Our operational resilience survival guide is here! Simon Hill, Compliance Manager at FinTech Compliance, details the FCA’s expectations to help you comply with the new rules and guidance which come into force on the 31st of March 2022.
In December 2019 the FCA, Bank of England (BoE), and PRA (aka the Holy Trinity of regulation) joined forces and consulted on proposed changes to improve the operational resilience of the UK financial sector. From their findings the FCA published ‘PS21/3 – Building operational resilience’, the BoE then published a ‘shared Final Policy Summary’, and the PRA published an additional paper on ‘outsourcing and third party risk management’.
Who do the new rules and guidance apply to, you ask?
Banks, building societies, PRA-designated investment firms, insurance firms, Recognised Investment Exchanges, enhanced scope SM&CR firms, and entities authorised and registered under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011. Firms which are dual regulated will need to apply both the FCA’s and the PRA’s rules, including the potential requirement to set different impact tolerances to comply with the regulators’ different drivers.
So, what exactly is operational resilience?
Put simply, operational resilience is about putting measures in place in order to manage and prevent operational disruptions with as little impact to business services as possible. This is different from ‘business continuity planning’ which focuses on managing operational risks in order to protect a firm’s own commercial interests.
To paraphrase the FCA, ‘disaster is inevitable.’ Just look at the past few years, the pandemic, Covid-19, the possibility of a zombie apocalypse! The new operational rules and guidance are intended to protect business services in order to prevent disruption, or mitigate disruption, to customers and markets in the event of said zombie apocalypse, or other catastrophic disaster.
What you need to do…
By 31 March 2022, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and have carried out mapping and scenario testing to a level of sophistication necessary to do so.
Let’s break that down.
Important business services – the FCA define an important business service as a service which, if disrupted, could potentially cause intolerable harm to customers or risk to the integrity of the financial markets.
It is important to note that when defining services, ‘services’ are not grouped together. A product may contain a ‘group of services’ which together constitute the product. For example, let’s say the product is a mortgage; the services which make up that product are (a) the provision of finance, and (b) advising customers (communication).
The FCA and the PRA then require firms to identify and set ‘impact tolerances’ for each of their ‘important business services’.
Setting Impact Tolerances
Impact tolerances should be set at the first point at which a disruption to an important business service would cause intolerable levels of harm to clients, or risk to the UK financial system. The FCA has proposed that firms use metrics in order to measure their impact tolerances. The metrics which firms decide to use have not been defined; however, the FCA has stated that a time metric is mandatory.
In practice, the main question you need to ask is: how long can an important business service be unavailable before it causes intolerable levels of harm to customers, or the integrity of the UK financial markets?
An important factor to consider when setting impact tolerances is substitutability. This is essentially how easy it is for customers or users to find an alternative service or activity which enables them to avoid intolerable harm.
The FCA has proposed that firms should have internal and external communication strategies in place to respond quickly and effectively to reduce the harm caused by operational disruptions. Firms should consider the relevant escalation paths required internally during an incident, as well as how they would communicate to advise or warn customers of a disruption.
Firms must take steps to ensure that they can remain within the impact tolerances they set for each important business service in the event of ‘a severe but plausible disruption to operations’ – in layman’s terms, that zombie apocalypse mentioned earlier. The FCA and the PRA have expressly stated that they expect firms to notify them if they fail to meet an impact tolerance, pursuant to Principle 11 and Fundamental Rule 7.
Mapping and Scenario Testing
In order to have a complete view of resilience, firms are required to identify, document and keep under review the resources required to deliver each of their important business services. These include the people, processes, technology, facilities (such as locations and third-party services), and information necessary to deliver each important business service. It is relevant to add that internal services such as human resources, payroll systems, and zombie fighters are not included in the FCA’s definition of ‘important business services’.
Firms are required to have in place ‘sound, effective and comprehensive strategies, processes and systems’ which must be ‘comprehensive’ but ‘proportionate to the nature, scale and complexity of the services provided’. Firms are also required to produce a self-assessment document which shows how they meet the operational resilience requirements and which is to be made available to the regulator on request. The self-assessment will require approval and sign-off at Board level, and the regulators expect the self-assessment document to show the firm’s ‘resilience journey, testing, and lessons learned.’
The FCA Handbook details what must be included within the self-assessment document and other important information: see SYSC 15A.6 Self-assessment and lessons learned exercise documentation.
Firms must also have identified any vulnerabilities in their operational resilience. The aim is to review and amend/improve systems and controls so that by March 2025, firms can ensure they remain within the impact tolerances set – in other words, are ready and prepared to keep clients happy and not impede the integrity of the UK financial markets in the event of World War Z!
You thought that was it!
We still need to cover outsourcing and third party risk management – the PRA published a whole paper on the topic so it would be rude to completely skip over it!
When using a third-party provider in the provision of important business services, the regulators have made it clear that the firm should work effectively with that provider to set and remain within impact tolerances. Likewise, with mapping, the regulators expect firms to be responsible for accurately mapping any relationship outsourced to an external third party. If firms are unable to obtain sufficient information from the third party to satisfy themselves that they can operate within the tolerances set, then the firm should review and where necessary change their arrangements. The level of assurance firms receive from third-party suppliers should be proportionate to the size and complexity of the firm, and reflect the materiality and risk of the outsourcing/third-party arrangement. Ultimately, the requirements to set and remain within impact tolerances remain the responsibility of the firm, regardless of whether it uses external parties for the provision of important business services.
From 31st March 2022, applicable firms must have completed the following:
1. Identified important business services
2. Set impact tolerances
3. Mapped the resources required for the execution of those important business services
4. Carried out scenario testing in order to identify vulnerabilities in the firm’s own operational resilience
The aim is that once this is done initially, firms then review and amend/improve systems and controls so that by March 2025 they can ensure they remain within those impact tolerances.
Need help? Expert assistance is just a click away…
Our team of knowledgeable consultants have been working with a range of clients across the FinTech spectrum to assist in identifying their important business services, as well as advising on how best to map the resources required to deliver each service. Our template OR (Operational Resilience) document provides firms with the ‘starting point’ to begin this process, and includes prompts and tips on the information which needs to be considered. Not only this, but it also enables firms to comply with the requirement to document their ‘Operational Resilience journey’.
One-to-one sessions with a dedicated compliance professional (not a compliance zombie) will allow us to apply scrutiny to your firm’s OR work, enabling your firm to iteratively improve the depth and robustness of its Operational Resilience programme.
Unfortunately, we can’t help you with actual flesh eating zombies, but we can help with all things compliance.
Don’t be complacent, be compliant!