Authors

Clare Reynolds

Senior Counsel

Charlotte Hill

Partner

19 April 2021

Operational resilience: final policies from UK regulators

  • In-depth analysis

The FCA, PRA and Bank of England (BoE) on 29 March 2021 published their final and long-awaited policy papers on 'Building operational resilience'. This article highlights the key requirements and some of the challenges as firms look to implement the requirements.

Background and the concept of 'operational resilience'

When the FCA, PRA and BoE published their suite of consultation papers on operational resilience back in December 2019 (see our earlier article), Covid-19 was only just beginning to make headlines. The subsequent disruption caused by the pandemic has brought the issue of operational resilience to the fore, demonstrating why firms need to understand and invest in their resilience to enable them to protect themselves, consumers and the financial system from disruption. 

The simplest definition of operational resilience used by both the FCA and PRA is "the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption."

The regulators' approach to operational resilience is based on the assumption that disruptions will occur and will prevent firms from being able to operate as usual. The aim of embedding operational resilience in policy is to ensure that firms deliver improvements to resilience, so that they are able to respond effectively and continue to deliver key services when a disruption does occur. 

Central to the requirements is the idea that firms must identify their important business services and set an impact tolerance for each, based on the maximum tolerable level of disruption to an important business service. This represents a shift in thinking, away from thinking about the resilience of individual systems to instead considering the continuity of services that firms provide to their external users and customers.

What are the requirements and which firms do they apply to?

The regulators' expectations on operational resilience are set out in a number of documents, which apply to specific types of firm. Broadly these encompass:

  • FCA Policy Statement (PS21/3), including the Final Rules. The FCA's new SYSC Chapter 15A on operational resilience will apply to UK banks, building societies, enhanced scope SMCR firms, PRA-designated investment firms, insurers, recognised investment exchanges, electronic-money institutions, payment institutions and registered account information service providers. It does not apply to EEA firms.
  • PRA Policy Statement (PS6/21), including as appendices the PRA Supervisory Statement (SS1/21) and final revisions to the PRA Rulebook. The PRA's rules and guidance apply to UK banks, building societies, designated investment firms, and Solvency II firms (plus Lloyd's and its managing agents). Where a service is provided by a member of the firm's group outside of the UK, it might also be in scope as an "important group business service" if disruption to that service could pose a risk of harm. Accordingly, firms may need to consider how the proposals would affect them on a consolidated group basis.
  • Bank of England suite of policy statements on operational resilience, which apply to central counterparties, central securities depositories and recognised payment system operators.
  • The regulators have also published a Joint Paper from the FCA, PRA and BoE on building operational resilience.

For the purpose of this article, the firms identified above are referred to as "in-scope firms".

When do they apply?

The final rules for the FCA, PRA and BoE all come into force on 31 March 2022. The requirements include a one-year implementation period until 31 March 2022, during which in-scope firms can identify their important business services, set impact tolerances and begin to operationalise the framework. After this, in-scope firms must be able to remain within their impact tolerances as soon as reasonably practicable, but no later than 31 March 2025.

The regulators recognise that mapping and scenario testing are ongoing and dynamic processes; in-scope firms are not expected to have performed these to the full extent of sophistication by 31 March 2022, but their approach should evolve over time. In-scope firms should also prioritise their implementation with the ultimate goal of delivering the outcomes of the policy.

What do they require?

The proposals share a common overarching approach to operational resilience, which, broadly, requires in-scope firms to:

What's changed since the initial consultations?

Respondents asked for clarity and the regulators have made some relevant amendments, in particular to improve consistency between the FCA's and PRA's supervisory approach. For example, the definition of "impact tolerance" has been harmonised, with confirmation that dual-regulated firms will need two impact tolerance statements. Both regulators expect that time will be the primary metric for measuring impact tolerance, but the scope is open for in-scope firms to use additional metrics in their resilience planning.

Additional provisions have also been added to clarify the expectations where in-scope firms rely on third-party service providers for the delivery of an important business service. For example, in such cases the FCA expects in-scope firms to have a sufficient understanding of the people, processes, technology, facilities and information that support the third-party provider's delivery of those services; this is likely to increase compliance arrangements and information exchange between in-scope firms and key vendors.

How do the final papers fit with the EU's proposals on digital operational resilience?

The UK operational resilience framework shares similarities with the EU's proposals (known colloquially as DORA, see our article here), such as a focus on governance and risk management, testing, and overall resilience. However, whereas DORA focuses on ICT risk, the UK regulators' approach is very much led by the in-scope firms' own important business services and the underlying processes, people and technology supporting them (including but not limited to ICT services).

Where there is overlap, the EU's proposals are more specific than the UK operational resilience framework, which grants wider flexibility to firms in how they implement the policy in line with its objectives. For example, on testing, Article 23 of DORA sets out specific requirements for advanced threat-led penetration testing (TLPT) of ICT systems by certain firms, with further regulatory technical standards to specify details of the testing requirements. By contrast, the UK approach grants wider flexibility in how testing is conducted, leaving it to firms to assess the best way to implement the policy.

Opportunities for the industry and service providers?

The requirements may also present opportunities for the industry, in particular for Fintech and Regtech firms to help support operational resilience through effective technology (as highlighted in the recent Kalifa Review). This might include advisory and reporting services, helping in-scope firms improve communication channels, or helping build redundancies within networks to make them more resilient to disruption.

Third-party vendors that support in-scope firms with their important business services should anticipate customers approaching them with further compliance and contractual requirements, including in relation to testing assistance, recovery time objectives, and continuity planning in case worst-case scenarios happen.

Whilst responsibility for operational resilience rests solely with in-scope firms, third-party vendors will need to work with in-scope firms as part of their mapping, testing and contingency planning; enabling customers to meet their operational resilience requirements may therefore offer a competitive advantage over other providers.

Help is at hand

If you would like to discuss any of the above points, please get in touch with one of the team.
