On 29 March 2021, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) published their final policy statements on operational resilience, following their consultation papers issued in December 2019. The new rules will come into effect on 31 March 2022, giving firms a one-year implementation period to comply with the new requirements.
Firms will also be granted a 3-year transition window to March 2025, beyond which they should remain within their impact tolerances. This means that while firms must be compliant with the rules by 31 March 2022, there is no expectation that all vulnerabilities will have been remedied by that time. The expectation is that firms should be able to remain within their impact tolerances as soon as reasonably practical.
In this month’s newsletter, we summarise the key points made in the policy statements.
Both regulators outline that firms will be required to comply with the following by the implementation date:
- Identify the important business services whose disruption could particularly impact the regulators’ objectives
- Set impact tolerances for each of their important business services
- Begin testing to identify weaknesses in their operational resilience environment
The PRA noted in their policy statement that to comply with the rules, firms should contact their supervisors to agree on their plans for meeting the policy requirements.
For the FCA, its policy statement notes that it has:
- Made changes to the policy position to provide firms with more time and flexibility to meet mapping and scenario testing requirements
- Clarified how the rules fit with the broader domestic and international regulatory landscape and other FCA policy initiatives, such as the treatment of vulnerable consumers
- Set out how it will further support firms in implementing the rules on operational resilience
- Included more varied examples of how different types of firm might apply the proposals
We expect GRC professionals to work on the following as part of implementation:
- Carry out regulatory change assessments to design an operational resilience programme
- Assess governance, accountability, committee structure and reporting lines
- Conduct independent assurance reviews
- Identify any deficiencies in areas such as technology, outsourcing, and third-party resilience