
Final rules and guidance on operational resilience

  • United Kingdom
  • Financial services disputes and investigations
  • Financial services

29-03-2021

The Bank of England, PRA and FCA announced today the publication of their final rules and guidance on operational resilience for financial institutions and financial market infrastructures.  This follows an extended 18-month consultation with the industry on the proposed rules.  The final rules include changes in response to feedback received from firms and industry bodies.  Most of these changes involve tweaks to the original proposals published in December 2019, including amending key definitions and providing further examples that will assist in understanding how the rules apply.  Helpfully, for firms already dealing with the extended disruption caused by the pandemic, there has been a key shift of emphasis in the regulatory expectations for the first phase of work firms will be required to undertake to achieve compliance. 

Specifically, the regulators have concluded it would be appropriate to give firms more time and flexibility around how they perform mapping and scenario testing. During the implementation period which runs to 31 March 2022, firms will only need to carry out mapping and scenario testing to a level of sophistication necessary to accurately identify their important business services, set impact tolerances and identify any vulnerabilities in their operational resilience.  That said, the FCA says firms should not wait until the end of the 3-year transitional period to be able to remain within their impact tolerances, but rather remain within them as soon as reasonably practicable within the 3-year period. The 3-year period is a hard deadline. A firm that is not making reasonable effort to remain within its impact tolerances during the 3-year period will be in breach of the FCA’s rules.

The new rules are designed to ensure financial firms and market infrastructures are better prepared to deliver and maintain ‘important’ business services in the face of a significant disruption event (such as a cyber-attack or a major IT failure). Financial institutions are expected to map the services they deliver and identify those which are most important. They are also expected to define risk tolerances and test their ability to respond to and recover from a range of severe but plausible events. Regulators expect these services to be delivered (or quickly restored), no matter the cause of the disruption: this applies to firms (large or small) controlling access to capital for millions of consumer and business customers, as well as the firms which form part of the underlying fabric (or “plumbing”) of the UK financial services ecosystem.

Firms will now have until 31 March 2022 to complete the first phase of changes to their internal structures and external arrangements in order to meet regulatory expectations and take the first step towards compliance with the rules. There is then a hard stop date of 31 March 2025 for firms to achieve full compliance. In the interim, we expect both the PRA and FCA will proactively engage with firms, using a combination of informal supervisory dialogue and more formal information-gathering (e.g. unannounced reviews of a sample of firms), to monitor implementation of, and ultimately adherence to, the rules. Any firms found to be wanting in their arrangements could run the risk of formal regulatory action, ranging from the imposition of a skilled person’s review of their systems and controls through to the commencement of an investigation or enforcement where a firm is failing to meet regulatory expectations, particularly in the 3-year period leading up to the 2025 deadline.