We are setting out our final rules and guidance on new requirements to strengthen operational resilience in the financial services sector.
Why we are changing our rules
In December 2019, we consulted - in CP19/32 - on proposed changes to how firms approach their operational resilience. We developed these proposals in partnership with the Bank of England - in its capacity of supervising financial market infrastructures (FMIs) - and the Prudential Regulation Authority (PRA) to improve the operational resilience of the UK financial sector.
We received 73 responses, most supporting our proposals. In some cases, respondents asked us to clarify how the rules would apply. In a small number of cases, respondents opposed our proposals or suggested changes to the proposed rules.
To give firms more time and flexibility to meet mapping and scenario testing requirements, we have made changes to the policy position. See Chapters 4 and 5 of the Policy Statement.
In general, we have implemented our other proposals as consulted on, and have made amendments to reflect the feedback received. We set out the feedback and our response to it in the Policy Statement.
Who this applies to
This affects:
• banks
• building societies
• PRA-designated investment firms
• insurers
• Recognised Investment Exchanges
• enhanced scope SM&CR firms
• entities authorised and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011
This does not apply to EEA firms.
Background to the operational resilience consultation
Ensuring the UK financial sector is operationally resilient is important for consumers, firms and financial markets. Operational disruptions can cause wide-reaching harm to consumers and pose a risk to market integrity, threaten the viability of firms and cause instability in the financial system. The disruption caused by coronavirus (Covid-19) has shown why it is critically important for firms to understand the services they provide and invest in their resilience.
With the Bank and PRA, we have published a shared final policy summary on these requirements to strengthen operational resilience in the financial services sector.
Next steps
Our rules and guidance will come into force on 31 March 2022.
By 31 March 2022, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.
As soon as possible after 31 March 2022, and no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.