UK’s operational resilience plans and how they impact fintech
No one in fintech can ignore the risk of technology outages, or the threat of increasingly sophisticated cyber-attacks. New rules from the UK regulators will push some financial services firms to prepare for disruption to their operations in a more exacting way. Even fintech firms outside the scope of the rules can expect more interest in how operationally resilient they are.
What has happened?
The Financial Conduct Authority and Bank of England have put the finishing touches to their operational resilience regimes. The final rules are largely unchanged from an earlier draft which we covered in our 2019 blogpost: Operational resilience: a new approach to managing cyber, tech and sourcing risk.
Who’s in scope?
Some, but not all, UK fintechs will need to apply the rules. In-scope firms include challenger banks, payment institutions, electronic money institutions and certain payment system operators. Other fintechs may be impacted indirectly (see more on this below).
What applies when?
The rules will start to apply from 31 March 2022. By this date, in-scope firms will need to have:
- identified their important business services,
- begun mapping what is needed to deliver those services,
- set impact tolerances for the maximum tolerable disruption to each of those services,
- developed a plan for testing whether they can remain within those impact tolerance levels, and
- made several documents recording compliance with the operational resilience requirements.
Our Linklaters podcast on operational resilience takes a closer look at the different aspects of the regime. For example, Episode 5 focuses on “important business services” and how to identify them.
A further requirement, to remain within impact tolerances for each important business service, will only apply in full from 31 March 2025. This three-year transition period also gives in-scope firms extra time to refine their scenario testing and mapping exercises.
What are the main challenges for fintechs?
The rules which prescribe new documentation and processes are likely to be the most burdensome aspects of the operational resilience regime for fintechs. For example:
- Governance: Senior management at fintech firms must oversee and approve their implementation of the regime on an ongoing basis. At a recent conference, Linklaters partners Julia Dixon and Pansy Wong shared their insights on Approaching the UK’s operational resilience reforms: How to ensure you do it once and do it right, drawing on their experience of helping firms get the right governance in place for regulatory change projects.
- Audit trails: Firms will need to record how they comply with the rules and make these records available to regulators on request. In several areas this includes explaining decisions that have been made when implementing the regime. For example, the firm must keep a record of not only the firm’s testing plan but also a justification for the plan it has adopted.
- Scenario testing: Firms are required to regularly test their ability to remain within impact tolerances in a range of “severe but plausible” scenarios. The rules require this testing to be followed by a “lessons learned exercise” to address weaknesses.
What’s happening elsewhere?
Looking ahead, another challenge could be managing different international resilience regimes. For example, the EU has drafted legislation on “digital operational resilience”, known as DORA, which is similar in some ways to the UK regime. Read our briefing on DORA for more on the EU’s plans.
Other jurisdictions are set to follow in their footsteps and build on international principles for operational resilience that have been set by the Basel Committee on Banking Supervision. Even though these emerging regimes share a common aim, the nuances between them may cause problems for fintechs that operate cross-border.
What about firms not in the scope of the UK rules?
Fintechs outside the scope of the UK rules could still be indirectly impacted. For example, many fintechs provide services to regulated firms. Mapping exercises mean firms in the scope of the operational resilience regime will scrutinise not only the vulnerabilities in their systems but also the resilience of third party providers. The fallout from the Wirecard insolvency shows how important business services can be disrupted when a third party fails.
The regulators are also paying close attention to outsourcing and third-party risk management more generally. The FCA has confirmed that – notwithstanding Brexit – it will continue to apply the European Banking Authority’s guidelines on outsourcing, although with adjusted timeframes to align with the operational resilience regime. The Prudential Regulation Authority has finalised new guidance in this area as well.
What happens next?
Beyond the rules themselves, operational resilience is now part of the regulators’ mindset. Supervisors are likely to question firms’ readiness for disruption in a variety of scenarios: for example, when unregulated fintechs seek authorisation, when regulated fintechs request new permissions, or when innovative products are trialled in the regulatory sandbox.