FCA Resilience rules and guidance

Regulation scope

In early 2021, the Financial Conduct Authority (FCA), in partnership with the Bank of England (BoE) and the Prudential Regulation Authority (PRA), published new rules and guidance designed to strengthen the operational resilience of the UK financial services sector.

Below, you will find an overview of the key requirements and practical considerations for boards and senior managers when preparing for, and implementing the rules, which came into force on 31 March 2022.

These rules apply to banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, Enhanced scope Senior Managers and Certification Regime firms, and entities authorized and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011.

However, financial services firms not in scope for these rules should also consider this policy framework, as they may find it beneficial to support their operational resilience and strengthen their infrastructure.

At Cognition Shared Solutions LLC, we have been helping our clients meet and exceed these requirements via process mapping and building a resilience framework.

What is operational resilience?

FCA created the new rules to increase the oversight of resilience planning and management in the UK financial sector. Operational resilience is the ability of firms, financial market infrastructure, and the financial sector to absorb, adapt, recover and learn from operational disruption. It extends beyond business continuity and disaster recovery and is a strategic priority for regulators across the globe.

Why is it important?

Operational disruptions and the unavailability of essential business services can cause wide-reaching harm to consumers and/or risk to market integrity, threaten the viability of firms and cause instability in the financial system.
Like previous examples of disruptions, the coronavirus pandemic has again highlighted the interconnectedness of the financial sector across the globe. Disruptions can and are likely to happen and will likely take as yet unseen forms. While preparing for known threats is important, true resilience means being ready to withstand impacts yet unknown.

• Process mapping

  As the first step, firms must identify and map their essential business processes, which could cause ‘intolerable levels of harm’ to the firm, its clients, or the markets.
  The mapping will vary across firms, depending on their size, scale, and complexity. However, it must be sufficiently granular to allow firms to enumerate and document the people, processes, data, and systems necessary to deliver the identified essential business services.

• Setting impact tolerances

  Companies must set impact tolerances for 'severe but plausible' disruptions to each of their essential business services. The impact tolerances, and the range of severe but plausible scenarios, must be monitored and should evolve over time to match the economic, technological, and socio-political conditions.
  When defining their impact tolerances, payment service providers must also consider their obligations under the European Banking Authority (EBA) Guidelines on Information and Communication Technology (ICT) and Security Risk Management.

• Scenario testing

  Companies must carry out scenario testing to assess whether they can remain within the impact tolerances they have set for each of their essential business services in a severe but plausible disruption to their operations. Firms must identify an appropriate range of adverse circumstances of varying nature, severity, and duration relevant to their business and risk profile and consider the risks of delivering the firm's essential business services. Potential sources of disruption could include cyber-attacks, telecommunications/power outages, third-party supplier failure, the unavailability of key people, or natural hazards such as fire, flood, or severe weather.
  If any issues are identified through audits, after carrying out scenario testing, or after an operational disruption, firms must remedy any vulnerabilities which would prevent them from staying within the defined tolerances.
  Companies must develop internal and external communication strategies to enable acting “quickly and effectively” to reduce the anticipated harm caused by operational disruptions. The regulators expect firms to consider how they would promptly provide important warnings or advice to clients and other stakeholders and gather information about the cause, extent, and impact of operational incidents.
  Companies should also consider their reporting obligations to the FCA (under Principle 11), the PRA (where dual-regulated), Action Fraud (if the incident is criminal), the Information Commissioner's Office (if the incident involves a data breach), and the National Cyber Security Centre and the Cyber Security Information Sharing Partnership (for cyber incidents).

How can we help?

At Cognition Shared Solutions LLC, we have extensive experience helping clients implement resilient business processes across different business models, geographies, and conditions. With the final implementation deadline fast approaching, we can help your business be ready with 'sound, effective and comprehensive' documentation, governance, and review frameworks.