FCA Operational Resilience Framework: 7 Crucial Steps to Comply
From 31 March 2022, firms holding a UK electronic money licence, small electronic money institutions, UK payment institutions, small payment institutions, payment initiation service providers (PISPs) and account information service providers (AISPs), together with banks, investment firms, insurers and building societies, are subject to the FCA Operational Resilience Framework requirements set out in the new chapter SYSC 15A of the FCA Handbook. Existing firms had to identify their important business services and set impact tolerances for their failure (Step 3 explains what an impact tolerance is) by 31 March 2022. After that date, they have three years, i.e. until 31 March 2025, to ensure that they can remain within their impact tolerances at all times. Firms applying for authorisation after 31 March 2022 should have their FCA Operational Resilience Framework Assessment ready when they submit the application, and they, too, have until 31 March 2025 to ensure they remain within their impact tolerances.
What is this article about? We created this article to help you comply with these requirements and become better able to prevent, adapt to, respond to, recover from and learn from operational disruptions.
How is this article structured? We broke down the FCA operational resilience framework requirements into seven simple steps you should follow to build a compliant framework and conduct a resilience assessment.
Why is understanding the FCA operational resilience framework crucial? You should read this article carefully if a) you have not yet complied with the FCA operational resilience framework requirements; b) you want to double-check whether you have done everything correctly; or c) you are applying for authorisation from the FCA. Note that the FCA obliges firms to maintain a separate written document, which you can call the FCA Operational Resilience Assessment (the FCA refers to it as a self-assessment), approved by the board of directors or equivalent governing body. The FCA also requires firms to assign a senior-level employee responsible for operational resilience. This person needs to review the FCA Operational Resilience Assessment document at least yearly, to improve existing standards or embed new standards of resilience. You do not have to submit this document to the FCA after preparing it, but you must be able to show it to the FCA on request.
Step 1. Identify important business services for the purposes of operational resilience
According to the FCA's operational resilience requirements, regulated firms must identify their important business services in the context of their own business model. To do this, list all the services you provide to external clients and identify those whose disruption you cannot allow, because it could cause intolerable harm to your clients or harm to the soundness, stability or resilience of the UK financial system as a whole.
To understand which level of harm to consumers is intolerable, think about what happens to your consumers in the short term if the service is unavailable. For example, if you provide e-money services to consumers who use your firm as their primary payment service provider, losing access to the firm's payment card may be very painful for them, while losing access to a currency exchange service may matter much less. When you carry out the assessment, also identify which part of your customer base uses each important business service, because some groups of customers (for example, vulnerable customers) are more exposed to harm from a disruption than others. In the same vein, consider which services, if disrupted, could pose a risk to the soundness, stability or resilience of the UK financial system or to the orderly operation of the financial markets.
Step 2. Understand how important business services can fail
In a nutshell, an important business service is not operational (i.e., it fails) when a customer cannot access it or use it correctly. To understand how a service can fail, list all the processes that deliver it and every point of failure along the way. You should also identify the people, information, financial resources and technology the service needs in order to operate; the FCA calls this exercise mapping, and it should also cover the facilities and third parties the service depends on.
For example, suppose you have identified that making payment transfers (e.g., GBP transfers via Faster Payments) is a business service whose failure would cause intolerable harm to consumers. There are many ways in which this service may fail, some of which you control and some of which you do not. For instance, you may lose access to the API of the PSP that gives you access to Faster Payments. If you are a digital-only payment service provider, another example is your clients being unable to log in to their payment accounts to place a payment order. If you only have a mobile app, your service stops being operational whenever the app (Android or iOS) is unavailable, because the app is a single point of failure. If you also have a working web app, your payment transfer service may still be operational even when the mobile app is down.
PS: we know that, most likely, your mobile and web apps share the same backend and will fail together. Still, these examples are only meant to illustrate what the FCA Operational Resilience Framework Assessment should look like.
