[INSIGHTS] Operational Resilience Regulation

Interesting discussion with Frank Brown this morning around the FCA Operational Resilience regulation that is currently live.

The regulation has required compliance from March 2022, with an expectation of full adoption by March 2025.

The details and scope of this seem to have gone largely under the radar. Frank stressed that this is not BCP, but it does look like business continuity planning with added guidance and compliance requirements. Like Consumer Duty, it is in some ways just good business practice.

The video will touch on this and on Consumer Duty; it should be out soon (sign up to get notified here).

Summary of the documents and review below.

Operational resilience is crucial for firms, financial market infrastructures, and the overall financial sector to effectively prevent, adapt to, respond to, recover from, and learn from operational disruptions. The Financial Conduct Authority (FCA) has set new operational resilience requirements for various types of financial institutions, such as banks, insurers, and investment firms. These requirements include mapping and testing important business services, operating within impact tolerances, and investing in resilience. The FCA has also observed the progress of insurance firms in implementing these requirements and provided guidance on reporting operational incidents. Additionally, potential measures to oversee critical third parties and the Authorities’ Response Framework for joint response coordination are discussed.

Key Points

  • Operational resilience is vital for the financial sector to absorb shocks and prevent harm to consumers, firms, and market integrity.
  • The FCA has established new operational resilience requirements for banks, insurers, investment firms, and other authorized entities.
  • Firms must identify important business services, set impact tolerances, conduct mapping and testing, and develop communication plans for disruptions.
  • The FCA has assessed insurance firms’ progress in implementing operational resilience requirements and shared observations for good practice.
  • Reporting material operational incidents, such as data loss or IT system unavailability, to the FCA is required under Principle 11 of the FCA’s Principles for Businesses.
  • Firms may need to report incidents involving criminal activity, data breaches, or cyber incidents to relevant authorities.
  • Potential measures are being considered to oversee the resilience of services provided by critical third parties.
  • The Authorities’ Response Framework facilitates joint coordination among financial authorities in responding to major operational disruptions.
  • The FCA offers self-assessment questionnaires (CQUEST and ORQUEST) to help firms evaluate their cyber and operational resilience capabilities.

Key Takeaways

Operational resilience is a key focus for financial institutions, and the FCA has established requirements to enhance it. Firms need to identify their important business services, set impact tolerances, and invest in resilience measures. The FCA expects firms to report material operational incidents promptly and cooperate openly. Insurance firms should take note of the FCA’s observations and strive for good practice. The potential oversight of critical third parties and the Authorities’ Response Framework aim to strengthen the overall resilience of the financial sector. Firms can assess their cyber and operational resilience capabilities using the FCA’s self-assessment questionnaires (CQUEST and ORQUEST).

Recommendation Summary from Guidance

  • Identify important business services that could cause harm to consumers or market integrity if disrupted.
  • Document the people, processes, technology, facilities, and information that support each important business service (mapping).
  • Set impact tolerances for each important business service (i.e., thresholds for maximum tolerable disruption).
  • Test your ability to remain within your impact tolerances through a range of severe but plausible disruption scenarios.
  • Conduct lessons-learned exercises to identify, prioritize, and invest in your ability to respond to and recover from disruptions as effectively as possible.
  • Agree with the proposed guidance on identifying important business services.
  • Consider other factors beyond the proposed guidance when identifying important business services.
  • Agree with the proposals for firms to set impact tolerances.
  • Provide feedback on the proposals outlined in this document.
  • Develop policies and frameworks based on the proposed approach of identifying important business services and setting impact tolerances for those services.
  • Dual-regulated firms should set at most 2 impact tolerances per important business service, while solo-regulated firms should set 1 impact tolerance per important business service.
  • Implement transitional arrangements and communication plans for implementing the policy framework.
  • Consider the cost-benefit analysis provided in Annex 2 when developing policies and frameworks.
  • Ensure compliance with regulatory requirements related to operational resilience in the financial sector.
  • Continuously monitor and improve your operational resilience based on feedback and lessons learned.