Is the PS21/3 operational resilience transition period end a turning point?

Contributed

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

The transition period for the UK regulator FCA’s PS21/3 guidance for Financial Market Infrastructures (FMIs) to build their operational resilience officially ends on 31 March 2025. For many organisations in the financial services and fintech industries, the conclusion of this transition period marks a critical milestone in regulatory compliance and technological adaptation.

In 2019, the FCA consulted on the proposed changes to how operational resilience would be approached, in collaboration with the Bank of England and the PRA. The background to this was the understanding that “operational disruptions can cause wide-reaching harm to consumers and pose a risk to market integrity, threaten the viability of firms and cause instability in the financial system.”

New guidance came into force on 31 March 2022 and it was ruled that “by no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.”

Similar to the EU’s Digital Operational Resilience Act (DORA), PS21/3 was introduced to ensure the effective regulation of firms offering payment and e-money services in a rapidly evolving financial landscape. However, what does this mean for the financial services and fintech industries, and how will this shift impact them?

A new era of oversight

As the transition period ends, firms will be required to adhere to stricter standards, including enhanced conduct requirements, risk management procedures, and transparency obligations. This means that businesses must now be ready for ongoing FCA supervision, with regular checks and audits to ensure compliance with the updated rules.

For the financial services industry, this will likely lead to a rise in operational costs as businesses invest in compliance teams, risk management systems, and technological upgrades. Smaller firms, especially within the fintech space, may find it challenging to meet the new requirements without significant investment, which could potentially impact their ability to compete.

Four months ahead of the deadline for full compliance, research from Parseq indicated that almost a third of financial institutions are not fully confident in their ability to meet the new rules. Gordon MacKinnon, director of client services and growth, Parseq, said at the time: “Financial institutions raced to enhance their IT systems when the Operational Resilience guidelines were published. When the audits start, we suspect the FCA will find greater room for improvement in back-office functions that rely more heavily on people, such as inbound customer communications, contact centre operations and cheque processing.

“Big players have less to worry about here. They already have pretty resilient systems, often from working with third parties that have robust business continuity and stringent SLAs baked into their offerings. Smaller institutions that handle these important back-office services in-house will be more exposed in the event of a major technical, people or facility failure.”

Stronger safeguards for customers

PS21/3 introduces more robust consumer safeguards, including the requirement for firms to ensure that client funds are protected, and clearer rules on transparency in terms of fees, charges, and the quality of service provided.

As the transition period comes to an end, consumers will benefit from better protection against fraudulent activity, unauthorised transactions, and financial instability within the firms they use. This heightened level of consumer protection could foster greater trust in digital payment solutions, helping to drive further adoption of these services.

Eimear O’Connor, COO, Form3 Financial Cloud, published an expert opinion article on Finextra in November 2024, in which she said that: “If, unfortunately, payments systems do go down, this can have a big impact on consumers, whether that means they are unable to pay their mortgage, buy the groceries or deal with even more extreme situations, like paying for hospital bills when abroad. 

“Fortunately, banks and payment service providers (PSPs) have safeguards in place so that breakdowns in payment processing don’t occur too often. Key to this is ensuring that payments infrastructure has strong operational resilience measures - the ability for banks and PSPs to provide a service to their customers, despite or in the event of adverse incidents such as an outage of a technology solution. It's making sure that banks can cope with all different types of disaster recovery scenarios - and remain operational for their customers.”

Innovation and competition

The stricter regulatory environment will level the playing field, ensuring that both incumbents and challengers adhere to the same standards. This may spur innovation in areas such as open banking, instant payments, and AI-driven financial services, as firms look for ways to differentiate themselves within the regulatory constraints.

Additionally, larger firms with established compliance frameworks and resources may gain a competitive advantage over smaller startups that struggle to meet the regulations. However, firms that have already invested in compliance and consumer protections will be well-positioned to thrive in this new regulatory environment.

David Turmaine, managing director, Broadridge, in an expert opinion article on Finextra, used DORA as an example to explore this, but the sentiment still applied when considering the PS21/3. “Whilst resiliency measures have previously been quite inward looking, with firms focused on getting their own house in order first, DORA will ensure they now need to extend this diligence externally across the third party vendors and strategic partners that they work with. Firms will need to conduct a more detailed analysis of the critical paths involved in their essential functions, which include trade flow data, settlement data, and any other data they collect, store or share.

“This means that third party providers, as well as in-house IT systems, will come under increasing pressure. DORA requires that critical systems of all kinds, including those of service providers, have received the necessary attention and investment to provide operationally resilient environments. This will necessitate a full review of a firm’s supply chain, including nth party dependencies that exist beyond the third party in a business relationship, regardless of their headquarters’ or providers’ location or regulatory jurisdiction.”

A new phase of opportunity

Jonathan Gill, CEO, Panaseer, wrote in to Finextra on 31 March 2025, saying: “The FCA’s reasoning has always been clear: even with the best will in the world breaches keep happening, and ensuring operational resilience is critical. Throughout the transition period the FCA has repeated two things. First, that mapping is the crucial element behind greater operational resilience. And second, that this mapping is not a one-and-done process, but one that will mature over time. 

“Doing this successfully demands a reliable, centralised system of record, so firms can operate on facts rather than assumptions. This needs to be trusted and transparent, so all stakeholders accept it provides truthful data. It needs to be configurable, so it reflects the organisation as it is instead of a best-fit approximation. It needs to make data understandable by all stakeholders, especially at the business and non-technical level, so they can make appropriate decisions about risk. And it needs to be actionable, so any data-driven insights can be translated into concrete action.  

“The challenge is that while other areas of the business have tools that will give them the intelligence they need and act as a system of record, too often CISOs are left to struggle without. Addressing this inequality will help organisations demonstrate how assets map to important business services, provide clear ownership and accountability, and prove they can recover within defined impact tolerances. Doing this will help ensure the FCA’s demands aren’t a box-ticking exercise, but a way to increase resilience and control risk.”

 

The end of the PS21/3 transition period on 31 March 2025 marks the beginning of a new chapter. Organisations that have already made investments in compliance and security will be well-positioned to thrive, while those that haven’t will need to accelerate their efforts to stay competitive.

At the same time, the new regulations will foster innovation within the constraints of a secure and trustworthy financial ecosystem, ultimately benefiting consumers and enhancing the reputation of the fintech industry as a whole.

In the long run, the PS21/3 transition will strengthen the UK’s standing as a global fintech hub, ensuring that firms operate with transparency, accountability, and a focus on customer safety. The question now is whether individual firms are ready to meet these new challenges head-on.
