UK PSPs Ready Themselves For Outcomes-Focused Operational Resilience Rules

March 19, 2025
The UK’s financial services industry is bracing for new enhanced operational resilience rules that will mean being better prepared for outages and disruptions.

From the end of March, financial services firms, including payments and e-money institutions, but also banks and insurers, will be required to be able to operate within their established impact tolerances during severe but plausible disruptions.

To comply, firms need to identify important business services that, if disrupted, could significantly impact clients or the broader financial system.

They also need to establish impact tolerances, defining the maximum acceptable level of disruption for each critical service. 

Firms are being urged to enhance their preparedness, particularly for third-party disruptions, with the Financial Conduct Authority (FCA) suggesting that boards should have approved resilience measures long before the March deadline. 

The approaching deadline

“The FCA wants operational resilience to be embedded within firms' culture. That takes time and commitment from stakeholders across the business,” said Clare Reynolds, senior counsel at Taylor Wessing. 

Reynolds added that with the March deadline “fast approaching”, it is necessary for firms to give their boards “sufficient rationale to properly understand the approach taken and have their plans approved”.

Greg James, senior manager at FScom, said that these new rules mean firms must assess acceptable levels of disruption for these important business functions, and prove they can stay within this tolerance. 

“To achieve this, firms need to examine interdependencies, including any critical third parties, identify vulnerabilities, and demonstrate how they will be mitigated,” he said.

“This must then be tested through scenario testing, to ensure the conclusions drawn are accurate,” he added. “Ultimately, firms must be able to evidence compliance and remain within their impact tolerances.”

According to Reynolds, as things stand, although many firms do have their operational resilience plans and documentation in place, they are not yet testing or developing those plans to the maturity the FCA expects. 

“For example, a recovery plan needs to be exercised and tested so a firm can properly understand whether they can remain within their impact tolerances or not, and identify relevant response plans in the event of disruption,” she said.

Reynolds added that risks also need to be reviewed and refreshed regularly as new threats emerge. “Operational resilience is not a ‘one and done’ check box.”

Pain points and adaptation

According to James, a “fair few pain points remain, with some firms struggling to comply”.

“Typically, fintechs are confident in their technology and have technical resilience measures in place. However, they often fall short in the areas in between,” he said. 

James added that the challenge is not always technology: “It can be key individuals, processes, third parties, or a lack of documented rationale. It can be the seemingly basic areas that firms overlook, such as crisis communication, like who to contact and how do you get in contact with them.”

Max Savoie, a partner at Sidley Austin, suggested that for firms that have not already done so, “there is no substitute for reading the rules and the accompanying ‘insights for firms’ published by the FCA”. 

He suggested that reading the key information “tends to quickly dispel common myths like a UK firm being able to just copy what its EU affiliate did to comply with DORA or that only a ‘tick box’ exercise is required”. 

“Once that’s understood by relevant internal stakeholders, it is worth spending some time considering which of a firm’s services fall within scope and how to determine appropriate impact tolerances,” he said. 

Savoie joked that comparing the FCA operational resilience rules, at 13 pages long, with the EU’s Digital Operational Resilience Act (DORA), which runs to hundreds of pages if all the secondary legislation is included, “is a bit like comparing a wheel to a car”. 

“DORA is a broad package of reforms, including detailed rules on governance, risk management, incident detection and reporting, resilience testing, oversight and management of ICT third-party service providers, and the designation of certain ICT service providers for direct regulatory supervision based on their criticality,” he said. 

Savoie acknowledged that the UK does cover most of these themes, but that it does so in “a more selective manner”, with separate regimes for matters such as the direct regulation of critical third parties. 

“Even in those areas where the FCA rules overlap with DORA, which includes things like risk management and resilience testing, the rules are quite different when you get into the detail,” he said.

He went on to explain that the focus needs to be on identifying and documenting the people, processes, technology, facilities and information necessary to deliver each important business service, and on designing and implementing a plan to test impact tolerances against severe but plausible disruptions. 

“This all needs to be written down. It’s not enough to just have a few meetings and point to existing policies that have not been tailored to comply with the new rules.”

Ultimately, although firms can and should leverage some of their DORA implementation planning for their UK regulated entities, Savoie cautioned that it is a “dangerous fallacy” to assume that having prepared for DORA means that a firm will be prepared for the FCA rules. 

“Firms should at least do a proper gap analysis before drawing any conclusions about their ability to rely on existing policies and procedures.”
