5 things to know about operational resilience rules in the UK
Operational resilience has now been firmly and clearly on the radar of UK financial regulators for a few years. In March 2021, the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England confirmed that new regulations will come into force on 31 March 2022.
Here are the 5 key things you need to know about the new rules and how they’ll impact enterprises operating in financial services:
1. Who will the new regulations apply to?
The new operational resilience rules will apply to a wide range of financial institutions, such as banks, investment firms, insurance companies, building societies, payment services providers and insurers.
It’s worth noting that companies that are regulated by both the FCA and the PRA may have to meet additional requirements to comply with the rules set by both bodies.
2. Identifying and mapping important business services and impact tolerances
By the time the new regulations come into force on 31 March 2022, financial services firms will have had to identify their important business services and set impact tolerances for the maximum tolerable disruption they can endure. They will also be expected to have started mapping disruption scenarios and developing testing programmes to ensure they meet those impact tolerances.
Within the following three years, financial firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service they have identified and made any necessary investments to enable them to operate reliably.
3. Putting processes and controls in place
In order to comply with the new regulations, firms must have effective and comprehensive processes and systems in place that are proportional to the scale and complexity of their business operations. Additionally, they will have to complete a self-assessment document which demonstrates how they meet the operational resilience requirements set by the rules.
Financial services firms will also be required to develop adequate testing programmes to test their ability to meet the established impact tolerances and take steps to mitigate the impact of any future operational disruptions.
4. The role of senior management & communication
Financial companies operating in the UK will need to either use existing roles or create new ones, where needed, to demonstrate clear accountability for the management of operational resilience within the business.
The board and senior management will be accountable for approving the list of important business services, the established impact tolerances and the information provided in the self-assessment document.
For enhanced firms, the SMF24 role – usually the chief officer in charge of operations – will continue to be personally responsible for operational resilience under the new regulations.
Financial services firms also need to have adequate internal and external communication strategies in place, to respond to the impact of operational disruption. These strategies must include guidance for communicating with vulnerable customers, as well as all other relevant stakeholders and their wider customer base.
5. What about third parties?
When working with third-party companies, financial firms will be accountable for mapping any relationships with an external provider and be aware of any operational vulnerabilities that may impact their ability to stay within their established impact tolerances.
In a nutshell, it is their responsibility to assure themselves of a third party’s operational resilience, and they will be solely responsible for remaining compliant with regulatory requirements.
Financial firms will have three years from the date the rules come into force to perform mapping and testing to guarantee they are able to remain within impact tolerances for each important business service they have identified, as well as made any necessary investments to enable them to operate reliably within those impact tolerances.
It’s worth noting that the definitions of important business services and impact tolerances set by the upcoming UK regulations are broadly the same as those used around the world, so similar requirements will most likely apply to financial services companies globally.
To learn more about how operational resilience guidance is shaping financial services in the UK and beyond, read our whitepaper.