CP19/32: Building operational resilience: impact tolerances for important business services

Open discussion: DP18/4
05/07/2018
Discussion closes
05/10/2018
Open consultation: CP19/32
05/12/2019
05/12/2019
Consultation closes
01/10/2020

The Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have published a shared policy summary and co-ordinated consultation papers (CPs) on new requirements to strengthen operational resilience in the financial services sector.

Show CP19/32 (PDF)

Why we are consulting

We published a discussion paper on operational resilience in July 2018. We said that our aim is to increase firms’ investment in operational resilience where they provide important products and services, and that building operational resilience is in the public interest.

We are now consulting on new requirements on the firms we supervise to help strengthen operational resilience. We describe operational resilience as an outcome: the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions. 

We want firms to consider the impact of disruption which can come in many forms. For example, technology failures, cyber-related and other operational incidents, including those outside of a firm’s control, can all have an impact on the people and businesses (and financial markets) that rely on their products and business services.

Operational disruptions and the unavailability of important business services that firms provide, have the potential to cause wide-reaching harm to consumers and market integrity, threaten the viability of firms and cause instability in the financial system.

What we are proposing

We propose firms:

  • identify their important business services that if disrupted could cause harm to their consumers (retail and wholesale) or market integrity
  • set impact tolerances for each important business service (i.e. thresholds for maximum tolerable disruption to help achieve consumer protection and market integrity)
  • identify and document the people, processes, technology, facilities and information that support their important business services (mapping)
  • test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios
  • conduct lessons learnt exercises to identify, prioritise, and invest in their ability to respond and recover from disruptions as effectively as possible
  • develop internal and external communications plans for when important business services are disrupted

Our proposals are not intended to conflict with or supersede existing requirements to manage operational risk or business continuity planning, but rather aim to set new requirements that enhance operational resilience.

Delivering operational resilience requires firms to take decisive and effective actions, for example by replacing outdated or weak infrastructure, increasing systems’ capacity or addressing key person dependencies.

By addressing resilience gaps, and building resilience, we believe firms will become more capable of supplying their most important business services even during severe operational disruption. 

We are not proposing changes to the rules and guidance on outsourcing or third-party service provision. We reiterate our expectation that all firms remain responsible for the management of their outsourcing and third-party relationships. In an increasingly complex and fast changing business environment, we want the delivery of important business services by firms to be able to prevent, adapt, respond, recover and learn from disruptive operational incidents. To achieve this outcome, firms need to consider their dependency on services supplied by third-parties and the resilience of these third-party services. This includes those third-parties typically outside the regulatory perimeter, where firms retain responsibility for the delivery of their regulated services, including any dependency on the third-party service provider.

Who this applies to

This consultation affects:

  • banks
  • building societies
  • PRA-designated investment firms
  • Solvency II firms
  • Recognised Investment Exchanges
  • FCA Enhanced scope SM&CR firms
  • entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011

This CP does not apply to EEA firms.

June 2020 update

In March 2020, we announced an extension to the FCA consultation until 1 October 2020. It is planned that firms and FMIs will not need to meet requirements resulting from the consultations before the end of 2021. While operational resilience remains a top priority for the FCA, PRA and the Bank, the later publication date and implementation timetable are intended to alleviate burden on firms and FMIs in the wake of the Covid-19 outbreak.

Respond to our consultation

We want to know what you think of our proposals. Please send your comments by 1 October 2020.

Online response form

You can also:

  • email your responses to [email protected] or
  • write to: Governance & Professionalism Policy, Strategy & Competition, Financial Conduct Authority, 12 Endeavour Square, London, E20 1JN

Page updates

25/06/2020: Information added June 2020 update
17/03/2020: Information changed Consultation closing date extended