proportionate to the nature, scale and complexity of the firm's activities.
Firms that outsource important business services must have a sufficient understanding of the people, processes, technology, facilities, and information that support the third party provider in its provision of services to the firm. Firms must also work with the third party service provider to set (and remain within) impact tolerances and include them in mapping and scenario testing exercises. Firms are expected to conduct due diligence on third party service providers, and satisfy themselves of that third party's operational resilience.
Firms must ensure their governing body approves, and regularly reviews, written records made in connection with the firm's compliance with operational resilience requirements. This includes identification of their firm's important business services and impact tolerances, and more broadly, formulation of the firm's operational resilience strategy.
What is the implementation deadline?
The new operational resilience requirements come into force on 31 March 2022. Firms will need to consistently remain within their impact tolerances for each important business service as soon as reasonably practicable after 31 March 2022, and by no later than 31 March 2025.
With the implementation deadline fast approaching, it is important for firms to prepare and be ready before the new rules and guidance come into force. While firms are likely to have many of the elements already in place (or in plan), it is reasonable to assume that effort and resource will need to be deployed to fully meet regulatory expectations.
If you have any questions regarding this article or require any assistance with understanding the new requirements around operational resilience, please contact Kam Dhillon.