Banks, insurers and enhanced-scope SMCR firms will have to comply with the operational resiliency requirements that come into force on 31 March 2022. I attended the FCA’s operational resilience webinar last week which explored key themes and observations from the FCA, as well as questions from attendees.
In summary, in-scope firms need to:
- identify their important business services (i.e. services provided to clients which if disrupted could cause intolerable levels of harm to one or more clients or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets);
- set impact tolerances (i.e. the maximum tolerable level of disruption to an important business service);
- undertake a mapping exercise (i.e. identify and document people, processes, technology, facilities and information necessary to deliver each of its important business services, including third parties providing outsourced services);
- develop a testing plan and undertake testing taking into account a number of different factors; and
- prepare a self-assessment document which the board/governing body must have approved by 31 March 2022.
Overarching FCA observations
The FCA said that firms were making good progress and that most firms have identified their important business services. The FCA identified the following key observations.
- Important business services should be services that impact consumers. Some firms have misunderstood the requirements and have included support functions, e.g. payroll, as important business services. The FCA was clear that internal functions are not important business services (although they may be included as part of a firm’s mapping exercise).
- The FCA wants to see detailed reasoning as to how a firm has determined its important business services. In particular, there should be a distinct rationale for each important business service and detailed methodologies/metrics are helpful to demonstrate the rationale. For example, some firms who demonstrate good progress have obtained metrics on the numbers of consumers that might be affected, the ability of consumers to go to an alternative provider, and the way in which consumers could be harmed.
- Important business services should be named appropriately so that it is clear on their face what service is being referred to and to ensure that a third party would understand what is meant by a reference to that service.
Impact tolerances: shift in focus from inward looking to outward looking
The FCA encouraged firms to change their approach to impact tolerances. Firms should focus on what they can do to avoid breaching their impact tolerances, rather than what happens if they are breached. This is a critical distinction and means that firms need to shift their focus from an inward-looking perspective to an outward-looking one.
In particular, firms need to consider in detail the point at which any further disruption to the important business service could cause intolerable harm to any one or more of the firm’s clients or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.
Firms need to think first of the impact on consumers and the market and consider at what point it would cause a consumer “intolerable harm” or pose a risk to the financial system/market. The FCA made it clear that “recovery time objectives” or “RTOs” were not appropriate to use as the metric as these are inward-looking and reflect an internal objective, rather than being outward-looking.
The FCA also wants firms to demonstrate their rationale in detail, including how and why they have set impact tolerances. By way of example, if the impact tolerance for an important business service is 12 hours, then what is happening at the 11th hour, and how has the firm determined that customers are not harmed at this point?
Key questions asked in the session
1. How can small companies implement these requirements with limited resources?
The FCA emphasised proportionality. In particular, the rule in SYSC 15A.3.2 says that the requirement to have in place sound, effective and comprehensive strategies, processes and systems to enable it to comply with its obligations must be “comprehensive and proportionate to the nature, scale and complexity of the firm’s activities”.
In addition, the mapping process is intended to be an iterative process over the next three years, and firms can spread costs. However, the FCA made it clear that small firms do need to make an investment to ensure that these operational resilience requirements are complied with.
2. How will the FCA supervise these requirements after 1 April 2022?
The FCA stated that it will be reaching out to firms for feedback on how they have implemented, or are implementing, the requirements. In particular, the self-assessment document must be available on request from 31 March 2022.
The FCA also mentioned that it is possible that in the future it may expect self-assessment documents to be included as part of the application pack needed for an FCA authorisation application.
3. What is the FCA’s plan to deal with concentration risk?
There is increased reliance on critical third parties and the concentration on a small number of providers could pose a threat to financial stability.
The FCA acknowledged that it is likely that additional policy measures will be needed. The FCA is developing its thinking on these measures and particularly on the definition of “critical or important” functions. We should expect to hear more from the FCA on this later this year.
4. How far along the supply chain should firms assess operational resilience risk?
Mapping must be done on service providers (including critical or important functions that are outsourced). It is critical that firms understand risks across their chain of suppliers. Firms must do appropriate testing and mapping across all processes to ensure they remain within their impact tolerances at all times.
It is worth noting that the PRA and FCA requirements on outsourcing (including on cloud outsourcing) and the EBA outsourcing guidelines should be seen as supplementing the operational resilience requirements, although there is an overlap in some areas.
5. Can the FCA provide guidance on intolerable levels of customer harm?
This will vary from firm to firm and across different sectors and business models. The FCA does not provide a precise definition, but intolerable levels of customer harm constitute harm from which consumers cannot easily recover – for example, where a firm struggles to put the consumer back into the correct financial position post-disruption. It is also acknowledged that there can be non-financial impacts too that cannot be remediated. However, it should be more than an inconvenience and must relate to actual harm.
6. How is the FCA working with other regulators to ensure consistency across major financial jurisdictions?
The FCA’s view is that its principles are aligned with most regulators of major financial jurisdictions. Whilst there will be differences in the way in which rules are implemented, the FCA considers that the outcomes of the rules are aligned to other regulatory bodies.
The FCA made the point that operational resilience is not a new topic. Many major financial jurisdictions have rules contributing to resilience, for example, around business continuity and disaster recovery.
7. How should firms notify the FCA of a breach of an impact tolerance?
There are no special arrangements as a result of these requirements. The firm should go through their normal well-established breach notification channels.
We are increasingly being asked by clients for input into their operational resilience work as we come up to the 31 March 2022 deadline. In particular, firms want guidance as to whether their self-assessment document is aligned to market standard and the FCA’s expectations. This is of course a new area and different firms are taking different approaches, but we can help in reviewing self-assessment documents to ensure they are aligned with the approach which other firms of a similar size are taking.
Firms are also increasingly concerned about the definition of “critical or important” or “material” outsourcings and how they oversee their supply chain generally. This, again, is not a new area but is of increasing concern and interest from the regulators. Although internal support functions may not be customer-facing, and as such may not constitute an important business service, it is critical that firms consider their supply chain as part of their operational resilience requirements and particularly as part of their mapping exercises.