Insights ¦ Building operational resilience: Feedback to CP19/32 and final rules

Published by: Financial Conduct Authority

Key Takeaways

  1. The FCA’s final rules build upon proposed frameworks to enhance operational resilience across the UK financial sector, focusing on important business services and impact tolerances.

  2. Firms are required to identify their important business services, with an emphasis on services that could cause intolerable harm or threaten market stability if disrupted.

  3. The policy applies to a broad range of firms, including banks, investment firms, insurers, RIEs, and certain authorised payment and electronic money institutions, but explicitly excludes overseas firms outside the UK jurisdiction.

  4. Firms must set impact tolerances for each important business service, reflecting the maximum disruption they can tolerate before harm becomes intolerable.

  5. Impact tolerances are to be determined based on severity of harm, duration of disruption, and other metrics, with time/duration as the mandated metric.

  6. The rules require firms to review their important business services at least once a year, or following material changes, ensuring continuous adaptation.

  7. Mapping exercises should be detailed but proportionate, enabling firms to pinpoint vulnerabilities by documenting people, processes, technology, and supporting information for each service.

  8. Scenario testing is mandatory, assessing the ability to remain within impact tolerances during severe, plausible disruptions; exercises should be updated when changes occur or at least annually.

  9. Conducting lessons learned exercises post-testing or disruption is crucial for continuous improvement and preparedness optimisation.

  10. Communication strategies, both internal and external, must be in place to manage incidents effectively, with particular attention to vulnerable consumers and stakeholders.

  11. The implementation transition is flexible, with firms having until 31 March 2025 to demonstrate they can operate within impact tolerances, despite the rules coming into force on 31 March 2022.

  12. The framework aligns with international standards and previous legislative guidance, reinforcing global consistency while allowing proportional application based on firm complexity and size.

Key Statistics

  • The FCA’s policy comes into effect on 31 March 2022, with a maximum transition period extending to 3 years, ending 31 March 2025.

  • Firms must complete mapping exercises to a sufficient level of detail by 31 March 2022, with ongoing updates required.

  • Impact tolerances are to be reviewed and set for each important business service at least annually or upon material change.

  • The consultation received 73 responses, of which most supported the proposed framework, with some requesting clarifications on granularity, vulnerable consumers, and implementation timelines.

  • Firms are expected to carry out impact tolerance assessments so that they can operate within these thresholds at all times, even during severe but plausible scenarios.

  • A detailed list of non-confidential respondents includes over 40 organisations spanning financial infrastructure, banking, insurance, legal, and consultancy sectors.

Key Discussion Points

  • The importance of clarity in identifying important business services that could cause harm or threaten market stability if disrupted.

  • The necessity for proportional mapping exercises, tailored to firm size and complexity, enabling vulnerability identification without unnecessary burden.

  • The significance of impact tolerances as a cornerstone, prescribing the maximum acceptable duration and severity of service disruptions.

  • The emphasis on ongoing review, ensuring impact tolerances and mapping are updated regularly and following material changes.

  • The role of scenario testing in validating resilience, including the use of severe but plausible scenarios, with consideration for external dependencies and third-party reliability.

  • The importance of lessons learned exercises for continuous process improvement, following tests or operational disruptions.

  • The mandatory use of time/duration as a core metric, with flexibility for additional metrics based on firm-specific circumstances.

  • The delineation of multiple impact tolerances for dual-regulated firms, with expectations for managing and justifying different thresholds.

  • The tailored transitional arrangements offering flexibility for firms to demonstrate capacity within impact tolerances by March 2025.

  • How firms should manage dependencies on third-party providers, including mapping cross-company supply chains and infrastructure.

  • The integration of operational resilience with existing regulatory frameworks and international standards, promoting consistency and clarity.

  • The explicit expectation that firms develop and maintain effective internal and external communication strategies, especially to vulnerable consumers and during systemic incidents.

Document Description

This article provides a comprehensive overview of the FCA’s final policy rules aimed at strengthening operational resilience within the UK financial sector. It builds on earlier proposals and clarifies requirements for firms to identify critical services, set impact tolerances, map operational dependencies, conduct scenario testing, and ensure effective communication. The article also covers transitional arrangements, regulatory alignment, and the ongoing evaluation of firms’ resilience measures, highlighting the importance of continuous improvement in an evolving operational landscape.