Step 3. Set an impact tolerance for each important business service
You should identify the point at which the failure of an important business service would cause intolerable harm to consumers or threaten the integrity of the UK financial market. In practice, this means deciding how long you can tolerate the service being unavailable. For instance, a PSP that does not offer a payment card may decide that its money transfer service being inaccessible for more than 6 hours causes intolerable harm to its customers, while a non-bank PSP that also offers a payment card may set the tolerance for the same money transfer service at 24 hours, because its customers can still pay by card while transfers are down.
To identify what constitutes intolerable harm to consumers, and therefore where to set your impact tolerance, consider the number and types of clients affected (e.g., vulnerable clients), their financial loss, the impact on their lives and the data affected, as well as your own financial and reputational losses (relevant where those losses could affect your ability to provide services or negatively affect the UK financial market).
Step 4. List the procedures and measures you will take to prevent, adapt to and respond to failures of important business services
Once you have worked out the various scenarios in which your important business service may fail, you must identify the measures you will take to prevent these scenarios from occurring. You should also think about the measures you can take to adapt to a failure and to fix it, and identify the people, information, financial resources and technology needed to restore the service.
Make sure that your response and recovery scenarios correspond to reality. Our experience shows that only a firm that has prepared beforehand can deal with a service disruption effectively. For example, in theory, if your money transfer app is down, you may take payment instructions over the phone. In practice, however, unless you have trained your employees beforehand to take payment instructions by phone (and to verify the caller's identity while doing so, because a fallback channel must not become an easier route for fraud), they will not be able to do it during a disruption.
One of the goals of the FCA Operational Resilience Framework Assessment is to demonstrate that your firm can always remain within its impact tolerances. If the FCA reviews your firm and your tolerance for the money transfer service is 6 hours, you must show the FCA how you will ensure that a failure of that service does not affect consumers for more than 6 hours. That is why you, or a third party you engage, must test severe but plausible scenarios and test your prevention, adaptation and resolution measures against them. Always remember that, according to the FCA's operational resilience policy statement (PS21/3), your resilience must be proven in practice, not in theory. Our experience shows that realistic simulations always uncover residual risks and resilience gaps that went unnoticed, and that you can then fix.
Remember that when you provide your services through a third party (e.g., an EMD agent), you remain fully responsible for that third party's part of the service, and your operational resilience planning must take this into account. Depending on your relationship with such third parties, you can either oblige them to carry out their own FCA Operational Resilience Framework Assessment or include them in your firm's assessment.
Step 5. Create a communication strategy
You must have internal and external communication strategies so that you can respond quickly and effectively and reduce the harm caused by a failure of an important business service. In the event of an operational disruption, you must know whom you will contact and which channels you will use; you should also have a call tree and a detailed escalation process. The FCA also recommends thinking beforehand about vulnerable customers and whether you need a separate communication approach to address their needs.
Step 6. Create a process that allows you to learn from failures and improve your FCA Operational Resilience Framework
Apart from testing your FCA Operational Resilience Framework, you should have a procedure in place to ensure that, after an operational disruption occurs, you review how your firm was able to react to it, update the FCA Operational Resilience Framework Assessment with the lessons learned and improve the framework accordingly.
Step 7. Review your Operational Resilience Framework
Review the Operational Resilience Framework you have created at least annually, to check whether anything was missed and to account for changes in your business model, such as the provision of new services, new software providers or other third-party providers to which you outsource functions, significant changes to an existing service, or changes in the characteristics of your customers (e.g., you may have onboarded more vulnerable customers over the last year).
How PSP can help you with the FCA Operational Resilience Framework Assessment
We are a group of professionals focused on helping non-bank PSPs comply with regulatory requirements and develop their business. We have helped various PSPs with their FCA Operational Resilience Framework Assessments. Whether you are an established firm that needs a review of its FCA Operational Resilience Framework Assessment or a new player entering the market who needs help building a compliance framework, contact us.