We recently noted that the UK Financial Conduct Authority (FCA) published the outcome of a review into the factors that determine failure or success when implementing technology change in the financial services sector, and discussed the importance of this review for firms seeking to improve the operational resilience of their technology change management process.
On March 29, the FCA, Bank of England, and Prudential Regulation Authority (PRA) jointly issued a policy summary and a number of consultation papers on operational resilience in financial services, reaffirming the focus of these financial services supervising authorities on operational resilience.
These newly published documents include FCA Policy Statement PS21/3, which reflects and, where appropriate, incorporates the feedback received on the FCA's December 2019 consultation on proposed changes to how firms approach operational resilience, and which sets out the final rules that firms will be required to follow.
These final rules come into force on March 31, 2022, and will affect UK banks, building societies, designated investment firms, insurers, Recognised Investment Exchanges, enhanced scope senior managers’ and certification regime firms, and entities authorised or registered under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011.
The detail of the policy statement and the final rules themselves set out the processes that firms should follow to develop and improve their operational resilience:
- Identification of “important business services” as those services that, if disrupted, could cause either intolerable harm to consumers or risk to the integrity of the market. The list of important business services should be reviewed by firms on an annual basis, or in the event of a relevant change to the market or their particular business.
- Setting impact tolerances (measured using time/duration metrics) at the first point at which a disruption to an important business service would cause intolerable levels of harm to consumers or risk to market integrity. These impact tolerances should also be reviewed by firms on an annual basis, or in the event of a relevant change to the market or their particular business.
- Mapping people, processes, technology, facilities, and information necessary to deliver each of the important business services, enabling firms to identify and address potential vulnerabilities.
- Regularly testing the firm’s ability to remain within the impact tolerance to ensure that firms are better prepared for any potential real-life disruption.
- Preparing clear communication plans and a documented self-assessment, enabling firms to respond quickly to any disruption and to manage communications effectively during an operational incident.
By focusing on the above, the FCA’s expectation is that firms will have a clear picture of the resources that enable an important business service to function, the impact if any of these are disrupted, and a clear escalation path in the event of any disruption.
Impact on Outsourcing
The FCA is clear in the policy document that the ultimate responsibility for operational resilience lies with the financial services firm, irrespective of whether it is outsourcing any of the important business services. Firms should work together with their third-party providers to (1) monitor the relationships with outsourcing partners and all of the third-party providers within the chain; (2) set and remain within impact tolerances; (3) identify potential vulnerabilities and map whether these occur within a third party or further out in the outsourcing chain; and (4) facilitate testing, whether undertaken by the business or the outsourcing partner.
If firms cannot satisfy themselves that their third-party providers can support each of these activities, the FCA encourages firms to reconsider their outsourcing arrangements and make changes where necessary, although the final rules do not require financial services firms to include such provisions in their contracts with outsourcing partners. The message to third-party service providers is clear: financial services firms will expect them to support these activities, and a provider that cannot do so risks having the relationship terminated.
By March 31, 2022, financial services firms must have (1) identified their important business services; (2) set impact tolerances for the maximum tolerable disruption; and (3) identified any vulnerabilities in their operational resilience. Any mapping undertaken by that date need only be sophisticated enough to achieve items 1–3.
Firms will then have until March 31, 2025, to perform mapping and testing to ensure that they are able to remain within impact tolerances for each of the identified important business services.