Impact tolerances for important business services

Home / FINANCIAL CRIME / Impact tolerances for important business services

On 5 December, the Bank of England (the Bank), in its capacity of supervising financial market infrastructures, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) published a shared policy summary and co-ordinated consultation papers (CPs) on new requirements to strengthen operational resilience in the financial services sector. Putting in place a stronger regulatory framework to promote operational resilience of firms and financial market infrastructures (FMIs) is a common priority for the 3 supervisors, and this follows up on a joint discussion paper in July 2018.

Operational resilience is defined as the ability of firms and FMIs to prevent, adapt, respond to, recover, and learn from operational disruptions.  

On the same day Megan Butler, Executive Director of Supervision: Investment, Wholesale, and Specialist at the FCA, delivered a speech about the FCA’s view on Operational Resilience. In her speech, Ms Butler summarises the content of the FCA CP19/32 and notes that, while the consultation period is running, the FCA will continue to engage with industry and the wider public on its proposals. It will remain a key focus for the FCA in the future.

The FCA proposes that firms:

  • Identify their important business services that, if disrupted, could cause intolerable harm to their consumers (retail and wholesale), or market integrity (e.g. soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets)
  • Set impact and disruption tolerances (defined as the maximum tolerable level and duration of disruption to an important business service) for each important business service so to help achieve consumer protection and market integrity
  • Identify and document the people, processes, technology, facilities, and information that support their important business services (mapping)
  • Test their ability to remain within their impact tolerances through a range of severe, but plausible, disruption scenarios – instead of waiting to happen to see if everything works as expected
  • Make investment choices that increase their ability to provide important business services, even when severe disruptive events happen
  • Conduct lessons learnt exercises to identify, prioritise, and invest in their ability to respond and recover from disruptions as effectively as possible
  • Develop internal and external communications plans for when important business services are disrupted

Thinking about operational resilience should be informed to and driven by the public interest: this means preventing operational incidents from impacting consumers, financial markets, and UK financial system. Andrew Bailey, FCA Chief Executive, said that “it is in the public interest that a resilient financial system is able to supply the most important services with minimal interruption even during severe operational events. The proposed new requirements are aimed at achieving this outcome.”

In its Business Plan 2019/20, the FCA identified operational resilience as a cross-sector priority. In the year to come, the FCA is planning to assess how effectively firms respond to cyber and technology resilience incidents. This includes considering how promptly firms notify the regulator (or any other relevant authorities) of incidents, and the quality of firms’ overall handling of incidents, including communication with customers and markets, and remedial actions.

The FCA will consider all the responses to the CP which are received by 3 April, and publish its final rules in a policy statement in the second half of 2020.

Why is this important to you?

The FCA made it clear that firms are expected to take ownership of their operational resilience and that they will need to prioritise plans and investment choices based on their impacts on the public interest. Whilst the CP is addressed to banks, PRA-designated investment firms, enhanced scope SM&CR firms, payment services providers and e-money institutions, other participants in the industry should watch this space and monitor which good practices the FCA expects to develop.

Ms Butler made it clear that, in case of a regulatory visit, the FCA would ask a Chair or a CEO what strategic decisions and investment choices they are making to build operational resilience, and to maintain the supply of important business services in the event of a major incident. Operational resilience is an area the FCA will pay close attention in supervising firms. Instead of considering this as a tick-box exercise, the FCA expects that firms have planned for the worst and are able to continue to deliver important business services when the worst does happen. Impact tolerance requires firms to think about services from the perspective of their consumers, as well as the wider UK financial system and financial markets.

Should you require any assistance in better understanding how regulatory requirements and expectations apply to your business, please do not hesitate to contact us.