How-to guide: The UK operational resilience regime in financial services (UK)

Updated as of: 07 April 2025

Introduction

This guide provides an overview of the rules and guidance from the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) that came into force on 31 March 2022. It gives context about the financial services sector and the requirements to strengthen the operational resilience of firms, and it considers the road map to full compliance by 31 March 2025 for in-scope firms. It is aimed at in-house lawyers and compliance professionals advising impacted firms on their operational resilience strategy and approach.

This guide covers:

  1. Introduction to operational resilience
  2. New rules and guidance
  3. Delivering operational resilience

This guide can be used in conjunction with the following How-to guides: Introduction to the UK financial services regulators, Corporate governance in financial services and Checklist: Running an effective board meeting.

Section 1 – Introduction to operational resilience

1.1 What is operational resilience?

An operationally resilient financial system is, in the words of the FCA, ‘one that can absorb shocks rather than compound them’. The ability to absorb shocks and to ensure the UK financial sector is operationally resilient ‘is important for consumers, firms and the financial markets’.

Operational disruptions are not just threats such as a pandemic like Covid-19 or natural disasters but extend to ‘human-led’ threats associated with cyberattacks, data breaches or third-party operational incidents that cause disruption to others. These exposures can impact systems, people and processes, and actively putting robust measures in place can help to protect the delivery of key services for clients.

1.2 Recent examples

Recent operational incidents flagged by the PRA include the ‘July 2024 worldwide IT outage caused by a flawed update distributed by CrowdStrike (a cyber-security technology firm), a July 2024 outage at Swift (a global messaging service) impacting wholesale payments in the UK and other countries, as well as cyber-attacks on ICBC Financial Services (a US broker-dealer) and ION (a third-party provider of derivatives clearing services) in November and February 2023 respectively’. See Financial stability paper no. 50 – Operational resilience in a macroprudential framework.

1.3 Why does operational resilience matter?

The PRA and the FCA define operational resilience as ‘the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption’. Firms include financial institutions such as banks, building societies, insurance companies and certain large investment firms. Financial market infrastructures (FMIs) include the entities that allow the clearing, settlement and recording of financial transactions, such as central counterparties, payment systems and central securities depositories.

The concept of operational resilience in UK financial services is not new. Regulatory obligations already exist in the sector. For example, FCA Principle 3 and the PRA’s Fundamental Rule 6 require firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems, and the Senior Management Arrangements, Systems and Controls sourcebook of the FCA Handbook (SYSC) sets out the requirements for firms to establish risk management and governance arrangements.

Recently, however, the FCA, the PRA and the Bank of England (BoE) have placed a spotlight on operational resilience and prioritised compliance within their respective regulatory priorities to bolster requirements in the financial sector. This message is reiterated in the FCA Business Plan 2024/5 and the PRA Business Plan 2024/5.

Firms may also have to comply with obligations on operational resilience at an EU level (eg, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), which applies from 17 January 2025) and at an international level; however, these are not discussed in any more detail in this guide. See Quick views: Understanding the application and scope of DORA and DORA compliance – regulatory requirements, technical standards and guidelines.

Section 2 – New rules and guidance

2.1 Background

The BoE, the PRA and the FCA published a discussion paper in 2018, Building the UK Financial Sector’s Operational Resilience, in which they noted that the operational resilience of firms and FMIs was a priority and ‘viewed as no less important than financial resilience’. The discussion paper reinforced the need for firms and FMIs to improve responses and communications in the face of disruption.

In December 2019, a suite of consultations sought industry feedback on the proposals:

2.2 FCA and PRA operational resilience framework

Feedback on the consultations and the final rules and guidance were published by the FCA, PRA and BoE on 29 March 2021 alongside a joint covering document, Operational Resilience: Impact tolerances for important business services, setting out how firms should build out their strategy and a time frame for implementation. The approach assumes that disruptions are inevitable; the objective is for firms and FMIs to plan and deliver improvements to their operational resilience so that they can respond effectively in the event of a disruption. This signalled a renewed focus on the regulation and supervision of operational resilience in the UK.

2.2.1 FCA requirements

FCA rules and guidance are set out in a new chapter of SYSC - SYSC 15A.

See Building operational resilience (PS21/3), the FCA webpage Operational Resilience, and Operational resilience: insights and observations for firms, published by the FCA in March 2024 following a review of firms.

Applicable to: banks, building societies, designated investment firms, insurers, UK-recognised investment exchanges, enhanced scope firms within the Senior Managers and Certification Regime, and entities authorised or registered under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011. The regime does not apply to firms that have their registered office (or, if none, head office) outside the UK (eg, an overseas firm operating in the UK through a branch).

Firms not subject to these rules should continue to meet their existing FCA obligations. These are set out in Annex 4 of CP19/32 and Annex 2 of PS21/3.

2.2.2 PRA requirements

The PRA requirements are in the Operational Resilience parts of the PRA Rulebook, namely Operational Resilience – CRR Firms; Operational Resilience – Solvency II Firms; and Chapter 22 in the Group Supervision Part of the PRA Rulebook.

PRA guidance for firms is outlined in PS6/21 and SS1/21 on Operational resilience: Impact tolerances for important business services. See also Statement of Policy – Operational Resilience which clarifies what operational resilience means for firms and how the PRA’s operational resilience policy affects its approach to other regulatory areas – governance, operational risk management, business continuity planning and the management of outsourced relationships.

Applicable to: UK banks, building societies, PRA-designated investment firms, UK Solvency II firms, the Society of Lloyd’s and its managing agents.

Outsourcing and third-party risk management

Alongside these, the PRA published a policy statement on outsourcing and third-party risk management (PS7/21), which also contained the PRA’s final Supervisory Statement SS2/21. Effective from 31 March 2022, SS2/21 enhances operational resilience by complementing existing operational resilience policies and facilitating ‘greater resilience and adoption of the cloud and other new technologies’. The framework includes measures around robust governance and undertaking risk assessments and due diligence during the pre-outsourcing phase. It also outlines expectations for written agreements covering data security, audit and information rights, business continuity and exit strategies.

Applicable to: UK banks, building societies, PRA-designated investment firms, insurance and reinsurance firms and groups in scope of Solvency II, including the Society of Lloyd’s and managing agents (insurers) and UK branches of overseas banks and insurers.

2.2.3 Operational incident and third-party reporting

On 13 December 2024, the FCA and the PRA (and the BoE) published consultation papers setting out proposals on how and when firms should report operational incidents and provide details of material third-party arrangements. The consultations set out regulatory expectations for reporting incidents assessed against specified thresholds; determining which operational incidents meet these criteria will be a matter of the firm’s judgement.

The closing date for responses was 13 March 2025 and regulatory policy statements are expected in the second half of 2025 (with projected date for compliance expected in the second half of 2026). Firms should monitor these developments alongside existing incident reporting obligations.

2.2.4 BoE requirements

The Bank of England’s policy on the operational resilience of FMIs aims to enhance the stability and robustness of critical entities to protect the wider financial sector from the impact of operational disruptions. Detailed policy statements and supervisory statements applicable to each individual FMI type are set out below; however, these are not discussed further in this guide:

Section 3 – Delivering operational resilience

3.1 Implementation time frame

The first milestone to compliance was 31 March 2022 when firms were required to have identified important business services, set impact tolerances and carried out mapping and testing and identified vulnerabilities in their operational resilience. This date marked the start of a three-year transitional period for firms which ended on 31 March 2025.

3.1.1 Identified important business services

Important business services are the key external services provided by a firm, or by another person on behalf of the firm that if disrupted could pose a risk to the firm, harm to clients or the soundness, stability or resilience of the UK financial market. Both regulators state this should not include internal business services such as staff payroll as the focus is on those important business services that deliver specific outcomes to external end users.

An important business service for one firm may not be appropriate for another – they will vary firm by firm and regulators expect firms to take an outcomes-based approach. By now, firms (with engagement from boards and senior managers) should have identified important business services at a level of granularity that enables an impact tolerance to be applied (see 3.1.2 below). Getting the parameters right within the ‘pool’ of business services is a critical first step in shaping the policy.

The PRA notes that important business services deliver a specific outcome or service to an identifiable user and should be distinguished from business lines, such as mortgages, which are a collection of services and activities.

The definitions of ‘important business services’ as set out by the FCA (see Glossary of FCA Handbook) and PRA (see Operational Resilience parts of the PRA Rulebook) vary:

An important business service is a service provided by a firm to one or more clients where a disruption to the provision of the service could (paraphrased):
  • pose a risk to the soundness, stability or resilience of the UK financial system (FCA and PRA)
  • pose a risk to the firm’s safety and soundness (PRA)
  • threaten policyholder protection (PRA)
  • cause intolerable harm to one or more of the firm’s clients (FCA)
  • pose a risk to the orderly operation of the financial markets (FCA)

Neither regulator sets out an exhaustive list of factors for firms when considering important business services, but they have provided some examples including:

Example

FCA – the nature of the client base, including vulnerabilities that would make the person more susceptible to harm from a disruption; the ability of clients to obtain the service from other providers; the time criticality for clients receiving the service and the number of clients that would be affected. See SYSC 15A.2.4G.

PRA – financial stability and the impact on the wider financial sector and UK economy; the firm’s safety and soundness ie, the impact on the firm itself including profit and loss, potential to cause reputational damage and/or legal or regulatory censure. See SS1/21.


CP19/32 and PS21/3 (FCA) and CP29/19 and PS6/21 (PRA) provide more explanation of the considerations and approach when making the assessment.

For dual-regulated firms (ie, those regulated by both the PRA and the FCA) firms should have considered the distinction in the respective rules noting the FCA ‘conduct’ focus is on the assessment of failures that are likely to lead to customer harm and the PRA ‘prudential’ focus is on the disruption causing harm to the stability of the sector. See How-to guide: Introduction to the UK financial services regulators.

The FCA has emphasised that firms should consider vulnerable customers when identifying important business services (see SYSC 15A.2.4G(1)). Firms are encouraged to consider the examples of good practice and areas for improvement to take account of outcomes for customers in vulnerable circumstances, and to consult the finalised guidance on the fair treatment of vulnerable customers.

All (in-scope) firms will have at least one important business service and identifying it will be a matter of judgment as to what is appropriate for them. In all cases important business services should be kept under review:

Example

FCA – at least on an annual basis, or if there is a material change to the business or the operating market eg, new outsourcing arrangements. Firms should review their existing important business services and assess whether there are any changes during the year. When choosing to remove an important business service following an annual review, firms should carefully consider the rationale and justification for doing so.

PRA – firms should review their important business services annually at a minimum, or sooner if a significant change occurs, and firms need to assess whether any changes are required to their list of important business services.

3.1.2 Setting impact tolerances

Firms must set impact tolerances once they have identified their important business services. Impact tolerances are the maximum level of disruption that an important business service can withstand without causing intolerable harm to customers or risk to market integrity. To identify what constitutes ‘intolerable harm’, see the examples set out in CP19/32 – for example, the number and types (such as vulnerability) of consumers adversely affected and the nature of the impact, financial loss to the firm, or the level of reputational damage where this could harm the firm’s consumers. The FCA considers that what constitutes intolerable harm will vary from firm to firm and across sectors; however, it is harm from which consumers cannot easily recover – for example, where a firm is unable to restore a client’s financial position to what it should be, or where there have been serious non-financial impacts that cannot easily be remedied.

Firms were expected to have set at least one ‘impact tolerance’ for each important business service by 31 March 2022, which should relate to a single disruption. SYSC 15A.2.3 notes that firms should treat each distinct relevant service separately and should not identify a collection of services as a single important business service. Firms must have taken steps to ensure they can remain within the impact tolerances in the event of ‘a severe but plausible disruption’ to operations.

Whilst the FCA and the PRA have used slightly different definitions of ‘impact tolerance’ in line with their respective statutory objectives and legal frameworks, they have made it clear that their policy and outcomes are aligned.

Example

FCA – ‘the maximum tolerable level of disruption to an important business service as measured by a length of time and any other relevant metrics, reflecting the point at which any further disruption to the important business service could pose intolerable harm to any one or more of the firm’s clients or risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets’.

Note the FCA considers intolerable harm in this context as harm from which consumers cannot easily recover. It is more severe than mere inconvenience or minor harm as it implies that the disruption has long-lasting or irreversible effects on consumers.

PRA – ‘the maximum tolerable level of disruption to an important business service or an important group business service as measured by a length of time in addition to any other relevant metrics’.


In SYSC 15A.2.7G, the FCA notes factors that firms should consider when setting their impact tolerances and advises firms to take account of the fluctuations in demand for their important business service at different times of the day and throughout the year to ensure that the impact tolerances reflect these variations and are appropriate.

The regulators stress that the scenarios considered must be sufficiently severe and expect firms to consider previous incidents or ‘near misses’ within the organisation, across the financial sector and within other sectors and jurisdictions. If asked to explain the choice of impact tolerances, senior managers are likely to be challenged where the tolerances are set very high, as the regulators may view this as inappropriate risk-taking in the running of the business. Impact tolerances should be kept under review. The respective definitions of impact tolerance are set out in the Glossary of the FCA Handbook and the Operational Resilience parts of the PRA Rulebook.

Measuring impact tolerances

Firms should assess impact tolerances using clear metrics and, at a minimum, a time-based metric: the maximum tolerable duration of a disruption. Other metrics may be added depending on the type of important business service in question – for example, the extent of disruption measured by the value and types of transactions or the types of customers affected. Where recovery is not possible within the given time frame, firms should consider mitigating responses; note, however, the FCA’s point that ‘impact tolerances are different from recovery time objectives’.

For dual-regulated firms this can be challenging when managing the hierarchy of impact tolerances for each of their important business services (the impact tolerances could be the same or they may differ). Dual-regulated firms are expected to set and manage up to two impact tolerances for each of their important business services in line with the regulatory objectives ie, one at the first point where there is an intolerable level of harm to consumers or market integrity (FCA) and another at the point where financial stability, the firm’s safety and soundness, or policyholder protection is put at risk (PRA).

Dual-regulated firms can set their impact tolerances at the same point if they are sure that this is suitable or they may differ; however, the decision should be ‘explainable’ upon request.

The PRA and FCA expect that work done to meet the requirements of one regulator should be leveraged to meet those of the other, viewing the design and goal of their respective policies as the same. In practice, both regulators note that firms may concentrate their efforts to remain within the most stringent tolerance point provided they can show they have fully considered their regulatory objectives and their response and recovery arrangements in line with periods of disruption, and that scenario testing has been performed with the longer impact tolerance in mind.

Remaining within impact tolerance levels

The aim of the regime is for all firms to remain within the impact tolerance levels set for all important business services should a ‘severe but plausible’ disruption occur. Both the FCA and the PRA expect firms to review this obligation at least annually and consider whether they remain compliant if there is a change to the business or the market in which they operate.

Whilst a firm must ensure it is able to remain within its impact tolerance, the FCA guidance at SYSC 15A.2.10G indicates that a firm should generally not act to remain within an impact tolerance where this would put the firm in breach of another regulatory obligation, conflict with the proper exercise of a discretion granted to it under any rule or regulation, or result in an increased risk of harm to its clients or to the integrity or stability of the sector.

The FCA and the PRA expect firms to notify them if they fail to meet an impact tolerance, pursuant to obligations in Principle 11 of the FCA’s Principles for Business and Fundamental Rule 7 of the PRA’s Fundamental Rules as applicable.

3.1.3 Mapping and scenario testing

Firms must have sound, effective and comprehensive strategies, processes and systems to enable them to comply with the operational resilience requirements, which must be comprehensive but proportionate to the nature, scale and complexity of activities.

Mapping

Firms must map out and identify the necessary people, processes, technology, facilities and information (referred to as ‘resources’) necessary to support delivery of each of the important business services. See PS21/3 for a steer on what these are.

The level of detail must identify both the necessary resources and the level of criticality. Firms had until 31 March 2025 to address any gaps or weaknesses identified in the ‘mapping’ exercise and progress remediation activities and investment to improve systems and processes for vulnerabilities and weaknesses identified (eg, single points of failure or dependencies on third parties).

The level of granularity will vary (and the supervisory authorities expect firms to meet the outcomes of the policy and document their mapping proportionate to their size, scale and complexity). Firms should also consider where resources are provided via third-party service providers, whether intra-group or external and if these arrangements pose a threat to their operational resilience. Failure to stay within an impact tolerance is the responsibility of the firm and relationships with third parties should be managed and reviewed.

In all cases, the mapping exercise should be updated at least annually or following a significant change (if earlier).

Scenario testing

It is not enough to show the desktop methodology for compliance. Firms must conduct rigorous programmes which regularly test their ability to remain within impact tolerances in a range of ‘severe but plausible’ scenarios and they were expected to have outlined the testing performed to identify important business services, set impact tolerances and identify any vulnerabilities in findings.

To assess how robust their approach is, firms should develop test scenarios relevant to their business and risk profile across a diverse range of adverse scenarios, consider these risks against delivery of the firm’s important business services, and vary the circumstances and scenarios. Firms should understand their risks and vulnerabilities, understand the impact of disruption on them and have a plan to respond to operational incidents.

The FCA requires firms to carry out scenario testing regularly, and in any event where there is a material change to their business, important business services or impact tolerances, or following enhancements made because of gaps identified.

The FCA has set out considerations at SYSC 15A.5.6G for firms when carrying out scenario testing including:

  • corruption, deletion or manipulation of data critical to the delivery of its important business services;
  • unavailability of facilities or key people;
  • unavailability of third-party services, which are critical to the delivery of its important business services;
  • disruption to other market participants, where applicable; and
  • loss or reduced provision of technology underpinning the delivery of important business services.
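The mapping and scenario-testing steps above can be made concrete in a small model. The following Python example is added here to illustrate the approach; it is not code from the guide or from either regulator, and the service, resource and provider names are hypothetical. It represents the mapped resources of one important business service as groups of interchangeable alternatives, lists single points of failure and third-party dependencies found by the mapping, and then runs ‘severe but plausible’ scenarios of the kinds listed in SYSC 15A.5.6G (loss of a facility, a third-party service, key people or core technology) to estimate the resulting outage against the service’s time-based impact tolerance. The recovery-hours figures stand in for a firm’s own estimates of how long each resource takes to restore; as the guide notes, an impact tolerance is not the same thing as a recovery time objective, so the model should be read as a test of whether the firm can stay within tolerance, not as a statement of the tolerance itself.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Resource:
    """One mapped resource (person, process, technology, facility or information)."""
    name: str
    recovery_hours: float               # firm's estimate of time to restore if lost
    third_party: Optional[str] = None   # provider name when supplied externally


@dataclass
class ImportantBusinessService:
    """An important business service, its impact tolerance and its resource map."""
    name: str
    impact_tolerance_hours: float
    # Each entry is a group of interchangeable resources; the service needs at
    # least one available resource from every group to be delivered.
    requirements: List[List[str]]


# Constructed sample mapping with hypothetical names (not from any real firm).
RESOURCES: Dict[str, Resource] = {
    "core_ledger": Resource("core_ledger", recovery_hours=8.0),
    "gateway_a": Resource("gateway_a", recovery_hours=2.0),
    "gateway_b": Resource("gateway_b", recovery_hours=2.0),
    "dc_london": Resource("dc_london", recovery_hours=24.0),
    "dc_slough": Resource("dc_slough", recovery_hours=24.0),
    "msg_network": Resource("msg_network", recovery_hours=6.0,
                            third_party="ExampleMessagingCo"),
    "ops_team": Resource("ops_team", recovery_hours=3.0),
}

RETAIL_PAYMENTS = ImportantBusinessService(
    name="Retail payments",
    impact_tolerance_hours=4.0,
    requirements=[
        ["core_ledger"],                 # no alternative: a single point of failure
        ["gateway_a", "gateway_b"],      # redundant pair
        ["dc_london", "dc_slough"],      # either data centre can host the service
        ["msg_network"],                 # third-party dependency, no alternative
        ["ops_team"],                    # key people
    ],
)


def single_points_of_failure(ibs: ImportantBusinessService) -> List[str]:
    """Resources that appear alone in a requirement group: losing one stops the service."""
    return [group[0] for group in ibs.requirements if len(group) == 1]


def third_party_dependencies(ibs: ImportantBusinessService,
                             resources: Dict[str, Resource]) -> Dict[str, str]:
    """Map each externally supplied resource the service relies on to its provider."""
    deps: Dict[str, str] = {}
    for group in ibs.requirements:
        for name in group:
            provider = resources[name].third_party
            if provider:
                deps[name] = provider
    return deps


def assess_scenario(ibs: ImportantBusinessService, resources: Dict[str, Resource],
                    unavailable: Set[str]) -> dict:
    """Estimate the outage a scenario causes and compare it with the impact tolerance.

    A requirement group is down only when every alternative in it is unavailable.
    Restoring a down group takes the time of its quickest member to recover, and
    groups are restored in parallel, so the outage is the longest group recovery.
    """
    down_groups = [g for g in ibs.requirements if all(n in unavailable for n in g)]
    outage = 0.0
    for g in down_groups:
        outage = max(outage, min(resources[n].recovery_hours for n in g))
    return {
        "scenario": sorted(unavailable),
        "down_groups": down_groups,
        "outage_hours": outage,
        "within_tolerance": outage <= ibs.impact_tolerance_hours,
    }


if __name__ == "__main__":
    print("Single points of failure:", single_points_of_failure(RETAIL_PAYMENTS))
    print("Third-party dependencies:", third_party_dependencies(RETAIL_PAYMENTS, RESOURCES))
    scenarios = {
        "loss of one payment gateway": {"gateway_a"},
        "loss of the London data centre": {"dc_london"},
        "ransomware on the core ledger": {"core_ledger"},
        "messaging provider outage": {"msg_network"},
        "key operations staff unavailable": {"ops_team"},
    }
    for label, lost in scenarios.items():
        result = assess_scenario(RETAIL_PAYMENTS, RESOURCES, lost)
        print(f"{label}: outage {result['outage_hours']}h, "
              f"within tolerance: {result['within_tolerance']}")
```

Run as a script, the model reports that losing a single gateway or data centre causes no outage because the redundant partner absorbs it, while the ledger and messaging-provider scenarios breach the four-hour tolerance; those two findings are exactly the vulnerabilities a firm would record in its self-assessment, with the board’s decision on remediation or risk acceptance. Extending the model to two tolerances per service (the dual-regulated case in 3.1.2) is a matter of comparing the same outage estimate against both figures.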

See also Operational resilience: insights and observations for firms which provides useful guidance for firms and practical tips for compliance based on an FCA review on the preparations firms have made.

The PRA expects firms to develop a testing plan that details how they will gain assurance that they can remain within impact tolerances for important business services. The PRA also provides a list of considerations for firms when developing a testing plan, which should be undertaken on a regular basis - the expectation being that firms making changes to their operations will do so more regularly. See chapter 6 – SS1/21.

Ongoing requirements

Where findings indicate that a breach of an impact tolerance would occur, record how this has been addressed by the board or senior managers (eg, whether remediation actions are possible or whether a level of risk acceptance has been agreed). This is not a tick-box exercise, and requirements should be reviewed on an ongoing basis. The regulators recognise this as an evolving process: the format and type of mapping and testing are iterative, and best practice will mature over time. Firms should set realistic time frames for scenario testing; the end of the transition period on 31 March 2025 does not end the obligation to keep testing.

Lessons learned

Lessons learned should be documented, prioritised and fed back into plans and policies to improve the ability to respond (ie, ability to rapidly identify the scale of the impact) and recover from future operational disruption as effectively as possible. These could arise from scenario testing or via practical experience in the event of an operational disruption and should be included in the self-assessment document (to the FCA or the PRA) – see section 3.1.6 below.

Communications

Under SYSC 15A.8, the FCA requires firms to maintain effective internal (consider upward reporting and methods of decision-making) and external communications strategies to act quickly to reduce the anticipated harm and risks caused by operational disruptions. Firms should provide the FCA with timely incident notifications (see also section 2.2.3).

As part of a firm’s communications strategy, the firm should:

  • consider, in advance of a disruption, how it would provide important warnings or advice quickly to clients and other stakeholders, including where there is no direct line of communication;
  • use effective communication to gather information about the cause, extent and impact of operational incidents; and
  • ensure that their choice of communication method takes account of the circumstances, needs and vulnerabilities of their clients and other stakeholders.

Firms must provide clear, timely and relevant communications to stakeholders (ensure contact details are updated), and due to increasing regulatory scrutiny of communications with vulnerable customers, firms should consider this group of stakeholders together with consumers where there is no direct line of communication.

The PRA similarly emphasises the importance of effective internal and external communication to ensure timely and clear communication with stakeholders during and after operational disruptions. Plans should include escalation paths and identify decision-makers; for example, they should address how to contact key individuals, operational staff, suppliers and the appropriate regulators.

3.1.4 Record-keeping

Keeping records of compliance with the rules is imperative – this includes the rationale for decision-making and decisions taken, identification of important business services, impact tolerances, mapping, scenario testing, lessons learned and the communications strategy. Record all decisions at the time they are taken (including the rationale for doing so) and any investments made by the firm to operate consistently within impact tolerances. Consider the method of recording to ensure it is clear. Meticulous record-keeping and having a robust audit trail will save time and money. Otherwise, at some point in the future, trying to figure out what happened could be very costly and risk sanction and reputational damage in the event of investigation and enforcement.

3.1.5 Governance and senior manager obligations

Good governance is inherent in all elements of the operational resilience strategy, and boards and senior managers are accountable for setting appropriate standards across the firm and ensuring that adequate systems and controls are in place.

Board members and senior managers should have the knowledge, skills and experience to identify and address vulnerabilities and gaps, approve the strategy eg, identification of important business services, setting impact tolerances and the self-assessment (see 3.1.6 below), prioritise improvements, consider allocation of resources and foster a culture of resilience.

Input will be required across multiple business functions and lines of reporting should be established so that boards have the appropriate board briefing papers and management information to inform their decisions. The board needs to not only understand what has been set but why.

Staff/employees should be aware of the procedures and policies in place. The correct messaging from the ‘top’ is key so that all staff/employees understand the importance of maintaining standards of resilience risk.

Board chairs must ensure that the board can provide constructive challenge to senior managers and that the board maintains a culture of risk awareness as part of their oversight function. Detailed board minutes should record discussions, and these should be retained as evidence of board strategy and input. See Checklist: Running an effective board meeting.

Where a firm does not have a board, senior management should assume these responsibilities, and buy-in from the senior management team is critical. Operational resilience is not a one-off exercise; it should be embedded in day-to-day business as usual alongside the firm’s enterprise-wide risk governance framework, which the FCA notes includes change management and strategic planning. Failure to comply could risk sanction at entity or individual level.

Where applicable, organisational responsibility falls within the Chief Operations Senior Management Function (SMF24) (including that the board get the right information); however, the FCA notes that if there is no individual performing this function then it is up to the firm to decide and delegate who should have responsibility for operational resilience.

For senior managers, firms should reflect this role in their statement of responsibilities and provide training to senior managers (on induction and on an ongoing basis). Consider who within the firm is responsible for horizon scanning and monitoring the impact of key changes, preparing for compliance with any incoming standards, or keeping an eye on evolving risks to ensure that risks from ‘severe but plausible’ scenarios are kept under review.

Boards for all in-scope firms need to be alive to threats, keep self-assessment and lessons learned under review to ensure the firm can remain within impact tolerances. Operational resilience should feature regularly on the boardroom agenda. Getting input from legal and compliance teams is advisable from a governance perspective and firms need to ensure they have a comprehensive audit trail of all steps taken to implement the operational resilience requirements.

Example

FCA – boards and senior managers are responsible for oversight of the operational framework including review of important business services, impact tolerances and the self-assessment to ensure processes are robust and current. Boards and senior managers must ensure that adequate resources are dedicated to maintaining and improving operational resilience.

PRA – the PRA requires boards and senior management to approve important business services and impact tolerances; approve and review the self-assessment; and make decisions for the benefit of the firm’s operational resilience.

3.1.6 Self-assessment

All in-scope firms are required to prepare and update a written self-assessment document that records the firm’s compliance with the regime and its operational resilience. There is no specific template, but in all cases the document should be well structured and accurately reflect the approach taken.

The full rationale for selecting an important business service, the clarification of impact tolerances and any reliance on outsourcing arrangements should be evidenced in the self-assessment. Where changes occur that may impact operational resilience, these should be noted. Consider who is in charge of gathering the information and completing the different sections. Involve all relevant areas of the business early so that the board has all the information required to enable sign-off.

The board and senior management will need to approve the information provided in the self-assessment document and keep it under regular review. The FCA notes that good self-assessment documents ‘allow governing body members to understand their firm’s position and roadmap to resilience. They include an overview of vulnerabilities found, scenarios tested (with the outcome of those tests), remediation plans, and the firm’s strategy to ensure they can remain within impact tolerances for all important business services no later than 31 March 2025’.

Firms will be expected to provide the self-assessment document to the FCA or PRA upon request (or make it available for inspection). If it is not drafted with skill and care, it has the potential to expose the firm to risk in the event of an investigation or enforcement action.

Example

FCA – a firm must keep a written record of its assessment of compliance and lessons learned. Firms have discretion to include additional information and may wish to include internal or external audit reports. The format can be a text document, slide deck or spreadsheet, and the record may also be presented as multiple files of different types. A firm must retain each version of the records referred to in SYSC 15A.6.1R for at least six years and, on request, provide these to the FCA.

PRA – firms must prepare and regularly update a written self-assessment of their compliance with the operational resilience regime including setting impact tolerances. The content and level of detail must be proportionate to the nature, scale and complexity of the firm’s activities. The PRA expects firms to document details of their scenario testing, including assumptions made in relation to scenario design and any identified risks to the firm’s ability to remain within impact tolerances. Firms must maintain and be able to provide to the PRA on request a current version of their written self-assessment, together with all versions produced during the preceding three years – see chapter 9 of SS1/21 (PRA).

3.2 Full compliance

By 31 March 2025, firms should have sound and comprehensive strategies, processes, systems and controls to fully embed their operational resilience practices that enable them to address risk and to operate consistently within impact tolerances for each important business service in the event of severe but plausible disruption.

3.2.1 Critical third parties

The UK regulators have introduced rules and obligations for critical third parties (CTPs) recognising the threats to the sector and potential impact caused by failure or disruption of services provided by them.

PS16/24 – Operational resilience: Critical third parties to the UK financial sector, issued jointly by the BoE, PRA and FCA, details the supervisory expectations and final operational resilience rules and obligations for CTPs. This followed consultation CP26/23: Operational resilience: critical third parties. PS16/24 is primarily relevant to CTPs but may also be relevant to firms, even though the CTP regime does not impose additional, explicit requirements or expectations on them. See also the joint supervisory statement (which sets out the regulators’ expectations for compliance) and the memorandum of understanding.

The FCA and PRA are granted oversight powers under the Financial Services and Markets Act 2023 in relation to CTPs. CTPs are third-party service providers (including providers of cloud services and IT services, among others) of critical importance to the UK financial sector. The regime will enable the regulators to directly oversee the services provided by CTPs to financial services firms, to ensure financial stability and manage systemic risks in the event of operational disruption.

HM Treasury has the power to designate certain third parties as CTPs on the recommendation of the FCA and PRA. HM Treasury has not yet designated any CTPs, but the criteria for identifying potential CTPs are set out in the regulators’ approach to oversight document and include the materiality of services, and the concentration and substitutability of services. CTPs can be based in the UK or abroad, as the designation is not location specific.

The approach document provides further guidance on how the regulators intend to oversee CTPs in practice. The new rules do not change the responsibility of financial firms and FMIs to ensure they are resilient to operational disruptions and for managing their third-party suppliers in line with existing outsourcing and operational resilience rules.

Additional resources

PRA, FCA, Bank of England:

Operational Resilience: Impact tolerances for important business services
PS16/24 – Operational resilience: Critical third parties to the UK financial sector
SS6/24 – Critical third parties to the UK financial sector 

FCA:

PS21/3: Building operational resilience
Operational Resilience webpage
Operational resilience: insights and observations for firms

PRA:

PS6/21: Operational resilience: Impact tolerances for important business services
SS1/21: Operational resilience: Impact tolerances for important business services 
Statement of Policy: Operational Resilience

Related Lexology Pro content

How-to guides:

Introduction to the UK financial services regulators
Corporate governance in financial services

Checklists:

Running an effective board meeting
