The UK regulators’ new rules on Operational Resilience enter into force on 31 March 2022. Firms need to ensure that they have identified “important business services” and set “impact tolerances” for those important business services by the deadline, as well as ensuring they have processes to comply with the other requirements under these new regimes.
The background
In March 2021, both the PRA and the FCA issued statements setting out new rules for certain firms in relation to operational resilience (PRA SS1/21 and FCA PS21/3 respectively). The new rules require firms to:
- identify important business services (broadly, services provided by the firm to clients, the disruption of which could cause intolerable harm to: consumers; market integrity; the firm’s safety or soundness; or financial stability); and
- set impact tolerances for those important business services (broadly, an impact tolerance is the maximum tolerable level of disruption to an important business service as measured by length of time and any other relevant metrics).
There are also rules aimed at ensuring firms can consistently remain within their impact tolerances.
What firms need to do now?
Under both the PRA and FCA regimes, the deadline for identifying important business services and setting impact tolerances for those important business services is 31 March 2022. Firms should therefore be well underway with their projects to meet these requirements or else commence them as a priority.
Dual-regulated firms that are subject to both regimes will need to ensure that this exercise takes account of the regulators’ different objectives when setting impact tolerances. The FCA and PRA define the term “impact tolerance” differently, with the FCA’s definition focusing on consumer harm and the PRA’s definition focusing on prudential soundness.
Whilst impact tolerances set under each regime may often be aligned, firms will need to ensure they understand where they differ and that they are able to effectively monitor and deal with any potential breaches of those separate impact tolerances where this is the case
Next steps
Under both regimes, firms have a three year transitional period from 31 March 2022 to 31 March 2025 to take the necessary steps to be able to stay consistently within impact tolerances for all important business services. However, the regulators’ expectation is that firms will take steps to do this as soon as possible after 31 March 2022 rather than waiting until the end of the transitional period.
In order to meet this requirement, firms will need to undertake exercises to map the people, systems, and services that underpin important business services (including any third party suppliers on which firms rely for the performance of important business services). Firms will also need to undertake regular scenario testing to ensure that they can remain within impact tolerances and will need to conduct “lessons learned” exercises following any tests to understand the changes that need to be made in order to improve their ability to remain within impact tolerances.
In addition, firms should give thought to whether their contractual arrangements with service providers involved in the performance of important business services are sufficiently robust to ensure compliance with the new rules and remediate these if required.
[View source.]