Financial services firms in the UK face more regulatory risk in the wake of operational incidents. Now that the UK’s operational resilience regime applies in full, the door is open to more intensive supervision and potential regulatory enforcement when disruption strikes.
Three-year run-up
Most of the UK operational resilience regime has already been in effect for three years. The UK financial services regulators – the Financial Conduct Authority, Prudential Regulation Authority and Bank of England – have applied their rules to the different parts of the financial sector that they oversee since March 2022.
Recognising the amount of time that was needed to improve resilience to operational disruption, the regulators allowed a three-year transition for three critical aspects of the regime: mapping, testing and remaining within impact tolerances.
Better mapping and testing
The transition allowed firms to work on the sophistication of their mapping and testing processes.
Firms in the scope of the regime must map the people, processes, technology, facilities and information that support their delivery of important business services. They must also conduct scenario testing. Thanks to the transition, however, it is only now that these exercises must operate at their full level of sophistication.
Practice is over
The most important rule in the regime has now been switched on.
Firms must make sure that they can remain within impact tolerance for their important business services in the event of a severe but plausible disruption to their operations. Firms set their own impact tolerances, indicating the maximum level of disruption an important business service can withstand before intolerable harm occurs.
The transition allowed breathing space as firms got used to the new regime. From now on, the regime has “teeth”: failing to remain within tolerance limits would be a technical breach of a regulatory requirement.
Looking ahead
Passing this milestone means that both the UK regime and the EU's Digital Operational Resilience Act are now in effect. In general, this means that firms can move from implementation to ensuring the new standards are embedded in their day-to-day processes. But there are also more rules on the horizon.
The UK regulators have put forward additional rules for reporting operational incidents and third-party arrangements. These correspond to similar requirements under DORA. Watch our recent webinar for more: How DORA is impacting UK operational resilience rules.