DP 18/4: Building the UK financial sector’s operational resilience

Open discussion: DP18/4
Discussion closes

On 5 July 2018, we published a Discussion Paper jointly with the Prudential Regulation Authority (PRA) and the Bank of England (Bank) about strengthening the operational resilience of financial services firms.

Show DP 18/4 (PDF)

Why we are issuing this discussion paper

Operational resilience failures pose a risk to the supply of vital services on which the real economy depends. They can also threaten the ongoing viability of firms and cause harm to consumers and market participants.

We highlight the risks posed by cyber-attacks and other disruptive operational incidents, and the financial system’s increasing reliance on and connectedness through technology and data.

In this complex and changing environment, we want firms to be able to withstand, absorb and recover from disruptive operational incidents. Firms should manage their responses to these incidents in a way which considers the needs of those affected, including customers.

This discussion paper is part of our ongoing collaboration and coordinated approach with the PRA and Bank aimed at strengthening firms’ operational resilience.

Firms are already subject to requirements for risk management and business continuity. This discussion paper reminds firms of existing requirements and introduces new ideas:

  • planning for disruptive events as well as seeking to prevent them
  • focusing on the wider impact of disruptive events, not just on restoring systems and processes
  • mapping products and services to underlying systems and processes
  • identifying the likely impact on customers and market participants and on the firm’s own viability
  • developing a more standardised and consistent approach to setting tolerance levels for disruption to key products and services (impact tolerance)

Who this applies to

We encourage responses from all types of FCA authorised and recognised entities, trade associations, and consumer bodies. We are also interested in hearing from individuals and businesses who use authorised and recognised entities’ business services and who may have suffered harm from disruptive events that have affected these services.

What you need to do

Please send your comments by 5 October 2018. The Bank will be coordinating responses.

To respond, email: [email protected]