Several categories of UK financial services firms, including banks, insurers, electronic money institutions, and payment institutions, are required to comply with new requirements on operational resilience beginning 31 March 2025.
The main requirements are set out in the UK Financial Conduct Authority (FCA) Policy Statement PS21/3 – “Building operational resilience,” which introduced rules forming part of the FCA Handbook of rules and guidance.[1]
Banks, insurers, and certain other firms that are authorised by the UK Prudential Regulation Authority (PRA) are also subject to the PRA Supervisory Statement SS1/21 – “Operational resilience: Impact tolerances for important business services,” which sets out PRA expectations of such firms.
Firms were given a transitional period to implement the new requirements by 31 March 2025. The FCA and PRA will expect firms to be fully compliant by that date.
What do firms need to do by 31 March 2025?
Firms within scope of the requirements must complete the following by 31 March 2025:
- Identify each “important business service” of the firm. This is defined as a service provided by the firm, or by another person on behalf of the firm, to one or more clients of the firm that, if disrupted, could (1) cause intolerable levels of harm to any one or more of the firm’s clients or (2) pose a risk to the soundness, stability, or resilience of the UK financial system or the orderly operation of the financial markets. The FCA has issued guidance setting out a non-exhaustive list of factors that a firm should consider in assessing whether a service is an important business service for these purposes.
- Set impact tolerances for each important business service. This is the maximum tolerable level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics, reflecting the point at which any further disruption to the important business service could cause intolerable harm to any one or more of the firm’s clients or pose a risk to the soundness, stability, or resilience of the UK financial system or the orderly operation of the financial markets.
- Complete mapping and scenario testing. Firms must identify and document the people, processes, technology, facilities, and information necessary to deliver each of their important business services. The mapping must be sufficient to allow the firm to identify vulnerabilities and remedy them as appropriate. Firms must also implement a testing plan detailing how the firm will remain within the impact tolerances for each of its important business services in the event of a severe but plausible disruption of its operations.
- Update internal policies and procedures. Firms are required to document various processes and assessments under the new rules, including written records of their assessment of their compliance with the requirements summarised above. Firms must ensure that their governing body approves and regularly reviews the applicable written records.
- Prepare a communication strategy. Firms must maintain an internal and external communication strategy to “act quickly and effectively to reduce the anticipated harm caused by operational disruptions.”
In May 2024, the FCA published its insights and observations on the preparation firms had made towards compliance with the new requirements. The FCA noted that firms should use these observations to review their proposed approach to compliance and assess their readiness. The FCA highlighted the following (among other feedback):
- Firms should consider all factors set out in the relevant FCA rules and guidance when identifying their important business services. A service should not be excluded by considering one factor alone and should be determined without reference to response or recovery capabilities.
- Firms should consider the interactions and interdependencies between their important business services and those of other firms (e.g., in relation to sub-contracting chains).
- It is the firm’s responsibility to remain within its impact tolerances, including where a third-party provider supports or delivers the relevant important business services.
- Relationships with relevant third parties should be actively managed so that the firm can be satisfied with their resilience.
- Testing of a third party’s resilience can be undertaken by the third party. However, the firm needs to be satisfied that the third party’s methodology, and the scenarios that are tested, are appropriate and sufficient for the firm’s requirements.
- The FCA expects remediation plans to be approved, fully funded, and appropriately governed to ensure delivery, with evidence at closure through repeated scenario tests to verify that the relevant vulnerability has been resolved.
- 31 March 2025 marks the end of the transition period, but the requirement to be operationally resilient is not a “once and done” activity or something that should be seen as “tick-box regulatory compliance.” Instead, this should be a way of working that is embedded into the firm’s culture.
Operational incident and outsourcing and third-party reporting
On 13 December 2024, the PRA and FCA published further consultation papers, “Operational resilience: Operational incident and outsourcing and third-party reporting” (PRA CP17/24) and “Operational Incident and Third-Party Reporting” (FCA CP24/28) respectively. These propose a framework for reporting operational incidents and for the notification and reporting of material third-party arrangements. Under the proposals, the PRA and FCA will expect firms to report incidents meeting certain thresholds even if these have not yet breached the impact tolerances of any affected important business service under the operational resilience rules. Further, where an operational incident disrupts the delivery of one or more important business services, firms would be required to disclose this when submitting an operational incident report.
Next steps for firms
Operational resilience is a complex and cross-functional challenge that requires firms to adopt a proactive approach.
Firms that are within scope of the new UK requirements should progress their preparations to ensure that they are able to comply with these by 31 March 2025. Firms should take into consideration the FCA’s published insights and observations on preparedness, as the FCA will likely consider that the market has been put on notice of these points and that it has given firms sufficient time to prepare.
As part of these preparations, as well as ongoing operational resilience reviews mandated under the new rules, firms should also consider:
- assessing their current state of operational resilience and identifying any gaps or areas for improvement (including ensuring that operational resilience policies and procedures are up to date);
- aligning their operational resilience approach with their existing risk management, business continuity, and recovery and resolution frameworks and ensuring that adequate resources, skills, and capabilities are in place to support operational resilience;
- reviewing and updating outsourcing agreements with third-party providers, and managing the operational resilience risks and obligations arising from such arrangements; and
- providing training and awareness on operational resilience to senior management, staff, and stakeholders.
Firms that operate or provide services in the EU should also consider whether they fall within scope of the EU Digital Operational Resilience Act (DORA), which applies from 17 January 2025. DORA establishes cybersecurity requirements for information and communication technology systems supporting the business processes of certain financial services firms. While there is a degree of overlap with the UK requirements discussed in this Update as well as certain other UK regulatory reforms,[2] the UK and EU regimes have diverged in various ways. As such, businesses that are subject to both regimes will need to complete separate scoping and implementation projects for each and adapt policies and procedures for relevant legal entities or branches accordingly.
[1] At chapter 15A of the Senior Management Arrangements, Systems, and Controls sourcebook, available here: https://www.handbook.fca.org.uk/handbook/SYSC/15A/?view=chapter
[2] Including the UK’s critical third-parties regime under the amended Financial Services and Markets Act 2000.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or used to create a lawyer-client relationship.