Operational resilience deadline approaches for payments and e-money

It’s less than a month until the FCA’s new operational resilience requirements take effect for various types of firms, including all FCA authorised or registered payment service providers and electronic money institutions. 

This means that firms holding FCA permission for one or more regulated payment services, even if payments are not the main client product offering, will need to comply with the new rules from 31 March 2022.  

It is worth noting that, as well as inserting a new chapter (SYSC 15A) into the FCA Handbook, the regulator is taking the slightly unconventional approach of also using the Handbook glossary to introduce the new requirements. 

A potted history of operational resilience 

A lot has happened since July 2018 when the Bank of England, the PRA and the FCA jointly published a Discussion Paper setting out their approach for ‘Building the UK Financial Sector’s Operational Resilience’. In December of the following year, the three supervisory authorities released a set of consultation papers proposing how to put their approach into practice. Then, before the consultation period was due to close, the world plunged headlong into the Covid-19 pandemic. It wasn’t until March 2021 that the final rules were published by the FCA for implementation a year later. 

Whilst the pandemic may have pushed out the implementation timeline for the new operational resilience requirements, it also reinforced the importance that the regulators are placing on these requirements. 

Preparing for the first milestone 

The FCA’s new operational resilience rules and guidance will come into force on 31 March 2022 for all authorised or registered Payment Service Providers (PSPs) and Electronic Money Institutions (EMIs). Also in scope of the new requirements are banks, building societies, insurance companies, Recognised Investment Exchanges and significant investment firms. Given the significant variation in complexity and sophistication between these different types of firms, it is particularly important for PSPs and EMIs to understand how the operational resilience requirements apply in the context of their activities. 

What needs to be done? 

By the time the new rules come into force on 31 March 2022, firms will need to have completed a number of steps, including:

Identifying important business services  

These are services for which disruption presents an unacceptable risk to customers, the financial system or financial markets. Adopting the right approach for this identification process is key as it sets the foundation for building the firm’s operational resilience. Not all business services are necessarily important and, for firms undertaking both payments and non-payments related regulated activities, not all business services are in scope of the requirements.

Setting impact tolerances 

Impact tolerances need to be set for the maximum acceptable disruption to each important business service. As well as determining appropriate time limits, firms will need to consider additional relevant metrics and thresholds before intolerable harm could be caused.

Mapping important business services 

Initial mapping of each important business service to its supporting people, processes, technology, facilities and information must be carried out. 

Initial scenario testing  

Initial scenario testing should look at whether the firm can remain within the impact tolerances for each important business service. At this stage, firms need to have developed their mapping and scenario testing sufficiently to be able to identify any vulnerabilities in their operational resilience.

As a natural extension to the mapping exercise, firms need to assess their ability to remain within their impact tolerances under a range of severe yet plausible scenarios. Firms are then expected to undertake more detailed and comprehensive mapping and scenario testing exercises as part of their ongoing approach to maintaining operational resilience.  

Addressing vulnerabilities 

At this stage firms should consider how to address and manage any vulnerabilities in operational resilience. Remediation plans should be developed for addressing these operational resilience vulnerabilities. Firms also need to put strategies in place for responding to and recovering from disruptions to important business services. This will include internal and external communication plans as well as escalation mechanisms and management actions. 

Preparing self-assessment documentation

All of the above steps, including supporting rationale, should be captured within the firm’s self-assessment documentation. This self-assessment documentation needs to reflect the firm’s overall compliance with the operational resilience requirements. In addition to capturing the outputs of each of the above steps, the documentation also needs to describe the underlying methodologies used by the firm. Firms are required to keep their self-assessments up to date and make the documentation available to the FCA upon request.  

We can help 

We have developed a range of tools and support packages to help our clients meet the FCA’s operational resilience requirements. Please let us know if you would like to know more or need any other assistance at this stage. 
