Operational resilience should be at the forefront of the minds of UK-regulated entities (Firm(s)) given the imminent end to the transitional period for compliance with the Financial Conduct Authority’s (FCA) policy statement Building Operational Resilience (PS21/3) and the Prudential Regulation Authority’s (PRA) Supervisory Statement Operational resilience: Impact tolerances for important business services (SS1/21) quickly approaching. In particular, in-scope Firms, including banks, non-bank payment service providers (including payment institutions and electronic money institutions), building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, and Enhanced Scope Senior Managers and Certification Regime firms will, by no later than March 31, 2025, need to have:
- performed mapping and scenario testing (including for cyber-related disruptions) of important business services so that they can remain within impact tolerances for each important business service; and
- made the necessary investments to enable the Firm to operate consistently within its impact tolerances.
An important business service is a service provided by a Firm, or by another person on behalf of a Firm, to one or more clients of a Firm which, if disrupted, could: (i) cause intolerable levels of harm to any one or more of a Firm’s clients; or (ii) pose a risk to the soundness, stability or resilience of the UK financial system, or the orderly operation of the financial markets. Alongside this, an impact tolerance reflects the first point at which a disruption to an important business service would cause intolerable levels of harm to consumers or risk to market integrity. The PRA and FCA (together the UK Regulators) also expect Firms to identify a proportionate number of important group business services and respective impact tolerances at the level of the group.
The cross-functional nature of operational resilience and the interplay with other key programs (such as business continuity and disaster recovery) will require Firms to carefully consider how best to ensure their important business services remain within their defined impact tolerances.
In its Dear CEO letter on 2024 priorities for supervision of UK Deposit Takers, insurers and international banks, the PRA notes that it “expects Boards and senior management to actively oversee the delivery of their firm’s operational resilience programme.” The FCA has also made it clear that it is scaling up efforts to deal with Firms who cannot meet the new FCA standards on operational resilience (see the FCA Business Plan 2023-2024). In particular, the individual(s) holding the Chief Operations function (SMF 24) will need to ensure that adequate systems and controls are in place to comply with the operational resilience requirements (including PS21/3 and SS1/21), as failure to comply could result in the issuance of disciplinary measures or sanctions on a Firm or individual(s) (such as the SMF 24) by the UK Regulators.
While the end of the transitional period for PS21/3 and SS1/21 nears, the UK Regulators’ recent joint consultation paper, Operational resilience: Critical third parties to the UK financial sector (CP26/23), has sent a strong signal to the financial services industry that operational resilience remains a supervisory priority and that the landscape will continue to expand and evolve. The Financial Services and Markets Act 2023 granted the UK Regulators and HM Treasury powers to designate a service provider as a critical third party (CTP) by reference to: (i) the materiality of the service(s) which the third party provides to Firms and financial market infrastructures (FMIs), including payment systems in relation to essential activities, services or operations; and (ii) the concentration in terms of the number and type of Firms and FMIs to which the third party provides its service(s). CP26/23 proposes to broaden the criterion to include whether a failure in, or disruption to, the service(s) that a third party provides to Firms and FMIs could threaten the stability of, or confidence in, the UK financial system and market integrity or consumer protection.
CP26/23 is intended to address the systemic risk that CTPs present to Firms and FMIs by requiring CTPs that provide essential technology and other services to Firms to strengthen their operational resilience framework.
Under the proposals in CP26/23, CTPs will need to:
- meet the minimum resilience standards in respect of any material services that they are providing to Firms;
- comply with a set of six “Fundamental Rules” that will apply to all the services a CTP provides, including having effective risk strategies and dealing with the UK Regulators in an open and co-operative way; and
- comply with eight “Operational Risk and Resilience Requirements” that will apply to a CTP’s material services, such as the requirement to appropriately manage incidents that may adversely affect, or may reasonably be expected to adversely affect, the delivery of a material service.
There will also be a new phased approach to notifications in relation to incidents affecting CTP services, such as those that impact the availability, authenticity, integrity, or confidentiality of assets. A CTP will need to provide the initial notification without undue delay to the relevant Firms, FMIs, and regulator(s) after the CTP is aware that the relevant incident has occurred.
The proposed regime for CTPs is also designed to be interoperable with the EU’s Digital Operational Resilience Act (DORA) and the U.S. Bank Service Company Act, which highlights the increasing focus on improving operational resilience at an international level.
The consultation period for CP26/23 closes on March 15, 2024. Firms should consider responding to CP26/23, either directly or through a trade association. The UK Regulators also intend to publish a “CTP approach document” setting out how they will conduct their oversight roles as well as statements of policy on the use of disciplinary powers (in relation to CTPs).
Next Steps for Firms
In light of the evolving landscape, Firms need to take proactive steps to ensure ongoing compliance with operational resilience requirements (including PS21/3 and SS1/21), including:
- considering whether to respond to the CP26/23, either directly or through a trade association;
- ensuring operational resilience policies and procedures are up to date as well as tried and tested;
- monitoring and considering the impact of key changes on the horizon (such as CP26/23);
- preparing for a potential challenge on compliance with new standards in force and on the horizon by conducting a gap analysis of existing policies and procedures; and
- engaging with service providers, where appropriate, to assess whether they could be considered CTPs and, if so, ensuring that relevant contractual obligations are included in agreements with potential CTPs, as required.
Consideration should also be given by Firms as to whether they fall within scope of the EU’s DORA - applicable in full from January 2025 - which establishes cybersecurity requirements for information and communication technology systems supporting the business processes of Firms (and certain other financial entities not covered under the FCA’s rules on operational resilience). Whilst there is a degree of overlap in terms of the requirements set out in each, they are not entirely aligned, to the extent Firms do fall within scope of DORA, a review of the relevant requirements should be undertaken.
Thank you to Rhea Misra, trainee in Sidley's Insurance practice, for her significant contribution to this Sidley Update.
Attorney Advertising—Sidley Austin LLP is a global law firm. Our addresses and contact information can be found at www.sidley.com/en/locations/offices.
Sidley provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP