UK payments organisations must act now to meet the March 2022 operational resilience deadline

Operational resilience has become a key focus for regulators in the UK. In March 2021, the Financial Conduct Authority (FCA), the Prudential Regulatory Authority (PRA) and the Bank of England (BoE) published their final policy papers on ‘Building Operational Resilience’, which gave financial institutions, including payments companies, a one-year deadline to improve operational resilience. There are now four months left for the regulation to come into force and we, at Be | Shaping the Future (Be UK), observe how numerous payment companies and FinTechs lack focus and resources to meet the March 2022 operational resilience deadline. Meeting the deadline is possible but companies must act now and establish appropriate operational resilience capabilities to ensure compliance and avoid facing significant financial costs.

What is operational resilience and why is it important?

In the FCA’s words, operational resilience is “the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions”. Operational resilience defines a company’s approach to managing operational risks and aims to deliver important business services with minimal interruption even during severe operational incidents. As an outcome of this regulation, policy makers expect companies to understand their vulnerabilities, invest in protecting against those as well as themselves, consumers, and the overall market.

Recent internet outages and IT failures have led operational resilience to become a necessity in the financial services industry. Examples include:

• IT failures from NatWest, RBS and Ulster Bank in 2014, which left over 6 million consumers unable to access their bank accounts for a number of weeks. This caused significant harm to consumers who were not able, among other things, to make mortgage payments, obtain accurate account balance information and access to cash in foreign markets.
• The TSB migration failure in 2018, which resulted in nearly two million customers locked out of their accounts for several weeks.
• Tesco Personal Finance PLC’s failure to protect its account holders from a cyber-attack in 2019, leaving account holders vulnerable for over 48 hours, with cyber attackers netting £2.26 million.
• 2021 internet outages, which affected customers from PayPal, Tesco Bank, Sainsbury’s bank, HSBC, Lloyds, Barclays, American Express and TSB.

Operational resilience regulation has been formulated to avoid unexpected impacts of operational incidents like the ones listed above.

Failure to build operational resilience will have significant financial costs

Firms failing to comply with the newly introduced operational resilience regulations and undergoing operational disruption will face significant financial costs. Fines imposed by regulators might be the most visible financial costs related to non-compliance, with regulatory failings in these incidents ranging from hundreds of thousands to tens of millions of pounds. Despite this, operational resilience is currently not being prioritised by payment companies who lack the knowledge and the resources to properly deal with the regulation.

The FCA gives examples of regulatory fines from previous related incidents, including R. Raphael & Sons PLC (£1.9m, 2019), Tesco Personal Finance (£16.4m, 2019) and NatWest (£42m, 2014). Other less visible but significant financial costs related to non-compliance and operational disruption include: revenue loss during the disruption (e.g. RBS and NatWest customers couldn’t make transactions for several weeks in 2014 as mentioned above), fraud costs and resources spent on fraud recovery (e.g. the TSB migration failure in 2018 resulted in a loss of £330.2m for TSB) and revenue lost as a result of bad reputation (i.e. loss of both existing and potential customers).

Who is in scope?

Considering the definition and scope of operational resilience, it is not surprising that payments providers are in scope of the regulation. COVID-19 demonstrated that digital payments play a fundamental role in our economy, whereby they have become critical business services. If disrupted, they could cause severe harm to consumers, and could cause systemic instability in the financial system. As our collective dependency on digital payments increases, so does the need to ensure operational resilience across payments providers.

The newly introduced rules apply to payments institutions (PIs), e-money institutions (EMIs) / challenger banks, traditional banks (issuers and acquirers) and payments system operators. Other FinTechs / payment firms will be indirectly impacted but not regulated, as detailed below.

Non-payments companies in-scope include: insurers, recognised investment exchanges and building societies, central counterparties, central securities depositories, enhanced scope Senior Manager & Certification Regime (SMCR) and PRA-designated investment firms. 

What are the requirements?

