New requirements on strengthening Operational Resilience set across the UK financial sector
The FCA in partnership with the Bank of England have developed and set out the final rules and guidance to promote a stronger regulatory framework and promote operational resilience for firms and the financial market infrastructures across the UK financial sector.
The rules set by the FCA and Bank of England apply to:
- Building societies
- PRA-designated investment firms
- Recognised Investment Exchanges
- Enhanced scope SM&CR firms
- Entities authorised and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011
The new rules and guidance will come into force on the 31st March 2022. A key change to the rules, has been the revision of the FCA’s definition of 'important business service'.
This means a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:
- Cause intolerable levels of harm to one or more of the firm’s clients
- Pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets
Firms will now be required to review its 'important business services' at least annually, or whenever there is a material change to their business or the market in which they operate.
Key areas of change under the new rules:
- Setting impact tolerances across your business
Firms will be required to remain within their impact tolerances at the first point at which a disruption to an important business service would cause intolerable levels of harm to consumers or risk to market integrity, as soon as reasonably practice, but no later than the 3 years after the rules come into effect.
The FCA have provide clarity in PS21/3 in order to assist firms on what is meant by ‘intolerable harm’ as this will vary from firm-to-firm and also across various sectors.
- Carry out mapping across your business
Firms will be required to carry out a mapping exercise across their business. This is integral to identifying and address vulnerabilities that impact the firm’s ability to remain with its impact tolerances. Firms need to consider any relationship with a third party an outsourcing relationship and accurately map these to the relevant people, processes, technology, facilities and information supporting important business services.
Firms will also need to ensure their mapping covers, people, processes, technology, facilities and information which are key areas that support the operation of important business services.
Where there is a material change to the firm’s business, the important business services identified, and impact tolerances should be assessed and updated within 1 year after it last carried out the relevant assessment.
- Carrying out scenario testing
Firms previously were expected to test the ability to remain within their impact tolerances annually. The FCA now expect Firms to undertake scenario testing where there is a material change to the firm and on a regular basis.