Operational resilience: UK policy statements set out new requirements for financial institutions
The FCA and PRA have unveiled final rules reflecting new operational resilience obligations, with initial milestones to be reached by March 2022.
On 29 March 2021, the FCA and PRA each published policy statements (PS21/3 and PS6/21) setting out their final rules on how regulated firms are to approach their operational resilience arrangements. These statements followed consultation papers issued in December 2019 (CP19/32 and CP29/19), as detailed in our previous blog post.
As anticipated in the consultation papers, the policy statements confirm changes which will be made to the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook, FCA Supervision Manual and PRA Rulebook. Firms in scope will be required to:
- identify and map important business services;
- set impact tolerances;
- conduct scenario testing;
- produce self-assessments; and
- ensure appropriate governance arrangements.
Firms will have until 31 March 2022 to identify and map important business services, set impact tolerances for disruptions to these services and commence a programme of scenario testing. Firms will then have until 31 March 2025 to implement strategies, processes, and systems that enable them to address risks to their ability to remain within their impact tolerance for each important business service in the event of a severe but plausible disruption.
The policy statements broadly track the approaches set out in the consultation papers. Key points addressed in the statements include the following:
- Business services: the authorities agree that the requirements focus on the delivery of services to external users. Internal services such as HR or payroll are unlikely in themselves to constitute in-scope services.
- Impact tolerances: the authorities agree that a "time-based metric" is the appropriate starting point for setting impact tolerances, though additional metrics may be used. Firms must also consider the impact of failure of other related important business services when setting impact tolerances.
- FCA/PRA alignment: changes have been made to certain definitions, e.g. of impact tolerances, to ensure that the FCA and PRA approaches are aligned.
- Principles-based approach: while the authorities have included more detailed examples of how the requirements might apply to different businesses, they have refrained from being overly specific with respect to areas such as business services, scenario testing and self-assessments. This flexibility is deliberate given the requirements relate to a large spectrum of firms.
- Proportionality: firms should adopt a proportionate approach when implementing requirements depending on the size, nature and complexity of the business.
- Senior managers: senior management must understand their firms’ key business services, operating model and impact tolerances. They are expected to take an active role in shaping the response to the forthcoming regulatory changes and to take responsibility for delivering the policy outcomes. Operational resilience is identified as falling within the remit of the SMF24 function (Chief Operating Officer).
- Cross-border: the UK authorities recognise that several international regulators are currently developing frameworks around operational resilience and acknowledge that standards may vary depending on jurisdiction. However, their view is that if principles are aligned, operational resilience should operate efficiently across borders.
While the authorities have allowed a reasonable length of time for firms to demonstrate their ability to remain within set impact tolerances, significant steps will need to have been completed by March 2022. These include mobilising a wide range of relevant stakeholders, identifying and then comprehensively mapping important business services, formulating appropriate impact tolerances, developing specific scenario testing plans and lessons learned exercises, and assessing existing governance frameworks.
These steps will need to be framed in the context of the new legal requirements and to be compatible with existing cyber, operational risk and crisis response processes. Firms in scope will also need to ensure that their arrangements take into consideration any other operational resilience requirements to which they might be subject, such as the new EU Digital Operational Resilience Act (see our previous blog post for further information in this respect).