The FCA’s final rules
On 29 March 2021, the Financial Conduct Authority (FCA) published final rules that will create a new operational resilience framework for banks, building societies, Solvency II firms, recognised investment exchanges, enhanced scope Senior Managers and Certification Regime firms, and those authorised or registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011.
The new rules will apply from 31 March 2022 and will require firms to identify important business services and set maximum impact tolerances. Further, firms will need to have identified weaknesses within their operational resilience arrangements. In order to give firms additional time to comply with the new rules, firms will be required to perform the mapping and testing exercise as soon as possible after 31 March 2022 and no later than 31 March 2025 so that they are able to remain within impact tolerances for each important business service.
The PRA’s final policy
The Prudential Regulation Authority (PRA) also published its final Policy Statement (PS) 6/21 alongside the FCA. This includes new Operational Resilience Parts of the PRA Rulebook and a new Supervisory Statement (SS), both of which are also effective from 31 March 2022. The policy implementation section in the SS sets out that firms must have identified their important business services and set impact tolerances by this date, as well as having a prioritised plan in place which sets out how they will comply with the operational resilience requirements. The PRA has made amendments to align its policy with that of the FCA overall. For example, the Operational Resilience Parts have been amended to further align definitions and requirements with those of the FCA.
Key requirements: the new operational resilience framework
The new rules require firms to implement the following key components in order to prevent, adapt to, respond to and learn from threats to and vulnerabilities in their operational resilience. Firms must:
- Identify important business services: Firms must identify key business services that if disrupted could cause harm to consumers or market integrity, pose a threat to the firm or threaten the stability of the financial system. The PRA has encouraged firms to show flexibility in identifying their important business services.
- Set impact tolerances for each key business service: In setting impact tolerances, firms will identify the maximum tolerable level of disruption to the firm and its consumers. Dual-regulated firms will need to identify two separate impact tolerances for their important business services if these are within the scope of both FCA and PRA policies; however, these may be set at the same point where appropriate.
- Maintain sound, effective and comprehensive processes, strategies and systems to support key business services: Firms should ensure that internal processes and procedures enable compliance with the requirements of the new operational resilience rules.
- Perform mapping: Firms will be required to identify the people, processes, technology, facilities and information resources that are necessary to deliver each of the key business services.
- Undertake scenario testing: Firms are required to undertake scenario testing that will enable the firm to establish whether it can remain within its impact tolerances. Firms are required to maintain and update a self-assessment document in order to assess compliance with this requirement and other regulatory requirements.
Additionally, firms’ governing bodies must approve and undertake regular reviews of the self-assessment and ‘lessons learned’ exercise. This self-assessment does not need to be submitted to the FCA, but must be available on request. The FCA expects active and regular engagement from the board and senior management – so it will be important to ensure that any decisions taken are properly documented and records are retained. This may require changes to be made to the statements of responsibility for certain senior managers, management information chains and audit trail systems.
Firms are required to review the operational resilience framework annually and, in the event of any material change to the firm’s business, to ensure the continued accuracy of the framework.
Next steps: preparation is key
Firms should act now to establish compliant operational frameworks. In preparation for 31 March 2022, firms need to consider the design and implementation of an operational resilience framework.
This will include:
- identifying and mapping important business services;
- drafting an impact tolerance framework;
- creating a scenario testing and lessons learned framework;
- preparing the self-assessment document;
- establishing an internal and external communication operational resilience strategy;
- updating the governance framework to take account of the new rules and carrying out any required training for board members and other relevant personnel;
- identifying risks associated with firms belonging to a group;
- taking steps to achieve legal risk control over the firm’s supply chain; and
- identifying adjustments to existing reliance and dependency structures (which may require amendments to supply contracts).