In the UK, it is now less than a year until UK-based financial institutions (FIs) must achieve the legally-binding operational resilience standards laid out by the UK’s financial regulators. By no later than 31 March 2025, in-scope FIs will need to have:
Performed mapping and scenario testing so that they can remain within impact tolerances for each important business service. Impact tolerance is defined as the maximum level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics; and
Made the necessary investments to enable them to operate consistently within their impact tolerance.
This is on top of a set of requirements that they should already have met, including having identified important business services that, if disrupted, could cause “intolerable harm to consumers”, carried out mapping and testing to a level of sophistication necessary to identify important business services, and prepared self-assessment documentation.
As digital transformation of the financial sector accelerates, the exposure of FIs to the risk of a major disruption caused by a technology failure, such as a cyber attack or an ICT system flaw or breakdown, naturally increases. As such, operational resilience frameworks have had to keep pace with this reality in order to reduce system vulnerabilities.
On top of this, the emergence of new technology trends, such as tokenisation and other digital assets, means that the operational resilience regulatory requirements for UK FIs are still evolving, with regulators exploring how to incorporate these technologies into existing operational resilience frameworks. In-scope firms are expected to stay in line with the evolving requirements and adjust their operational resilience models as appropriate.
In particular, the Bank of England’s Financial Policy Committee (FPC), one of three bodies involved in overseeing the UK financial industry’s operational resilience environment, expects key financial firms (i.e. banks and insurers) and financial market infrastructures (FMIs) such as payment systems, exchanges and clearing mechanisms, to consider which of their services are vital to UK financial stability when they build their own operational resilience frameworks. Vital services include:
Payments, clearing and settlement of transactions;
Deposit taking and lending; and
Insurance and activities which support the functioning of markets.
Last week, the FPC outlined its next steps in delivering operational resilience and financial stability to the UK’s financial services industry. These include:
Assessing potential gaps from a system-wide perspective that are not covered by existing rules;
Continuing to run cyber-attack stress tests as well as considering other types of operational disruption themed tests;
Monitoring the implementation and outcomes of a new set of rules for important outside service providers (critical third parties); and
Considering whether to set further expectations about how quickly services should be able to be restored after an operational incident (the Financial Policy Committee currently only does this for payments).
In our recent Cracking the DORA Code report we highlighted how the UK’s stance toward operational resilience among financial services ‘lacked provisions on regulatory oversight of critical third-parties.’ However, judging by the third point in the FPC’s operational resilience ‘next steps’ roadmap, its stance toward critical third-parties is changing. To be clear, this refers to disruption originating from third parties supporting the provision of vital services by firms and FMIs: for example, technology failures, cyber-attacks or data integrity issues at a third-party supplier that cause disruption to its clients.
With increasing importance being placed on critical third-party providers thanks to the proliferation of digitalisation, interconnectedness and greater choice of system providers, this move to give more regulatory oversight over critical third-parties feels like an inevitable next step for the UK. That the EU Digital Operational Resilience Act (DORA) places strong emphasis on this aspect of resilience further highlights the need for the UK to include it in its own framework.