In December 2019, the FCA consulted in its consultation paper CP19/32 on proposed changes to how firms approach their operational resilience. These proposals had been developed in partnership with the Bank of England, in its capacity of supervising financial market infrastructures, and the Prudential Regulation Authority, to improve the operational resilience of the UK financial sector.
In general, the FCA has implemented the proposals as consulted and has made amendments to reflect the feedback received. It has set out the feedback and its response in Policy Statement PS 21/3. With the Bank of England and the PRA, the FCA has published a shared final policy summary on these requirements to strengthen operational resilience in the financial services sector. The rules and guidance will come into force on 31 March 2022. This affects:
By 31 March 2022, firms in scope of the Policy Statement must have identified their important business services (these are services which, if disrupted, could potentially cause intolerable harm to the consumers of the firm’s services or risk to market integrity), set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience. This process should begin now.
As soon as possible after 31 March 2022, and no later than 31 March 2025, these firms must have performed mapping and testing so that they are able to remain within their impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.
Firms authorised within the three-year transitional period up to March 2025 will be expected to use the time up to the three-year deadline to show they can remain within their impact tolerances.
Firms should have internal and external communication strategies in place to respond quickly and effectively to reduce the harm caused by operational disruptions. As part of their external communications strategy, firms will need to consider how they would provide important warnings or advice to consumers and other stakeholders, including where there is no direct line of communication They should also compile a self-assessment document that shows how they meet the requirements. The document will not need to be submitted to the FCA, but it should be made available on request. Boards, or the firm’s management body, should review and approve the self-assessment document regularly.
If you’d like to know more about how we can help you with your operational resilience arrangements, or any other regulatory compliance issues, our expert team is here to help.
Contact us today on 0207 436 0630 or email info@thistleinitiatives.co.uk.