PS21/3 Building operational resilience

Open discussion: DP18/4
05/07/2018
Discussion closes
05/10/2018
Open consultation: CP19/32
05/12/2019
Consultation closes
01/10/2020
Policy statement
29/03/2021
29/03/2021

We've set out our final rules and guidance on new requirements to strengthen operational resilience in the financial services sector.

Show PS21/3 (PDF)

Why we are changing our rules

In December 2019, we consulted – in CP19/32 – on proposed changes to how firms approach their operational resilience. We developed these proposals in partnership with the Bank of England – in its capacity of supervising financial market infrastructures (FMIs) – and the Prudential Regulation Authority (PRA) to improve the operational resilience of the UK financial sector.

We received 73 responses, most supporting our proposals. In some cases, respondents asked us to clarify how the rules would apply. In a small number of cases, respondents opposed our proposals or suggested changes to the proposed rules. 

To give firms more time and flexibility to meet mapping and scenario testing requirements, we have made changes to the policy position. See Chapters 4 and 5 of the Policy Statement.

In general, we have implemented our other proposals as consulted on, and have made amendments to reflect the feedback received. We set out the feedback and our response to it in the Policy Statement

Who this applies to

This affects:

  • banks
  • building societies
  • PRA-designated investment firms
  • insurers
  • Recognised Investment Exchanges
  • enhanced scope SM&CR firms
  • entities authorised and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011

This does not apply to EEA firms.

Background to the operational resilience consultation 

Ensuring the UK financial sector is operationally resilient is important for consumers, firms and financial markets. Operational disruptions can cause wide-reaching harm to consumers and pose a risk to market integrity, threaten the viability of firms and cause instability in the financial system. The disruption caused by coronavirus (Covid-19) has shown why it is critically important for firms to understand the services they provide and invest in their resilience. 

With the Bank and PRA, we have published a shared final policy summary on these requirements to strengthen operational resilience in the financial services sector.

Next steps

Our rules and guidance came into force on 31 March 2022.

As soon as possible after 31 March 2022, and by no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances. 

By 31 March 2022, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.

Page updates

: Information changed To reflect that our rules and guidance came into force on 31 March 2022
: Information added Operational resilience webinar

25/06/2020: Information added June 2020 update

17/03/2020: Information changed Consultation closing date extended