In-scope firms will need to develop a self-assessment document, which requires the following:

• Identify their ‘Important Business Services’ (IBS). These are defined as services provided by the firm or on its behalf which, if disrupted, could cause harm to the firm’s clients or pose a risk to the soundness, stability, or resilience of the UK financial system.
  • Payments companies will only need to identify ‘important’ business services, which are those provided to the end-customers.
  • There is no need to identify products. If we take an e-wallet provider as an example: the provision of access to an e-money wallet via an app to initiate payments would be a service, but not the wallet itself, which is a product.
  • Payments companies need to identify ‘each’ of their IBSs, not a ‘collection’ of services. If we continue with the example above, the provision of payment initiation would be a collection of services, while initiating a payment via an app, web or phone would be three separate services.
• Set an impact ‘tolerance level’ for each IBS. These are defined as the point at which a disruption to the IBS would pose intolerable risk of harm to consumers or market participants. They are measured by time or any other relevant metric (e.g. number of transactions or number of cardholders impacted). As an example, an e-money institution may set an impact tolerance of two hours of unavailability in relation to access to the company’s e-money wallet for those users who rely solely on its service to make payments, such as bills or mortgages.
• Conduct mapping of IBS. Involves identifying people, processes, technology, facilities and information that support each IBS. Mapping needs to be extended to outsourcing providers or third parties that support IBS of the regulated entities. As a result, third party providers such as issuer and acquirer processors will be expected to support their clients with mapping and testing exercises. The fallout from the Wirecard scandal showed how important business services can be disrupted when a third party fails. Proactivity to help and enable customers to meet their operational resilience requirements may therefore offer a competitive advantage compared to other third-party providers.
• Scenario testing and remediation action. Mapping will need to be tested against a range of ‘severe but plausible’ scenarios on a regular basis to ensure they are able to remain within their tolerance levels, identify vulnerabilities and take remediation actions (e.g. investment to address vulnerabilities and build resilience).

The self-assessment document will need to be reviewed at least once a year. Frequency will need to increase in the case of ‘material’ changes in the firms’ IBSs (e.g., introduction of a new service, or change of outsourcing partner, etc.).

The self-assessment document will need to be made available to regulators on request. Regulators also expect senior management of the in-scope organisations to be responsible for overseeing and approving the firm’s operational resilience implementation on an ongoing basis.  

What are the timelines?

The enactment of the regulation will consist of a two-phased approach. The deadline for the first phase is fast approaching, with an implementation period which runs to 31 March 2022, in which firms ‘only’ need to carry out mapping and testing to a level of sophistication necessary to accurately identify their IBS, set impact tolerances and identify any vulnerabilities in their operational resilience. This is a significant amount of work to be done over four months for those firms who have not got started with their operational resilience compliance!

Secondly, there is a transition period running to March 2025 in which firms should ensure they are able to operate within their impact tolerances. The FCA points out that the transition period up to March 2025 is a hard deadline and that firms should be able to remain within their tolerance levels as soon as reasonably practicable within the 3-year period, or otherwise companies would be in breach of the FCA’s rules.

Meeting the March 2022 deadline is still possible, but you must act now!

Achieving operational resilience, as shown above, brings numerous benefits to in-scope firms, end-customers, and the financial services / payments industry as a whole. Nevertheless, achieving compliance will not be easy, given the level of detail and sophistication required in the self-assessment document, for which only flexible guidance has been provided by regulators.

The fact that companies will have over three years to remain within their tolerance levels indicate the significant amount of work required to comply. Companies will need to change the way employees at all levels understand resilience, with senior management needing to be involved. As always busy senior management will need to be involved in the decision-making process, in-scope entities must ensure they build a robust programme governance and an appropriate framework to facilitate decision making and achieve operational resilience compliance. This can either be developed in-house or outsourced to a trusted partner, who can manage the day-to-day operations and allow companies to focus on key decisions and overall accountability. We at Be UK are here to help you achieve operational resilience in an integrated and cost-efficient manner.