
Building operational resilience: Summary of the FCA final guidance PS21/3

01 April 2021

Background 

A key priority of the PRA and FCA (“the regulators”) and the Bank of England is to put in place a stronger regulatory framework to promote the operational resilience of firms and financial market infrastructures (FMI). On 29 March 2021 the regulators published their final guidance as set out in PRA PS6/21 and FCA PS21/3. This article focuses on the key changes in PS21/3.

Overview 

The final rules include changes made as a result of the 73 responses to the consultation paper, published in December 2019. The new rules make clear that any firm not making reasonable efforts to remain within its impact tolerances during the three-year embedding period will be in breach of the rules.

Who this applies to: 

The guidance applies to banks, building societies, designated investment firms, insurers, Recognised Investment Exchanges (RIEs), enhanced scope senior managers’ and certification regime (SM&CR) firms and entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017) or the Electronic Money Regulations 2011 (EMRs 2011). Core firms under SM&CR that are not in scope may want to familiarise themselves with the rules, given increased regulatory focus.

Summary of Key changes: 

Important Business Services

The FCA have revised the definition for an ‘important business service’. This means a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could: 

  1. Cause intolerable levels of harm to one or more of the firm’s clients
  2. Pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets

Firms will then need to review their important business services at least annually, or whenever there is a material change to their business or the market in which they operate. Guidance on a material change can be found within the paper. 

Impact Tolerance 

Firms must be able to remain within their impact tolerances as soon as reasonably practicable, but no later than 3 years after the rules come into effect on 31 March 2022. Guidance on a material change can be found within PS21/3 (page 12).

The final guidance expects firms, when setting individual impact tolerances, to take into consideration central shared services (i.e. IT-related services) and the failure of related important business services.

Further clarity is provided on page 17 to define what is meant by intolerable harm. The FCA have removed the reference to ‘intolerable levels of risk’ from the impact tolerance definition and instead refer to ‘risk’. This aligns with the PRA’s proposed approach.

Mapping 

Additional guidance on mapping is included on page 29 of PS21/3. As part of the mapping exercise, firms must now consider any third-party or outsourcing relationship and accurately map these to the relevant people, processes, technology, facilities and information supporting important business services.

Where there is a material change to the firm’s business, the important business services identified and the impact tolerances should be assessed and updated within 1 year of the firm last carrying out the relevant assessment.

Scenario testing 

Firms were previously expected to test their ability to remain within their impact tolerances annually. The FCA now expect firms to undertake scenario testing where there is a material change to the firm and on a regular basis.

Communication 

Further clarity has been provided on communication strategies (page 39).

Please note: For dual-regulated firms, the position has been maintained that these firms should set up to 2 impact tolerances. This is to ensure that firms consider their impact tolerances in line with the statutory objectives of each authority.

Next Steps 

By 31 March 2022, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience. 

As soon as possible after 31 March 2022, and no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.

How BDO can assist

As experienced financial services and technology experts, we have the breadth and depth of expertise to assist firms in developing their resilience capabilities.