Operational Resilience: What The FCA Expects From Your Firm
From 31 March 2022, banks, building societies, PRA-designated investment firms, insurers and enhanced scope SM&CR firms will have to comply with the Financial Conduct Authority’s new operational resilience rules. The requirements have been designed to guide firms to better prevent, adapt, respond to, and recover from operational disruptions, which in turn should minimise potential harms to consumers.
While existing FCA rules already oblige firms to work to high standards of operational resilience, the regulator's argument was that the existing regime contained weaknesses that had allowed disruptions to occur, and it is keen to ensure that more major disruptions are caught and mitigated to protect consumers from further harm. As a result, the new rules require firms to put in place measures that allow them to continue providing key services to consumers during a severe but plausible disruption.
Firms that the operational resilience requirements apply to will need to:
Identify important business services that, if disrupted, could cause harm to consumers or market integrity
Map key people, processes, technology, facilities and information that support the firm’s important business services
Set impact tolerances; in other words, the thresholds for the maximum disruption that each important business service can manage
Test the ability to remain within impact tolerances. Testing scenarios must be severe but plausible
Conduct lessons learned exercises.
The FCA has confirmed that firms should define important business services as those whose disruption would affect customers; ancillary services and internal functions do not need to be included. What does need to be included is a clear, documented rationale for why each important business service has been designated as such, and why other services are not considered to fall under the ‘important business services’ designation. One way to achieve this is through data analysis: the FCA has stated that the firms doing well in working towards compliance with the rules are those that understand how many customers might be affected by disruption in each service, and how those customers might be harmed.
In identifying and mapping important business services, firms should ensure that the titles and descriptions of those services are clear enough for someone who is not directly involved in the business to understand what they are.
Other guidance helps to explain how the FCA expects firms to interpret the requirements in practice. The subject of impact tolerances has been widely discussed, and the FCA has clarified that some of the initial assumptions firms made are wrong. In particular, the FCA states that approaches to impact tolerances should start from the perspective of ensuring the tolerances are not breached, rather than focusing on what should happen if they are. Although post-breach approaches are important, the FCA's clarification shows that the new requirements represent a sea change in approach: proactive prevention should be the standard, and reactive action a backup rather than the default process.
In setting these tolerances, firms need to consider in some detail what ‘intolerable harm’ means for their customers. This activity should put customers first and foremost; standard internal objectives such as recovery time objectives (RTOs) are not suitable on their own. Instead, firms should consider the impact on the customer, the potential harms, and how easily the customer can recover from any issues that arise. Importantly, while this clearly includes the customer’s financial position, the FCA has clarified that it expects to see firms considering non-financial effects as well. A good starting point is to clearly define the term ‘harm’ as used in each scenario, and to document what the potential effects are.
Firms must make sure that their self-assessment document is readily available from the implementation date of 31 March 2022; the FCA has made clear that it will be getting in touch with firms from that date to understand how they have implemented the requirements.
We offer a number of online training courses that support operational resilience in your firm through preparing staff to understand and work within the FCA and other regulators’ rules and expectations.
Our Complaints Handling course provides all the skills needed to engage with the complainant, and to investigate, resolve and respond to complaints.
We also offer courses on the fair treatment of vulnerable customers, and a Data Protection and Information Security course which delivers the background to applicable legislation and how to avoid security breaches.
Our training is accessible online, so staff can complete the learning and assessment at their convenience. This is ideal for those who want to complete the course in their own time and return to it later to refresh their knowledge. Upon successful completion, a certificate is provided, allowing firms to track and record each user’s progress.
For large groups, we can offer a simplified enrolment service and pricing; simply email Robert.email@example.com.