FCA and PRA publish operational resilience materials

FCA and PRA have each published a number of documents addressed to firms across a range of sectors on the subject of operational resilience.

FCA and PRA have each issued policy statements (PS21/3 and PS6/21) which summarise the responses received to consultation papers CP19/32 and CP29/19 respectively. The policy statements also set out the changes FCA and PRA will be making to their respective handbooks as a result, including:

  • new definitions of “important business service” and “impact tolerance”;
  • an obligation on firms to identify their “important business services” as well as guidance to assist in this identification;
  • an obligation on firms to set an “impact tolerance” for each of their “important business services” and guidance on the factors to be considered when doing this;
  • a requirement that firms ensure that they can remain within these “impact tolerances” in the event of a severe but plausible disruption to their operations;
  • a requirement on firms to perform ‘mapping’ exercises to identify the people, processes, technology, facilities and information necessary to deliver each of their “important business services”;
  • a requirement on firms to both plan and carry out testing to ensure that they can remain within their “impact tolerances”; and
  • a requirement that firms ensure they have adequate governance and internal communications policies in place to ensure compliance with the rules on operational resilience.

PRA has also published a related policy statement on “Outsourcing and third party risk” which provides feedback on consultation paper CP30/19. The final policy adopted by PRA is designed to be aligned with FCA’s activity in this area and, while it covers broadly the same issues as recent EBA guidance, PRA has emphasised that UK firms no longer need to consider European Union regulators in respect of their UK operations. The statement covers:

  • PRA expectations in respect of firms’ management of third party arrangements which are not ‘outsourcing’;
  • guidance on whether cloud arrangements amount to ‘outsourcing’ and the concepts of ‘materiality’ and ‘proportionality’;
  • a restatement of PRA’s expectations of the role of a firm’s board as a collective as well as of the specific senior manager responsible for a firm’s outsourcing arrangements (SMF24);
  • PRA’s intention to consult on the establishment of an online portal that banks and insurers would need to populate with information on their outsourcing and third party arrangements to satisfy record keeping requirements;
  • a table of criteria firms should consider when determining the materiality of their outsourcing arrangements;
  • PRA’s notification requirements in respect of both “material outsourcing” arrangements and other third party arrangements;
  • how PRA’s rules apply to ‘sub-outsourcing’; and
  • PRA’s plans to give further consideration to the issue of systemic concentration risk.

Separately, the Bank of England has also issued policy statements addressing its specific operational resilience expectations of central counterparties, central securities depositories, and recognised payment system operators and specified service providers.

The rules introduced by each of these FCA, PRA and Bank of England policy statements come into effect on 31 March 2022.

Duncan Scott