The FCA has recently published its final set of rules designed to establish operational resilience as a central regulatory requirement for regulated financial services businesses. These rules are accompanied by the FCA’s responses to feedback solicited from businesses during a consultation process last year.
The new rules put forward by the UK’s Financial Conduct Authority (FCA) – developed in partnership with the Bank of England and the Prudential Regulation Authority – represent its latest efforts to ensure that the important business services offered by the UK’s financial services sector run with sufficient resilience to enable them to be delivered despite operational disruptions.
These regulatory authorities have, of course, been dealing with these issues for some time both at the established end of the market (in relation to systemically important firms generally) and as newer business models emerge (such as introducing requirements to better ensure the operational resilience of lending platforms).
History has demonstrated that disruptions to the financial sector and the unavailability of services have the potential to harm customers and detrimentally impact market integrity. Such risks – whether related to cyber, supply chain, technology, systems or governance – are ever-increasing. It is hoped that the implementation of the new operational resilience framework will mitigate this by enabling firms to “better prevent, adapt, respond to, recover and learn from operational disruptions.”
The regulatory guidance has followed the wider industry recognition that these risks cannot be wholly avoided; focus must be on guarding against disruption but also being well-placed to navigate it as smoothly as possible as and when these risks inevitably crystallise.
Under these rules, firms must be able to demonstrate that they embed resilience-by-design within their businesses. Like GDPR placing accountability for privacy at the core of its compliance requirements, these rules similarly require firms to take ownership of operational resilience in an end-to-end manner.
We know that a good number of firms have established and sophisticated risk management frameworks dealing with these types of issues, but there are no doubt another cohort that need to up their game.
Who do the rules apply to?
The FCA’s new rules will affect banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges (RIEs), enhanced scope senior managers and certification regime (SM&CR) firms and entities authorised or registered under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011.
What are ‘Important Business Services’?
The new operational framework will apply to important business services only and not to internal processes such as payroll (though they may be important for maintaining a firm’s operational resilience). In an effort to provide further clarity to businesses, the FCA has revised its definition of ‘important business service’ as follows:
“a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:
1. cause intolerable levels of harm to one or more of the firm’s clients; or
2. pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets.”
The intention is that the operational resilience framework will be flexible enough to enable firms to self-identify which of their services should be classed as important, whilst also enabling them to comply with the requirements of other regulatory regimes – such as the Basel Committee for Banking Supervision’s (BCBS’s) proposed Principles for Operational Resilience and the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04).
Firms are encouraged to take a holistic approach to identifying their important business services. As part of this, they should consider both the size and nature of their customer base. A disruption may, for instance, have the potential to impact upon only a small number of customers but may be classed as important by the business in question in light of other relevant factors. Moreover, these important business services should be clearly and individually identifiable. For example, accessing an online mortgage account and telephone mortgage banking are to be regarded as two separate services.
How would a firm go about setting its ‘Impact Tolerances’?
As well as identifying Important Business Services, firms are also required to assess how much each of those areas could be impacted by disruptive events before customers suffer.
In setting their impact tolerances, firms should have regard to the considerations provided by the FCA to help inform their judgements. Key amongst these is the (mandatory) time/duration metric for measuring a firm’s impact tolerances. The FCA is of the view that using time/duration as a mandatory metric will ensure that firms meet the requirement to set their impact tolerances at the point at which disruption would cause intolerable harm to customers or risk to market integrity. It is anticipated that this metric will also enable firms to plan adequately for those threats which are time-critical.
The FCA has advised that intolerable harm is harm from which customers cannot easily recover. To identify intolerable harm, firms should have regard to a variety of factors such as:
1. the number and types (such as vulnerability) of customers adversely affected, and nature of impact;
2. financial loss to customers;
3. impacts to market or consumer confidence; and
4. the spread of risks to their other business services, firms or the UK financial system.
Firms are expected to manage their businesses to ensure they can operate within tolerances at all times including during severe but plausible scenarios.
There is a one-year implementation period followed by a three-year transition period.
Starting now, firms are required to identify their important business services in anticipation of the FCA’s new rules coming into force on 31 March 2022. Firms must be able to remain within their impact tolerances as soon as reasonably practicable, but no later than three years after the rules come into effect.
After 31 March 2022, firms will need to review their important business services at least once a year, or whenever there is a material change to their business or the market in which they operate, so as to ensure that emerging vulnerabilities are not overlooked. A firm will be deemed to have undergone a ‘material change’ for these purposes where, for instance:
1. It begins to offer new activities;
2. It ceases to carry out an existing activity;
3. It begins outsourcing a service to a third-party service provider; and
4. It makes changes to an existing service in a way which alters that service’s scale and/or potential impact.
Further information regarding the operational resilience framework can be found here.