UK financial services in countdown to meet new rules for operational resilience
Published on 6th Mar 2025
Firms that are within scope must demonstrate compliance with the new regime by 31 March

The Financial Conduct Authority (FCA) introduced new rules and guidance on operational resilience at the end of March 2022, with a three-year transition period for certain types of UK financial services firms to implement the new requirements.
The FCA had previously set out, in its policy statement of March 2021, the main requirements with which in-scope firms – including banks, insurers, electronic money institutions and payment institutions – must comply.
The intention of the UK regulator's new regime is for firms to be better able to prevent, react to and recover from operational disruptions. With the three-year transition period ending on 31 March, what measures will in-scope firms need to have taken to ensure full compliance?
What to do to comply
Firms will need to have carried out a range of specific measures by 31 March 2025.
- Identify 'important business services'. These are services provided to clients by the firm (or by another person on behalf of the firm) that, if disrupted, could cause intolerable levels of harm to one or more of the firm’s clients or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.
- Set impact tolerances and keep these under review. An "impact tolerance" is the first point at which a disruption to an important business service would cause intolerable levels of harm to consumers or risk to market integrity.
- Perform initial mapping and testing of operational resilience. Firms must map out how they will deliver their important business services, detailing the people, processes, technology, facilities and information necessary to do so (this includes any relevant third-party relationships).
- Conduct scenario testing. Firms must detail how they will remain within their impact tolerances and identify severe but realistic scenarios that align with their risks and vulnerabilities. By gauging the point at which they are unable to remain within their impact tolerances, firms will be able to understand the full impact of any disruption and their resilience and remediation capabilities.
Firms are expected to have identified vulnerabilities during the testing phase. They will then need to have approved, implemented and fully funded a remediation plan to resolve each vulnerability. The FCA, following the CrowdStrike outage in 2024, noted that firms that had conducted detailed scenario testing were better able to respond to the incident.
- Build up communications, governance and self-assessment. Firms must maintain internal and external communications strategies to act quickly to reduce harms and to provide clients with clear and timely communications in the event of operational disruptions. They are expected to have pre-approved communication templates and up-to-date stakeholder contact details and to provide the FCA with timely incident notifications.
They should detail vulnerabilities, scenarios tested and remediation plans in a self-assessment that is regularly reviewed and approved by their governing body. The FCA noted that firms with communications plans were better able to return to business as usual and to minimise disruption after the CrowdStrike outage. These practices are expected to be integrated within firms' risk frameworks and culture from April 2025.
Operational incidents and third-party reporting
At the end of 2024, parallel consultation papers were published by the FCA, PRA and Bank of England proposing a new framework for reporting operational incidents and material third-party arrangements to bolster the existing operational resilience regime.
The proposals provide further clarity on how and when to inform the regulators of incidents, as well as assisting the regulators in obtaining information on important third-party suppliers. The consultations remain open for comment until 13 March.
Osborne Clarke comment
Operational resilience is an increasingly important and multi-faceted area for firms and – particularly in light of recent high-profile IT outage incidents – preventing these is a priority for the FCA.
As firms approach the 31 March deadline, they will likely have made good progress in their preparations. The FCA will expect firms to have identified vulnerabilities through testing, to be clear on an approach to remediation and to have conducted lessons learnt exercises to identify, prioritise and invest in quick and effective recovery from disruptions.
Firms must have documented every stage of their analysis, especially during the testing phase, in order to confirm any vulnerabilities identified and how these are to be mitigated. If vulnerabilities have not been identified, evidence of successful testing should be recorded – particularly if several rounds of testing have been undertaken.
Firms may benefit from reviewing the FCA's insights and observations, which provide guidance on whether a firm's current approach is likely to meet the regulator's expectations.
With the introduction of the rules now just weeks away, firms will want reasonable assurance that their methodologies are sufficient to meet the requirements of operational resilience. Senior management should have visibility of these so they are comfortable that these requirements will be met by 31 March.
Osborne Clarke works with firms across financial services, with particular experience of supporting them during regulatory change. We would be delighted to discuss the implications of any aspect of the new operational resilience regime on your business.
Flora Stafford, a trainee solicitor with Osborne Clarke, assisted with this Insight.