.svg)
With 2026 set to be a critical transition year for payments, it is vital to ensure operational resilience is about more than completing a compliance checklist.
For payments organisations, operational resilience has long been a crucial topic, given the potential impact of outages on firms’ reputations and the risk of subsequent enforcement activity.
The operational resilience Memorandum of Understanding (MoU) between the UK and the EU, signed in January 2026, underscores the issue’s importance to regulators.
In addition, an October 2025 outage at Amazon Web Services (AWS) that disrupted several organisations, including Lloyds Banking Group, prompted the UK’s Treasury Select Committee to intervene.
Resilience was a notable theme of City & Financial Global’s Payments Regulation and Innovation Summit 2026, held in London in early February 2026.
In a keynote address, Sarah Breeden, the Bank of England’s (BoE) deputy governor for financial stability, noted that the UK Payments Vision Delivery Committee’s goal is “a resilient, fair, trusted, competitive payment system that supports a multi-money ecosystem”.
Breeden made clear that the central bank is committed to ensuring the availability of a multiplicity of payment options as a means of ensuring a resilient payment system.
This reflects concerns that UK consumers’ overreliance on cards creates significant concentration risk and can lead to major problems in the event of outages.
The BoE intends to promote increased competition and choice, including the adoption of digital assets and the long-term retention of cash.
This could lead to a system in which stablecoins, open banking, cards, cash, tokenised money, account-to-account (A2A payments) and central bank digital currencies (CBDCs) coexist, ensuring alternative options are available should one method experience failure.
A broader perspective
Also speaking at the summit, Anil Toraty, VP of risk strategy, supervisory and optimisation at Visa, argued that operational resilience is broadening from merely preventing incidents to ensuring continuous business operations even when events occur.
He added that organisations must think more holistically about the way the system works in order to be able to provide payment services for end users 24/7/365.
This could involve coordination and collaboration with other parties in the value chain to build a picture of threats and identify potential attacks as early as possible.
Justin Jacobs, Pay.UK’s chief policy and engagement officer, reminded the audience at the summit of the imperative to stay one step ahead of the criminals, particularly in relation to cyber attacks, which he noted are a more significant threat than ever.
This may mean the adoption of AI and other advanced tools, which can be valuable enablers of resilience, helping with early detection through capabilities such as pattern recognition for early detection. However, Toraty warned that technology is not a “silver bullet” and more comprehensive, end-to-end approaches are vital.
For compliance professionals, this means coordinating with colleagues across the ecosystem to share best practices and identify points of weakness that could be exploited by bad actors to take down systems.
A culture of resilience
A further area in which payment firms’ approach to operational resilience may need to evolve is that of culture.
Visa’s Toraty told the Summit that it is vital for organisations to develop a culture that surfaces bad news at the earliest possible point. This requires what he called a sense of “psychological safety” within the firm, where individuals at all levels feel empowered to speak up when they identify an issue or make a mistake.
When an incident occurs, it is crucial to act early, and organisations where employees are afraid or unwilling to flag problems and there is no habit of learning when things go wrong will be vulnerable to repeated failures.
Compliance teams should seek to build relationships throughout their organisations to ensure that colleagues from across the business feel comfortable asking questions and raising concerns.
This will increase firms’ resilience in the face of attack and reduce the impact of and fallout from incidents.
Third-party risk
A major industry concern in terms of operational resilience is concentration risk across third-party providers, especially niche ones.
Financial organisations often rely on a small number of third-party providers for core ICT services, meaning any failure can affect large parts of the banking and finance sector.
Firms may also struggle with a lack of visibility into sub-outsourcing arrangements and their relative priority among a provider’s client base. Just as it is important for organisations to identify issues quickly at the internal level, so they must be able to rely on partners acting swiftly to resolve issues.
Building clarity in these areas can significantly increase operational resilience and ensure that the impact of outages is minimised.
For compliance professionals, operational resilience is evolving into a dynamic, strategic imperative that must embrace a multi-money ecosystem.
The mandate is clear: firms should move beyond the checklist to proactively mitigate concentration risk in third-party reliance, foster a culture of psychological safety for early incident detection and ultimately secure a robust, continuously adaptable payment system for the critical transition ahead.
