The Financial Conduct Authority has announced that it will require 20,000 regulated companies to begin reporting on their financial (operational) resilience as part of its plan to minimise harm to customers.
In its business plan for 2023/24, published on April 5, the regulator said that in the next year it is planning to introduce a new “regulatory return” requiring solo-regulated financial services firms to provide a base level of information about their financial resilience. The firm-level Operational Resilience Framework came into force on 31 March 2022 for holders of a UK Electronic Money Licence, Small Electronic Money Institutions, UK Payment Institutions, Small Payment Institutions, Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs), banks, investment firms, insurers, and building societies.
The regulator stated that, while all firms will always carry a risk of failing, it would be inconsistent with its new secondary objective (to promote competitiveness in the sector) to seek to operate a “zero-failure” regime.
“Firms with weak financial resilience are more likely to fail,” the FCA confirmed. “Our job is to minimise the harm and loss to customers and markets when they do.”
The FCA said it wanted to make absolutely sure that firms are meeting their financial resource requirements so that they can conduct business, wind down, and even fail without causing harm to consumers and other market participants.
It also wants to be able to identify firms at risk of failure, and ensure the companies are able to rectify their weaknesses, wind down solvently or enter insolvency in a way that minimises harm to consumers and the wider market.
Nikhil Rathi, chief executive of the FCA, said: “We set out a bold vision last year of what we wanted the FCA to be, and we are well underway to achieving our objectives thanks to our talented colleagues and the better use of technology and data across our organisation.
“With many consumers across the UK struggling with the cost of living and markets events causing concern, we have put in place vital changes over the past few years which mean we’re better set up to face these challenges.”
Building Your Operational Resilience Framework
You should note that the FCA obliges firms to have a separate document, which you can call the FCA Operational Resilience Assessment, approved by the board of directors or equivalent management body.
Link: Operational Resilience PS21/3 https://www.fca.org.uk/publication/policy/ps21-3-operational-resilience.pdf
The FCA requires firms to have an assigned senior-level employee responsible for operational resilience. This employee needs to review the FCA Operational Resilience Assessment document at least yearly to improve existing standards or embed new standards of resilience. While you don’t have to submit this document to the FCA after preparing it, you will need to show it to the FCA upon request.
Step 1. Identify important business services for the purposes of operational resilience
According to the FCA’s operational resilience framework requirements, regulated firms must identify important business services in the context of their business models. To do this, you should make a list of all your services and identify those whose disruption, at any time, may cause harm to your clients that is impossible to tolerate, or may even harm the UK financial system as a whole.
To understand levels of harm to consumers that you cannot tolerate, you should think about what may happen to your consumers in the short term if the service is not available. For example, if you provide e-money services to consumers who use your firm as their primary payment service provider, the inaccessibility of the firm’s payment card may be pretty painful for them, while the inaccessibility of currency exchange service may not be that important for them.
When you do your assessment, you should also identify which segments of your customer base use each important business service, because it is critical to know whether one customer segment is more vulnerable than another. In a similar vein, you should consider which services’ disruption may pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.
Step 2. Understand how important business services can fail
In a nutshell, an important business service is not operational (i.e., it fails) when a customer cannot access it or use it correctly. To understand how a service can fail, you should list all the processes and points of failure applicable to a specific service. You should also identify the human, financial and information resources, and the technology, needed for the service to be operational.
For example, suppose you have identified that making payment transfers (e.g., GBP transfers via Faster Payments) is a business service that, if it fails, will cause intolerable harm to consumers. There are many ways this service may fail — some of them you can control, while others are not under your control. For instance, you may lose access to the API of the PSP that provides you with access to Faster Payments. If you are a digital-only payment service provider, another example is when your clients cannot access their payment accounts to make a payment order. If you have only a mobile app, your service is not operational whenever the mobile app (either the Android or the iOS app) is inaccessible, because the app is a single point of failure. But if you also have a functional web app, your payment transfer service may still be operational.
We know that, most likely, your mobile and web app are literally the same thing, and they will fail together.
Step 3. Set the impact tolerance level
You should identify the point at which an important business service failure would cause harm to consumers that cannot be tolerated or would hinder UK financial market integrity. In other words, you should determine how long you can tolerate the inoperability of a service. For instance, a PSP that does not offer a payment card service may consider that inaccessibility of its money transfer service for more than 6 hours causes intolerable harm to its customers, while a non-bank PSP offering a payment card service may consider that inaccessibility of its money transfer service for more than 24 hours significantly harms consumers.
FCA Operational Resilience Framework impact tolerance
To identify what constitutes intolerable harm to consumers, and therefore your impact tolerance, you should consider the number and types (e.g., vulnerable clients) of clients affected, their financial loss, the impact on their lives, the data affected, and your own financial and reputational losses (relevant if those losses could affect your ability to provide services or negatively affect the UK financial market).
Step 4. List procedures and measures to be taken to avert, adapt, and address business services failures
Once you have come up with various scenarios of how your important business service may fail, you must identify the measures you will take to prevent these scenarios from happening. You should also think about what measures you can take to adapt to the failure and fix it. You must also identify the human, financial and information resources, and the technology, needed to restore the service.
Don’t forget to make sure that your response and recovery scenarios correspond to reality. Our experience shows that only a firm that is prepared beforehand can effectively deal with service disruption. For example, in theory, if your money-transfer app is dysfunctional, you may take payment instructions over the phone. However, in practice, without training your employees beforehand on taking payment instructions via phone calls, they will not be able to do it during a service disruption.
One of the goals of the FCA Operational Resilience Framework Assessment is to make sure that your firm can always remain within its impact tolerance level. If your firm is audited by the FCA and the tolerance level for your money transfer service is 6 hours, you must show the FCA how you will make sure that a service failure will not affect consumers for more than 6 hours. Thus, you or a third party that you employ must test the scenarios and test your prevention, adaptation and problem resolution measures. Always remember that, according to the FCA Operational Resilience Framework policy statement, your resilience must be proven by practice, not by theory! Our experience shows that real-life simulations always uncover some unnoticed residual risks and resilience gaps that you can then fix.
When you provide your services through a third party (e.g., an EMD Agent), remember that you remain fully responsible for that third party and that your operational resilience planning must take this into account. Depending on your relationship with such third parties, you may oblige them to conduct their own FCA Operational Resilience Framework Assessment or include them in your firm’s assessment.
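Steps 1 to 4 amount to a mapping exercise: each important business service depends on a set of resources (third-party APIs, customer channels, teams), some resources have a redundant alternative and some are single points of failure, and each service carries an impact tolerance against which tested recovery times are compared. The following Python script is an added illustration of that mapping, not code from the FCA or from the original article; the service, resource names, scenarios, recovery times and the 6-hour tolerance are constructed sample values modelled on the Faster Payments and mobile/web app examples above.

```python
"""Constructed model of an operational-resilience mapping (Steps 1-4).

Resources are the people, technology and third parties a service depends on.
Each requirement group is an any-of group: the service stays operational while
at least one resource in every group is available, so a group with a single
member is a single point of failure (the "mobile app only" case in Step 2).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    requirements: tuple[tuple[str, ...], ...]  # any-of groups; every group must survive
    impact_tolerance_hours: float              # Step 3: longest outage you can tolerate


@dataclass(frozen=True)
class Scenario:
    name: str
    resources_lost: frozenset[str]
    recovery_hours: float  # time the tested recovery measure (Step 4) actually needs


def is_operational(service: Service, lost: frozenset[str]) -> bool:
    """Step 2: the service works only if every requirement group still has a resource."""
    return all(any(res not in lost for res in group) for group in service.requirements)


def single_points_of_failure(service: Service) -> list[str]:
    """Resources whose loss on its own takes the service down."""
    return sorted(group[0] for group in service.requirements if len(group) == 1)


def assess(service: Service, scenario: Scenario) -> dict:
    """Steps 3/4: is the service disrupted, and does recovery breach the tolerance?"""
    disrupted = not is_operational(service, scenario.resources_lost)
    breach = disrupted and scenario.recovery_hours > service.impact_tolerance_hours
    return {
        "service": service.name,
        "scenario": scenario.name,
        "disrupted": disrupted,
        "breach": breach,
        # how much of the tolerance window is left after recovery (None if not disrupted)
        "headroom_hours": (service.impact_tolerance_hours - scenario.recovery_hours)
        if disrupted else None,
    }


# Constructed sample data (assumed names, not from any real firm or the FCA).
FASTER_PAYMENTS = Service(
    name="GBP transfer via Faster Payments",
    requirements=(
        ("psp_fps_api",),            # sponsoring PSP's API: a single point of failure
        ("mobile_app", "web_app"),   # either customer channel is enough
        ("payments_ops_team",),      # people are resources too
    ),
    impact_tolerance_hours=6,        # the non-card PSP example from Step 3
)

SCENARIOS = [
    Scenario("PSP API outage", frozenset({"psp_fps_api"}), recovery_hours=8),
    Scenario("Mobile app unavailable", frozenset({"mobile_app"}), recovery_hours=12),
    Scenario("Both customer apps down", frozenset({"mobile_app", "web_app"}), recovery_hours=4),
]


def run_assessment(service: Service = FASTER_PAYMENTS,
                   scenarios: list[Scenario] = SCENARIOS) -> list[dict]:
    """Evaluate every scenario against one service; breaches are the gaps to fix."""
    return [assess(service, s) for s in scenarios]


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(FASTER_PAYMENTS))
    for result in run_assessment():
        print(result)
```

Run as a script it lists the two single points of failure and shows that only the PSP API outage breaches the 6-hour tolerance; losing the mobile app alone does not disrupt the service because the web app is a redundant channel, and losing both apps is disrupting but recoverable within tolerance. A firm would replace the recovery-time figures with values observed in the real-life simulations the text insists on, since a recovery time that was never exercised is exactly the "theory, not practice" the policy statement warns about.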
Step 5. Create a communication strategy
You must have internal and external communication strategies to respond quickly and effectively to reduce the harm caused by important business services failures. In case of an operational disruption, you must know whom you will contact and what channels you will use.
You should also have a call tree and a detailed escalation process. The FCA also recommends thinking beforehand about vulnerable customers and whether you may require special communication strategies to address vulnerable customers’ needs.
Step 6. Create a process that allows you to learn from failures and improve your FCA Operational Resilience Framework
Apart from testing your FCA Operational Resilience Framework, you should have a procedure in place to ensure that, after an operational risk materialises, you reassess the Framework, taking into account how your company was able to react to the disruption, and update it accordingly.
Step 7. Review your Operational Resilience Framework
You should review the Operational Resilience Framework you created at least annually to understand whether anything was missed and to account for changes in your business model. These may include the provision of new services, new software providers or other third-party providers to whom you outsource certain functions, significant changes to an existing service, or changes in the characteristics of your customers (e.g., during the last year you may have onboarded more vulnerable customers).