The FCA, alongside the Bank of England and the Prudential Regulation Authority, published a new set of rules which will impact the FS sector, but we also expect it to have a wider impact, affecting technology providers down the line as well as other industries.
This techUK webinar will enable attendees to understand why these rules have been developed, how they will be implemented and what it means for their business. We will be joined by experts from:
- Pinsent Masons
- Lloyds Bank
Newly published rules matter
The new rules have been established to increase operational resilience and improve practice in outsourcing, which is important for consumers, firms and financial markets. Operational disruptions and the unavailability of important business services can have a wide and critical impact on the economy, businesses and consumers alike. These disruptions can ultimately threaten the viability of firms or cause instability in the financial markets.
Key rules highlighted
The PRA has issued outsourcing requirements which relate to operational resilience, cloud, data, data locations, data security, data classification and business continuity, together with a range of other matters relevant to technology providers.
Both the FCA and the PRA have particularly highlighted the following new requirements for affected financial services firms:
- identify their important business services that, if disrupted, could cause intolerable harm to consumers of firms or risk to market integrity, threaten the viability of firms or cause instability in the financial system
- set impact tolerances for each important business service (i.e. thresholds for maximum tolerable disruption)
- identify and document the people, processes, technology, facilities and information that support a firm’s important business services (mapping)
- test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios
- conduct lessons learnt exercises, including with their technology providers, to identify, prioritise, and invest in their ability to respond and recover from disruptions as effectively as possible
- develop internal and external communications plans for when important business services are disrupted.
Timeline and transition
To allow firms to adapt and adjust to the new rules, including testing, the new rules have set a transition period and decided on a phased approach:
- from 31 March 2021, firms need to begin considering the PRA’s outsourcing requirements when negotiating contracts with technology and other service providers
- by 31 March 2022, firms need to have identified their important business services, set impact tolerances for the maximum tolerable disruption to these and carried out mapping and testing to a level of sophistication necessary to identify important business services, set impact tolerances and identify any vulnerabilities in their operational resilience
- by 31 March 2025, firms will need to have performed mapping and testing so that they are able to remain within impact tolerances for each important business service, and made the necessary investments to enable them to operate consistently within their impact tolerances.
Please get in touch with the colleagues below for more information.