| Link(s): https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience |
Context
In December 2019 the FCA released CP19/32 which proposed changes to how firms approach their operational resilience. The consultation received 73 responses.
The disruption caused by coronavirus (Covid-19) has further outlined why it is critically important for firms to understand the services they provide and invest in their resilience.
The FCA has now issued its policy statement PS21/3 which outlines the final rules which come into force on 31st March 2022 and whilst these apply to enhanced scope firms it is considered that both core and limited scope firms should use the rules as guidance.
Key points to note
- In PS21/3, the FCA sets out its final rules and notes that it has:
- made changes to the policy position to provide firms with more time and flexibility to meet mapping and scenario testing requirements.
- clarified how the rules fit with the broader domestic and international regulatory landscape and other FCA policy initiatives, such as the treatment of vulnerable consumers.
- set out how it will further support firms in implementing the rules on operational resilience; and
- included more varied examples of how different types of firm might apply the proposals.
- High level view of key elements:
- Identification of business services – the FCA recognises that firms may find it helpful to identify all their business services before proceeding to identify which of these are ‘important’. However, the rules only require firms to identify their important business services for the purposes of operational resilience.
- Capturing internal processes – while internal processes (such as payroll) are important for maintaining a firm’s operational resilience, they do not ofthemselves constitute important business services. Instead, such processes which are necessary to the provision of important business services and should be captured by firms as part of their mapping exercises, where they identify and document the people, processes, technology, facilities, and information that support their important business services.
- Granularity and proportionality when identifying important business services – firms are best placed to identify which of their services should be classed as important business services in the context of their business models. Firms can identify important business services in the way they consider most appropriate and effective, but ultimately must comply with the new rules (SYSC 15A.2.1R–2R). Handbook guidance is available to help firms in identifying their important business services.
- Definition of important business services – The FCA has made a minor revision to the definition of ‘important business service’ to clarify that the definition only refers to ‘intolerable levels of harm’ to consumers and not to ‘intolerable levels of risk’ to market integrity. The definition is now: “a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:
- cause intolerable levels of harm to one or more of the firm’s clients; or
- pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets.”
- Reviewing important business services – Firms should, from 31st March 2021, begin identifying their important business services. Firms will need to have completed this exercise before the rules take effect, on 31st March 2022. After 31st March 2022, firms will then need to review their important business services at least annually, or whenever there is a material change to their business or the market in which they operate.
- Material changes – The FCA considers a ‘material change’, which would require a firm to review their important business services, to include:
- the firm beginning to carry out a new activity/ceasing to provide an existing activity, or
- the firm outsourcing a new/existing service to a third-party service provider, or
- changes to an existing service in terms of scale or potential impact
- The FCA will also require firms to set out impact tolerances which will include identifying intolerable harm. To identify intolerable harm firms ought to consider various factors including:
- the number and types (such as vulnerability) of consumers adversely affected, and nature of impact
- financial loss to consumers
- financial loss to the firm where this could harm the firm’s consumers, the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets
- the level of reputational damage where this could harm the firm’s consumers, the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets
- impacts to market or consumer confidence
- the spread of risks to their other business services, firms, or the UK financial system
- loss of functionality or access for consumers
Next actions
The rules and guidance will come into force on 31st March 2022. By 31st March 2022 firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption, and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.
As soon as possible after 31st March 2022, and no later than 31st March 2025, firms must have undertaken mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.