Operational regulatory changes: What the new FCA policy statement means for your business
When Covid-19 hit, the uncertainty which followed knocked the financial sector into a period of instability. Firms that paused their business lost out on revenue. Profits dropped. It was a challenging time, but valuable lessons were learnt. Namely, Covid-19 underlined the critical importance of investing in a robust operational resilience strategy.
In March 2022, the Financial Conduct Authority, Bank of England and Prudential Regulation Authority’s policy statement ‘PS21/3 Building operational resilience’ came into force. The final rules and guidance aim to strengthen operational resilience in the financial services sector by requiring firms to scrutinise their business services and consider the consequences if these were to be disrupted. Over the next three years, all financial services firms in the UK must stress test their key business services to check whether they can operate within an agreed impact tolerance.
Given the importance of identifying and addressing vulnerabilities in a service provision before a disruption can occur, firms must complete a detailed mapping process to make the necessary investments to stay within their tolerances. All of this must happen before the end of the transitional period in 2025 – otherwise, firms risk falling into non-compliance at great financial and reputational cost.
Expect the unexpected
Impact tolerance means the maximum tolerable level of disruption that a business service can withstand before the customer is unacceptably affected. If a banking platform goes down, for example, this would qualify as intolerable harm to the customer: they can’t access their money, and their direct debits aren’t paid.
To comply with the new policy statement, firms will need to produce a detailed self-assessment document that records every step of their review process, as well as proof of planned communications strategies in the event of a system failure. In addition, firms must start working inside their impact tolerances as soon as reasonably practicable – but no later than three years after the rules come into force on 31 March 2022.
But how to go about this?
Third-party consultants can be useful in assisting with the creation of a robust plan that is designed around each company’s unique business objectives. They look at the services provided and work out a bespoke definition of intolerable harm for each firm on a case-by-case basis. For instance, for some banks and building societies, it doesn’t matter too much if a banking app suddenly stops working at 3am. It’s an off-peak time for activity, and users can still access their money and log in online. Life goes on.
However, for other banks, a 3am shutdown could be disastrous. Perhaps that’s the time when all of their customers’ direct debits go through. If a customer’s payments are abruptly stopped, they could miss monetary commitments such as mortgage or loan repayments, potentially affecting their credit score and jeopardising their trust in the lender. Financial firms affected by the new policy statement must be willing to probe their technical architecture for weak spots that could cause a disruption later down the line.
When a firm depends on a third-party provider to deliver important business services, it is the firm’s responsibility to work with the provider to establish and stay within impact tolerances. In the end, it is the firm’s responsibility to operate inside its impact tolerances, regardless of whether it outsources the delivery of important business services to an external partner.
Mapping and scenario testing
Compliant firms will need to develop a more complete understanding of their operational resilience. To achieve this goal, the FCA’s new policy statement proposes that firms should identify and document the people, processes, technology, facilities, and information resources necessary to deliver a business service. This process of mapping will enable firms to identify vulnerabilities and gain assurance that every key aspect of their service can operate within the agreed impact tolerance.
Another way of checking a firm’s resilience is chaos testing. This test introduces chaos into a dummy version of a business service to gather data, measure the impact on the customer, and prepare for the future. These rigorous tests help firms to assess the resilience, redundancy, scalability, and security of their core business services.
A firm could conduct these stress tests in-house, reach out to an external consultant, or draw insight from both. The point is the same. By carrying out these tests, firms will learn much more than just their threshold for risk and can make robust remediation plans for when things go wrong. This could involve a communications plan, a backup server, or a strategy for making good with affected customers.
The building operational resilience policy statement has wide-ranging implications for all UK financial firms. However, these changes can be managed if firms plan ahead. In a post-pandemic world, investing in operational resilience has rarely been more important than it is today.