Initiatives for operational resilience help businesses with risk appetite and risk tolerance, preparing them for any disruptions to the delivery of their products and/or services to stakeholders. The FCA (Financial Conduct Authority) has recently published a press release setting out their final rules and guidance on new requirements to help companies in the UK financial services sector to strengthen their operational resilience. Negotiations for these requirements began in December 2019. The FCA developed their proposals with the Bank of England and Prudential Regulation Authority (PRA). To help our customers understand what the new FCA consultation on operational resilience means, we have outlined some of the basic principles in our blog today. Here they are:
Who Will This Apply To?
The FCA consultation will impact any businesses in the UK financial services sector. This includes banks, insurers, building societies, recognised investment exchanges, enhanced scope SM&CR firms, PRA-designated investment firms, and any business entities that are authorised and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011. These new requirements do not apply to EEA (European Economic Area) firms. The FCA is optimistic that their proposed changes will positively impact financial services providers in the long term.
What Are the Changes?
Important Business Services
For starters, the FCA proposes that firms should identify their important business services at least once per year or whenever there is a relevant change to their business or market. Each business service should be clearly identifiable, not presented in a collection.
Next, the FCA proposes that firms should set their impact tolerances at the first point at which disruption to one of their important business services would cause intolerable harm to consumers or risk market integrity. They suggest using metrics (such as time/duration) to measure their impact tolerances.
Regarding transactional agreements for firms to execute and meet the newly proposed requirements, the FCA said that businesses would have a 1-year implementation period. In addition to this, firms would need to demonstrate 3 years later that they can remain within their impact tolerances.
Mapping and Scenario Testing
The FCA also outlines the importance of mapping and scenario testing. They suggested that financial firms should identify and document all the people, processes, technology, information, resources, and facilities that they need to deliver their important business services. This could help companies to pinpoint their vulnerabilities and keep them within impact tolerances. The FCA proposes that firms should conduct testing to ensure this, too.
Finally, the FCA proposes that firms should have internal and external communication strategies in place to reduce harm to stakeholders in the case of an operational disruption. Internal communication strategies should include escalation paths, whilst external communication strategies should consider how to provide important warnings/advice to customers. The FCA suggests that firms create a self-assessment document that demonstrates how exactly they have met operational resilience requirements. This document needs to be available upon request. It must also be regularly reviewed.
These are the main changes the FCA consultation on operational resilience has proposed for UK financial service providers. If you need any help with compliance or understanding the changes, don’t hesitate to contact Neopay today.