The FCA has provided a key update to its operational resilience protocol with the aim of reducing harm to consumers and wider markets, whilst providing the right level of service to customers in spite of the threats that the business might be facing. This FCA update will affect many regulated businesses, so it is key that all firms know how to implement it moving forward to ensure compliance by the deadline.
What does the FCA want?
The FCA wishes to stress the importance of providing the right customer service levels regardless of disruptions. After all, disruptions are inevitable for many firms. If these are not planned for and managed effectively, they could harm market integrity and threaten the viability of firms overall. This is a line of futureproofing to help the businesses help themselves and their customers.
The policy was initially launched in March 2021, with a deadline of the 31st of March, 2022 to ensure that compliance has been met. By this date, firms must have:
1. Identified their important business services (IBS)
Firms need to identify the key services that they provide to their customers and markets. These will not include the internal business services that then enable the rest of the business to operate, such as payroll. Identifying these IBS will require end-to-end mapping from an end-point perspective.
2. Set an impact tolerance for the IBS
Firms will need to establish what level of disruption the IBS can receive that will not cause any intolerable harm to their customers or risk to their markets.
3. Mapped and tested to a level of sophistication sufficient to identify vulnerabilities
With this FCA update, the regulator does not expect firms to map and test to full sophistication by the March 2022 deadline. However, they do expect mapping and testing to have gone ahead far enough to identify IBS, impact tolerances, and vulnerabilities across operations. At this point, a firm should have a clear idea of its operational resilience capacity.
4. Implemented learned lessons
Following the March 2022 deadline of the FCA update, the regulator expects its firms to analyse the lessons learnt from these exercises and implement them into internal and external communication plans.
5. Prepared a self-assessment document
The self-assessment document must be ready for the deadline of the 31st of March 2022. It should be a snapshot of the existing operational resilience of the firm on this date, and will be used by the FCA to assess progress.
The structure of this document has not been set by the FCA update, but it has been made clear that the points mentioned above all need to be contained within it. In addition to this, the document and the wider operational resilience protocols should be approved by the firm’s board or governing body. They will also be required to review the self-assessment on a regular basis.
The FCA has also set out the next major milestone as being in March 2025. The three-year period is referred to as the transitional period. Firms need to continue mapping and testing throughout this period to ensure that they can establish and meet their tolerances, whatever those might be.
The implementation of operational resilience so far
With this latest FCA update, the regulator has also provided a report on the changes that 25 high-impact firms made in the summer of 2021. These firms were able to confirm their IBS, their methods for identifying them, and the impact tolerances for each.
Some firms did try to include internal services such as payroll in their IBS, on the basis that the company would be affected if the service went down. However, the FCA has made it clear that IBS are services provided to external customers and must not include internal ones.
Another clear area of the FCA update was the need to provide sufficient rationale for the IBS. Firms cannot simply label a service as an IBS without a metric such as the ability of customers to get the service from a competitor, or the transaction volumes typically seen.
Though the FCA update came with limited feedback regarding impact tolerance, the regulator still had some key areas that it wanted firms to target. It is vital that firms prioritise the effect that impact will have on the customer and markets rather than that on the firm itself. This is a proactive exercise to help firms avoid ever breaching impact tolerance rather than focusing on how to recover. The FCA also wants to see why firms have chosen to set their tolerances to the level that they have, similar to what is expected for the IBS.
This is a clear issue of compliance that firms simply can’t ignore. A clear plan and understanding of tolerances and IBS is needed. Should your firm require guidance on how to respond following the FCA update and as the deadline approaches, contact our experts at Neopay today.