UK Operational Resilience In Times of Crisis: Matters to consider in the midst of the Coronavirus pandemic

Key action points

As will be apparent from the discussion below, when firms are deploying or implementing their business continuity and contingency plans to address the coronavirus crisis, it is more than a matter of simply complying with the specific contingency requirements under the FCA rules (and, for dual-regulated firms, the PRA rules). Other general and overarching requirements are also very much relevant. While the proposed new regime for operational resilience is still being consulted on, given the broad and often vague wording of the proposed rules (and of the existing requirements), it may also be desirable for firms at least to consider, now, the suggested direction of travel as demonstrated in the consultation document.

Failure to comply with a specific requirement may lead to a firm being considered in breach of a general requirement, e.g. a Threshold Condition (see below). The latter breach may have consequences far more serious.

Current requirements

Currently, “operational resilience” is not an expressly defined specific regime under the FCA rules. Instead, the concept of “operational resilience” is embedded in other requirements throughout the FCA Handbook including those specifically relating to business continuity and contingency planning. Such requirements can be categorised into three groups.

General Principles

Certain of the overarching “Principles for Business” in the FCA Handbook have a particular bearing. Principle 2 requires firms to conduct its business with due skill, care and diligence and Principle 3 requires firms to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.

Threshold Conditions

“Threshold Conditions” are those which a firm must meet before their application for authorisation can be granted and which the firm must continue meeting at all times throughout its life as an authorised firm. The conditions that are relevant in this context include CON 2.4 which requires firms to have appropriate resources and CON 2.7 which requires a firm’s business model to be suitable to its regulated activities.

Specific Rules

The Senior Management Arrangements, Systems and Controls sourcebook (SYSC) in the FCA Handbook contains specific requirements on business continuity and contingency planning such as the relevant requirements under SYSC 4. In addition, the outsourcing requirements under SYSC and the relevant guidelines issued by the European Banking Authority are also relevant in this context and may need to be taken into account as well.

Further, the requirements under the Senior Managers & Certification Regime (SM&CR) are also relevant. For example, the FCA has suggested that, while a firm does not need to designate a single SMF specifically responsible for its coronavirus response, a SMF (as deemed appropriate by the firm) should nonetheless be allocated such responsibility.

Firms subject to dual regulation by the FCA and the PRA also need to consider relevant rules made by the PRA. For example, UK banks that are subject to the ring-fencing regime may also need to consider the business continuity requirements under the PRA rules for that regime.

Finally, there are also sector-specific requirements: e.g. those under the Market Conduct sourcebook for multilateral trading facilities and organised trading facilities.

Future rules

The FCA and the PRA are consulting on a specific operational resilience regime (see e.g. the FCA consultation paper CP 19/32)¹. The consultation sets out a specific concept for “operational resilience” which means “the ability…to prevent, adapt, respond to, recover and learn from operational disruptions”. Under the proposed new regime which will apply to essentially all authorised firms, firms should focus more effort and resources on achieving the continuity of their important business services in the event of severe operational disruption, and not just on recovery of the underlying systems and processes. 

As a general summary, firms will be required to identify their “important business services” and map the successful delivery of such services to their underlying resources. Then firms must set an “impact tolerance” which is essentially the maximum duration of disruption that a firm can cope as regards an important business service before intolerable levels of harm will arise to consumers or market integrity. The FCA states that setting impact tolerances is intended to change the mindset of firms’ boards and senior management away from traditional risk management towards accepting that disruption to business services is inevitable, and needs to be managed actively.

The FCA and PRA largely leave the specificities of the new regime to the discretion of each firm (subject to general factors that the FCA/PRA have set out). So there may be a degree of uncertainty as regards what exactly a frim should to comply  (which, it seems, is not entirely unlike the current situation).

The FCA has made it clear² that the new regime is not about protecting the reputation of firms. It is about preventing operational incidents from impacting consumers, financial markets and UK financial system. The FCA has also noted³ that every SMF under the SM&CR requirements should know what they are responsible for under the new regime.

The consultation is initially scheduled to close in April. Now the FCA and the PRA have extended their respective consultation to 1 October. It would be a good opportunity for the industry to reflect their experiences in addressing the coronavirus crisis and to have its views (or revised views) heard by the regulators.

1. The PRA has a separate consultation paper CP29/19 on the same topic. The main proposals are set out in the FCA CP19/32 which is our focus in this Update.

2. See the speech of 5/12/2019 by Megan Butler, Executive Director of Supervision, FCA.

3. See footnote 2.