FCA Final Rules on Building Operational Resilience
The FCA has published its final rules on how firms should approach operational resilience. The rules aim to ensure that the financial sector is resilient and can prevent, adapt to, respond to and recover from operational disruption. The changes apply to banks, building societies, designated investment firms, insurers, RIEs, enhanced scope SM&CR firms and entities authorised or registered under the PSRs 2017 or the EMRs 2011.
The FCA argues that the coronavirus pandemic has highlighted why it is so important that firms understand the services they provide and invest in protecting themselves and their consumers from disruption. Aspects of the rules, such as the mapping of important business services, will, the FCA says, mean that should an event occur, the firm will already have a clear picture of the resources that each important business service needs in order to function.
In short, the new rules require each firm to:
Identify important business services
Identify and document the people, processes, technology, facilities and information necessary to deliver each of these services
Set an impact tolerance for each of its important business services
Develop a testing plan that shows how it can remain within the impact tolerance for each of its important business services
Carry out regular scenario testing to assess its ability to remain within the impact tolerances in the event of a ‘severe but plausible’ disruption
Where weaknesses have been identified, make the necessary improvements
Have effective and comprehensive strategies, processes and systems to enable it to comply with these obligations
Keep a written record of its assessment of compliance with these requirements, which its governing body must approve and regularly review
Provide clear, timely and relevant communications to stakeholders in the event of a disruption
In response to respondents' concerns, the FCA made some changes to the draft rules to allow more time and flexibility in meeting the mapping and scenario testing requirements. Under the draft, firms were to be allowed a year-long implementation period after which the full rules would take effect. Instead, by the end of the implementation period on 31 March 2022 (the date on which the rules come into force), firms need only have carried out mapping and scenario testing to "a level of sophistication necessary to accurately identify their important business services, set impact tolerances and identify any vulnerabilities in their operational resilience". The 3-year transitional period that follows, after which firms will be expected to show that they can remain within their impact tolerances, is unchanged, with the final date for this phase being 31 March 2025.
The first step is the identification of important business services. The FCA defines these as 'services which, if disrupted, could potentially cause intolerable harm to the consumers of the firm's services or risk to market integrity'. There is some scope for interpretation here, and what this means in practice will depend on the size and type of business. However, an important business service should be clearly identifiable as a separate service, not as a collection of services. The FCA has confirmed that firms are best placed to identify which of their business services are important, based on their business models, but the identification must be justifiable and must take into account 'intolerable levels of harm' to one or more of the firm's clients and 'risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets'.
The publication highlights the importance of understanding the components of important business services. For the mapping exercise, further guidance is provided on what the Regulator means by ‘people, processes, technology, facilities and information’:
People – firms need to understand which people are responsible for their processes and technology and for implementing and monitoring controls. This covers senior management accountability as well as knowing who is responsible for training and education, hiring practices, personnel succession planning, and so on
Processes – ‘a structured set of activities designed to produce a specific output’. The ability to define which processes are responsible for delivering which outputs is key to the mapping exercise
Technology – the underlying systems and architecture to support the provision of the service
Facilities – office locations, printing facilities, mailing, credit card production and client communications
Information – any data, feeds or material that is required by a firm to deliver a service.
For affected firms, the rules and guidance come into force on 31 March 2022. From that date, firms must be able to remain within their impact tolerances as soon as reasonably practicable, and in any case no later than 31 March 2025.
We offer a number of online training courses that support operational resilience in your firm by preparing staff to understand and work within the FCA's and other regulators' rules and expectations. Our Complaints Handling course provides the skills needed to engage with the complainant and to investigate, resolve and respond to complaints. We also offer courses on the fair treatment of vulnerable customers, and our Data Protection and Information Security course covers the applicable legislation and how to avoid security breaches. Our Understanding Data Protection Regulation courses come in two versions, one for front-line staff and one for senior staff.
Our training is delivered online, so staff can complete the learning and assessment at their convenience, which is ideal for those who want to complete the course in their own time and return to it later to refresh their knowledge. Priced at £15 per user, each course provides a certificate upon successful completion, allowing firms to track and record each user's progress. For large groups we can offer a simplified enrolment service and pricing; simply email Robert.firstname.lastname@example.org.