FG16/5: Guidance for firms outsourcing to the ‘cloud’ and other third party IT services

In November 2015, we consulted on guidance to clarify the requirements on firms when outsourcing to the ‘cloud’ and other third party IT services. We published the final guidance (FG16/5) in July 2016.

Our finalised guidance is relevant to firms who are interested in outsourcing to the cloud and other third party IT services. It may also be of interest to third party IT providers (including cloud providers), trade associations and consumer groups, law firms and other advisers, and auditors of financial services firms.

Read FG16/5 (PDF)

We updated FG16/5 in July 2018 to reflect the publication of the European Banking Authority’s (EBA) final report on cloud recommendations (EBA/REC/2017/03) and changes to relevant legislation.

In February 2019, the EBA published its final report on outsourcing arrangements (EBA/GL/2019/02). The final report on outsourcing arrangements subsumed the EBA’s cloud recommendations (EBA/REC/2017/03). We have notified the EBA of our intent to comply with the EBA guidelines on outsourcing (EBA/GL/2019/02) and we have updated FG16/5 to reflect the publication of EBA/GL/2019/02 and changes to relevant legislation.

The EBA outsourcing guidelines (EBA/GL/2019/02) apply to credit institutions and investment firms subject to the EU Capital Requirements Directive (2013/36/EU), i.e. banks, building societies and IFPRU investment firms as defined in the FCA Handbook, as well as payment institutions and electronic money institutions. They do not apply to Account Information Service Providers that only provide the service in point 8 of Annex I of PSD2.

The EBA guidelines applied from 30 September 2019 in respect of all outsourcing arrangements entered into, reviewed or amended on or after this date. There are also transitional arrangements extending up to 2021 relating to co-operation agreements, a register of outsourcing and the review of existing ‘critical or important’ outsourcing arrangements entered into before 30 September 2019. In scope firms must make every effort to comply with the guidelines.

The FCA’s FG16/5 remains relevant to all other firms that we authorise.

Summary of findings

Our responses to the feedback we received on Guidance Consultation GC15/6 are set out in the annex of this finalised guidance. We do not consider that the feedback received requires substantial changes to our guidance and proposed approach as set out in GC15/6. However, in some areas we have amended the draft guidance, mostly to clarify our expectations.

The main feedback issues were:

  • physical access to business premises, including data centres
  • the scope of firms’ obligations relating to supply chain and sub-contracting arrangements
  • clarifying expectations around aspects of risk management, including concentration risk
  • points around the choice and control in relation to the jurisdictions where data is processed, stored and managed
  • the provisions to ensure firms have effective access to data
  • specific expectations around exit plans.

More information

  • GC15/6: Proposed guidance for firms outsourcing to the ‘cloud’ and other third-party IT services
  • The EBA's recommendations on outsourcing to cloud service providers (EBA/REC/2017/03), repealed with effect from 30 September 2019
  • The EBA’s guidelines on outsourcing (EBA/GL/2019/02) applicable from 30 September 2019
  • Impact assessment for FG16/5

Page updates

01/10/2019: Information added regarding EBA outsourcing guidelines


FCA Business Plan and ‘Dear CEO’ Letter Set Out Updated Priorities for Asset Management and Alternatives Supervision

Greg Norman, Abigail B. Reeves, Weite (Wendy) Li

In March 2024, the Financial Conduct Authority (FCA) released two documents with its updated supervisory approach for the asset management and alternatives sector: the FCA’s 2024/25 Business Plan (the Business Plan), and a “Dear CEO” letter titled “Our Asset Management & Alternatives Supervisory Strategy – interim update” (the Dear CEO Letter).

The Business Plan details the regulatory agenda and strategic priorities for the upcoming year, and the Dear CEO Letter serves as a parallel resource to inform stakeholders of the FCA’s regulatory expectations and focus for the near- to mid-term. A particular focus of both publications is the FCA’s emphasis on accountability in assessing the effectiveness of firms’ governance, as illustrated by a statement in the Dear CEO Letter that the boards and senior managers of firms should take decisive actions to comply with the FCA’s requirements and mitigate any potential risks of harm.

Here we analyse the two documents and highlight areas where asset managers and those in the alternatives sector will want to monitor.

The Business Plan

In the Business Plan, the FCA reaffirms that it will uphold its operational objectives:

(i) protecting consumers;

(ii) ensuring the integrity of the UK financial system;

(iii) promoting effective competition; and

(iv) enhancing the international competitiveness of the UK economy.

In response to the changing external environment, the FCA has recognised three key challenges that it is currently monitoring: higher interest rates and persistent inflation; global financial risks (including the riskier market-based corporate borrowing and high levels of public debt); and geopolitical risks with the potential to cause severe disruption. The FCA expects to release further updates on how it measures performance against metrics in the summer.

To help address these external challenges in the next year, the FCA makes three specific commitments as part of its updated focus: reducing and preventing financial crime, putting consumers’ needs first, and strengthening the UK’s position in global wholesale markets.

In addition to its ongoing activities, the FCA also plans to initiate the following new actions to support the new focus:

  • increasing investment in the FCA’s systems to utilise intelligence and data more effectively in targeting higher risk firms and activities;
  • carrying out multi-firm work and market studies across various sectors to elevate standards for consumer protection, with a particular emphasis on supporting those in vulnerable circumstances; and
  • encouraging innovation and supporting industry efforts towards T+1 settlement to enhance operational efficiency.

The Dear CEO Letter

This Dear CEO Letter serves as an interim update following the series of communications released in August 2022 and February 2023, which have progressively outlined the FCA’s supervisory strategies for asset management firms primarily engaged in managing or advising on alternative investment products. The Dear CEO Letter was issued in response to changes in the external market environment, especially in light of the heightened uncertainty and several market shocks experienced in the past year. It delineates the FCA’s supervisory priorities, noting that the FCA anticipates a “high volume of significant business and regulatory changes to be implemented in 2024.”

The table below outlines several critical areas that investment managers of private capital businesses should monitor closely.

Areas of the FCA’s supervisory strategies, with commentary:

  • Sustainability disclosure compliance – The FCA will oversee the enforcement of the Sustainability Disclosure Requirements (SDR) and investment labelling, specifically to prevent firms from making exaggerated or misleading claims related to sustainability. For a detailed understanding of how to achieve compliance with the SDR, please refer to our , which includes a comprehensive summary of the SDR rules covering anti-greenwashing, product labelling, naming, marketing and disclosures, each set to come into effect from various dates starting on 31 May 2024.
  • Valuation of private assets – The FCA will undertake another multi-firm review to scrutinise the valuation practices of private assets, with a focus on personal accountabilities and the governance role of the board and valuation committees. This initiative follows the FCA’s prior multi-firm review of liquidity management in July 2023, which revealed wide disparities in compliance quality. Given the prevailing higher-interest-rate and tighter credit environment, the FCA is expected to intensify scrutiny on the valuation of private assets.
  • Outlier firms – The FCA will closely monitor firms that pose unique risks to the financial system or are identified as outliers. This will particularly target money market funds, funds with significant liquidity mismatches, and the transmission of risk from the non-bank financial sector to the broader market. Additional areas of focus will include firms holding large and concentrated market positions, as well as those operating with high levels of leverage. This strategy is in line with the FCA’s updated , published in March 2024 as a supplement to the Business Plan. In this updated approach, the FCA has further clarified that it will focus on pre-empting poor conduct and identifying emerging risks, with the aim of mitigating or preventing them.
  • Innovation and fund tokenisation – The FCA will continue to support innovation in the UK asset management industry, including the exploration of fund tokenisation use cases and other potential innovative technologies to foster a safe, sustainable and efficient financial ecosystem. In our , we analysed the preliminary approval for implementing fund tokenisation in the UK. Although the recent Dear CEO Letter does not provide new regulatory updates on this topic, the FCA has reaffirmed its commitment to support fund tokenisation and plans to collaborate with other regulators and international standard-setters to promote the convergence of global standards.
  • Smarter Regulatory Framework – The FCA will continue to implement the Treasury’s Smarter Regulatory Framework, focusing on revising the Markets in Financial Instruments Directive (MiFID), Alternative Investment Fund Managers Directive (AIFMD), and Undertakings for Collective Investment in Transferable Securities (UCITS), following the feedback received in the February 2023 Discussion Paper “ ” (DP 23/2). The three main priorities for this reform are to make the regulatory regime for alternative fund managers more proportionate, update the regime for retail funds and enhance support for technological innovation. Please refer to our  for more insights into the proposed structural adjustments to the MiFID, AIFMD and UCITS regimes and potential areas of improvement, as outlined in DP 23/2. While the extent to which the FCA will integrate the proposed changes outlined in DP 23/2 remains uncertain, the FCA has sent a clear message that it expects to “lift and drop” significant parts of existing regulation and expects to make significant progress this year.

Other Areas of Focus

  • The FCA remains committed to rectifying shortcomings in authorised fund managers’ “assessment of value” governance, bolstering the application of the Consumer Duty, and mitigating operational disruptions that could adversely affect consumers.
  • The FCA will continue collaborating with the Bank of England in the System-Wide Exploratory Scenario initiated in June 2023, an initiative that seeks to promote the regulators’ understanding of the behaviours of banks and non-bank financial institutions amidst periods of heightened financial market stress.
  • The FCA will implement an upgraded Fund Gateway to facilitate new offshore funds from equivalent jurisdictions to be marketed into the UK, which will replace the Temporary Marketing Permissions Regime established post-Brexit.
  • The FCA remains actively involved in providing thought leadership to organizations such as the International Organization of Securities Commissions (IOSCO) and the Financial Stability Board (FSB) and endeavours to sustain the UK’s global competitiveness, a goal underscored in its Business Plan.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.


FCA guidance for firms outsourcing to the cloud

What does the guidance cover?

The guidance builds on the FCA’s existing approach to outsourcing. The FCA defines outsourcing as a third party delivering services on behalf of regulated firms, and the term 'cloud' covers a range of IT services supplied over the Internet. The benefits of outsourcing include cost efficiency, flexibility and, potentially, improved security. However, there are also associated risks, such as the customer's reduced control over the supplier and over where the data is stored. The FCA provides guidance on how to monitor and mitigate these risks.

Who needs to comply with it?

The guidance is not binding but aims to help firms and service providers find ways in which they can comply with the relevant rules.

The guidance affects firms that are currently outsourcing to the cloud and other third party IT services or those that are thinking of doing so.

What do FCA-regulated entities need to do/think about when using cloud services?

Legal and regulatory considerations – the FCA states that a firm should have a “clear and documented business case or rationale” to support the outsourcing of critical or important operational functions. A firm should also ensure that the service is suitable for the firm, taking into account relevant legal or regulatory obligations, and that entering into the outsourcing agreement does not worsen the firm's operational risk.

In addition, firms must maintain accurate records of contracts, and consider the effect of contractual governing law and jurisdiction as well as any additional legal or regulatory obligations on its arrangements with the cloud provider. A firm should also identify all the service providers in the supply chain and ensure that the requirements on the firm can be complied with throughout that chain.

Risk Management – in order to manage any risks arising in an outsourcing agreement, firms should carry out a risk assessment to identify risks and any steps that can be taken to mitigate such risks. The risk assessment should include: identifying current industry good practice and reviewing whether legal and regulatory risk differ due to customers, firms and employees in different geographic or jurisdictional locations. Firms should also assess the overall operational risks and ensure that the contracts provide for the remediation of breaches and other adverse events.

International standards – firms may also wish to assess the provider’s adherence to international standards. For example, does the provider comply with well-understood standards? (e.g. the ISO 27000 series) Is part of the service being assessed relatively stable? Is the service uniform across the customer base?

Oversight of service provider – firms should be aware that they retain full accountability for discharging all their responsibilities under the regulatory system and cannot delegate that responsibility to the service provider. Therefore, before outsourcing, a firm should be clear about the service being provided and how responsibility and accountability between the firm and its service provider are allocated. Staff should have the skills, competency and resources to oversee, monitor and mitigate any risks, as well as being able to properly manage an exit or transfer from an existing service provider.

Data security – firms should conduct a data security assessment of the service provider which would include agreeing a data residency policy with the provider, setting out the jurisdictions in which the firm's data can be stored, processed and managed. This policy should be reviewed periodically. The data security assessment would also help to understand the provider’s data loss and breach notification process and ensure they are aligned with the firm’s risk appetite and legal or regulatory obligations. Firms should also consider how the data will be segregated, transmitted, stored and encrypted as necessary.
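The residency policy described above only works if the firm can check, repeatedly, that every copy of its data (primary stores, replicas and backups alike) actually sits in an agreed jurisdiction. The following is an added illustration of that check, not code from the FCA guidance or from any cloud provider: it assumes the policy is recorded as a set of permitted jurisdiction codes and that the firm can export an inventory of data-bearing resources with their regions; the region-to-jurisdiction map and the inventory are constructed samples.

```python
"""Data-residency audit over a cloud resource inventory.

Added illustration (not from the FCA guidance or a provider SDK). Assumes:
  - the agreed residency policy is a set of permitted jurisdiction codes;
  - an inventory export lists each data-bearing resource, its primary
    region and any replica/backup regions;
  - REGION_JURISDICTION is a constructed sample of a provider's region list.
"""
from dataclasses import dataclass, field

# Constructed sample mapping of provider region identifiers to jurisdictions.
REGION_JURISDICTION = {
    "eu-west-2": "GB",
    "eu-west-1": "IE",
    "eu-central-1": "DE",
    "us-east-1": "US",
}


@dataclass
class Resource:
    name: str
    primary_region: str
    replica_regions: list = field(default_factory=list)
    classification: str = "internal"  # e.g. "customer-data" or "internal"


@dataclass
class Finding:
    resource: str
    region: str
    jurisdiction: str
    reason: str


def jurisdiction_of(region):
    """Map a region to a jurisdiction; unknown regions are flagged, not ignored."""
    return REGION_JURISDICTION.get(region, "UNKNOWN")


def check_residency(resources, permitted, regulated_classes=("customer-data",)):
    """Return one Finding per location that falls outside the agreed policy.

    `permitted` is the set of jurisdiction codes the residency policy allows.
    Only resources whose classification is in `regulated_classes` are checked,
    and replica/backup regions count: data copied to a replica is still stored.
    """
    findings = []
    for r in resources:
        if r.classification not in regulated_classes:
            continue
        for region in [r.primary_region, *r.replica_regions]:
            j = jurisdiction_of(region)
            if j == "UNKNOWN":
                findings.append(Finding(r.name, region, j, "region not in jurisdiction map"))
            elif j not in permitted:
                findings.append(Finding(r.name, region, j, "jurisdiction not permitted by policy"))
    return findings


# Constructed inventory, shaped like an export from a provider's asset API.
SAMPLE_INVENTORY = [
    Resource("customer-db", "eu-west-2", ["eu-west-1"], "customer-data"),
    Resource("customer-db-backup", "eu-west-2", ["us-east-1"], "customer-data"),
    Resource("build-cache", "us-east-1", [], "internal"),
    Resource("kyc-docs", "ap-southeast-9", [], "customer-data"),  # region absent from map
]

# Constructed policy: the firm has agreed GB and IE with its provider.
POLICY_PERMITTED = {"GB", "IE"}


def main():
    findings = check_residency(SAMPLE_INVENTORY, POLICY_PERMITTED)
    for f in findings:
        print(f"{f.resource}: {f.region} ({f.jurisdiction}) - {f.reason}")
    return findings


if __name__ == "__main__":
    main()
```

Two design points matter in practice: an unmapped region is reported rather than silently passed, because a provider adding a new region is exactly the case a periodic review is meant to catch; and the check runs over replica and backup locations, since a backup copied to another jurisdiction is still the firm's data being stored there.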

Data Protection Act (DPA) 1998 – a firm should comply with each of the 8 principles of the DPA, as well as the guidance provided by the ICO on cloud computing (PDF). Note that the DPA 1998 has since been replaced by the Data Protection Act 2018 and the UK GDPR, so the principles to check a cloud arrangement against today are those in Article 5 of the UK GDPR, together with the ICO's current cloud guidance.

Effective access to data and business premises – a firm should have effective access to data and the business premises of the service provider in order to successfully conduct its monitoring. 'Business premises' is a broad term, but the guidance states that this does not necessarily include data centres. Further to this, a firm should ensure that notifications on accessing data are reasonable and not restrictive. The firm should also ensure that there are no restrictions on the number of requests the firm, its auditor or the regulator can make to access or retrieve data. When a firm is seeking to access business premises, it should provide reasonable prior notice and may ask its auditor to undertake the visit. The regulator should also have access to the premises but only if it is necessary. Firms should also ensure that data is not stored in jurisdictions that may hinder access to data for UK regulators.

Relationships between service providers – if the firm does not directly contract with the outsource provider, the firm still needs to ensure that it continues to comply with regulatory requirements. A firm should therefore review its subcontracting arrangements, consider security requirements and ensure that it will still have effective access to data and business premises. The firm should also consider how service providers work together - will the firm or one service provider take the lead systems integration role? A firm should assess how easily a service provider's service will interface with a firm's internal systems or other third-party systems.

Change management – risks can be introduced when changes are made to processes and procedures. A firm should therefore establish what provisions can be made for future changes to the technology, and how those changes will be notified, assessed and approved.

Continuity and business planning – where there is an unforeseen interruption of the outsourced services, a firm should consider the impact of the unexpected disruption to the continuity of its operations. A firm could also document its strategy for maintaining continuity of operations and regularly update and test arrangements to ensure their effectiveness. It would also be wise to put in place arrangements to ensure the regulator has access to data in the event of unexpected disruption.

Exit plan – an effective exit plan will minimise disruption of services whilst still complying with regulations. A firm should be aware of how it would transition to another provider whilst maintaining business continuity. An exit plan and termination agreement would document how the firm would remove its data from the provider's systems, how it monitors concentration risk, and what action would be taken if the outsource provider failed.

In summary, the guidance is a step in the right direction in aiming to help regulated firms adopt the cloud in a safe and compliant way. It also provides a useful baseline for regulated firms to structure their discussions with a potential cloud provider. For example, the cloud provider will know what restrictions it can reasonably place on audits, as well as the access requirements of regulators. Cloud providers will also be aware of the compliance requirements imposed on their FCA-regulated customers, and can therefore consider how they can facilitate compliance.

Key takeaways from the FCA's Business Plan for 2023/24

FCA activity shows no sign of slowing down as the regulator revealed its Business Plan for 2023/24.

Building upon the FCA's three-year strategy, the 2023/24 Business Plan represents the 'sophomore' business plan outlining how the overall strategy will be delivered. It sets out the regulator's response to a number of current challenges including the uncertainties arising out of high interest rates, inflation, unemployment, declines in incomes and market volatility. 

The Business Plan for this year has been slightly re-structured to more closely align with the strategic themes and outlines a total of 13 regulatory commitments across three focus areas, which are:

  • Reducing and preventing serious harm
  • Setting and testing higher standards
  • Promoting competition and positive change

The 13 commitments under the 2023/24 Business Plan are set out below, with the first four commitments being of the greatest priority:  

  • Preparing financial services for the future 
  • Putting consumers’ needs first 
  • Reducing and preventing financial crime 
  • Strengthening the UK’s position in global wholesale markets
  • Dealing with problem firms 
  • Improving the redress framework 
  • Reducing harm from firm failure 
  • Improving oversight of Appointed Representatives 
  • Delivering assertive action on market abuse
  • Enabling consumers to help themselves 
  • Minimising the impact of operational disruptions 
  • A strategy for positive change: our environmental, social and governance (ESG) priorities
  • Shaping digital markets to achieve good outcomes

This article provides a brief summary on some key takeaways from the regulator's Business Plan for the year to come. 

Consumer Duty

Predictably, the FCA said it remains strongly focused on the Consumer Duty, which is due to come into force on 31 July 2023, specifically for those with live products and services. The regulator has stressed that increased consumer protection and the Consumer Duty will represent a significant shift for regulated firms. The Duty imposes more stringent standards for consumer protection and will become an integral part of the regulator's approach and mindset in years to come.

The FCA will invest £5.3 million to ensure the Consumer Duty is successfully embedded and intends to steadily increase its headcount to accompany the transition.  Key information was provided about the metrics and KPIs that will be used from sources such as levels and root causes of Financial Ombudsman Service (FOS) complaints, to form a view as to whether firms are meeting the requirements under the Consumer Duty in the two outcomes relating to Consumer Understanding and Consumer Support. 

The FCA is also focused on improving the redress framework and is developing proposals to improve complaints reporting. The regulator will be consulting on guidance for firms regarding redress calculations and is currently consulting on access to the FOS  for small and medium enterprises that may have insufficient resources to resolve disputes through the legal system. 

Oversight of Appointed Representatives ("AR")

The FCA is set to continue with its action to tighten supervision in the principal/AR space. The Business Plan confirms that there will be further engagement and scrutiny in this area from a regulatory perspective. The FCA criticised Principals for not adequately overseeing their ARs' activities, thereby putting consumers at an increased risk of being misled. Principals will have to become familiar with the FCA's new rules and guidance to ensure compliance and minimise the risks associated with their ARs' possible mis-selling to consumers.  Reporting for principal firms under the new rules becomes fully effective later this year.  

Financial Crime & Market Abuse 

Consistent with the previous year, the FCA has stated its intention to further its work in preventing regulated firms from being used to facilitate financial crime, and it is developing metrics in this area to test the effectiveness of its strategy.

Further, the FCA continues to actively target entities who become involved in Market Abuse practices to tackle the detrimental effect these have on market confidence and participation. 

The regulator is pinning its strategy on better education for its regulated entities to foster prevention and compliance. In parallel, the regulator is working to improve its detection and prosecution capabilities to detect market manipulation and abuse through increased data capture, improved analytics and a dedicated "equity manipulation team". 

Persons Discharging Management Responsibility (PDMR) will also be expected to provide additional transparency and engagement in respect of detecting potential insider dealing. 

The FCA is building a regulatory framework to support its ambition to foster a UK net-zero financial centre. The regulator intends to tighten its grip on mis-leading marketing and disclosure around ESG related product and "greenwashing" to protect consumers and promote trust in the market for ESG investment products. 

The FCA will further collaborate with key stakeholders in the ESG sphere through its ESG Advisory Committee to the Board, which it established in December 2022, to execute its ESG responsibilities. The regulator will also finalise and publish its rules on Sustainability Disclosure Requirements and investment labels. 

Data and Technology 

The FCA will increasingly rely on Data and Technology-led regulation programmes this year to improve their intelligence capabilities through automation of analytics tooling, detection of crime and faster responses to consumer harms. The regulator has also invested in cyber security and operational resilience to improve efficiency of its staff and regulated firms. 

We can expect that the FCA will continue to promote innovation and that reporting expected by firms will become more sophisticated, to improve their existing detection capabilities and promote speed and efficiency of supervision and intervention. 

Financial Regulatory Framework 

Finally, the FCA expects to invest £12.7 million in 2023/24 to support its "Preparing financial services for the future" strategic commitment. This forms part of the post-Brexit Future Regulatory Framework (FRF), which will transfer even more responsibilities to the FCA and will reinforce accountability, scrutiny and transparency for regulated entities. 

General Observations 

The Business Plan has pledged further work on programmes that have been ongoing for a number of years, including the Financial Promotions Gateway, ensuring the ongoing resilience of firms from both a financial and operational perspective, and how the FCA will continue to share intelligence with other agencies to advance its operational objectives. Closer scrutiny of how firms meet the Threshold Conditions was also widely restated across the Business Plan, with the FCA planning to challenge firms at each stage of their lifecycle, starting from new firm authorisations.

The FCA's activity is showing no signs of slowdown. To the contrary, during 2022 the FCA issued over 1,800 warnings about potential scam firms, which is 400 more warnings than the previous year. The regulator's headcount has also grown from 3,800 in early 2022 to almost 4,500 at the end of March 2023. Numbers are expected to grow again for 2023/24. DWF has a depth of expert insight on regulatory matters across a range of regulatory topics and would be pleased to discuss with you what the Business Plan means for your firm and how it should be integrated into your business and compliance strategy this year.

Related Authors

Andrew Jacobs, Partner and Head of Regulatory Consulting

Robbie Constance, Head of Financial Services Regulatory // Co-Head of Financial Services Sector

Jonathan Drake
Dentons

Operational resilience: the FCA's review of business continuity planning

The FCA has published its findings from a recent review of business continuity planning (BCP) among small and medium-sized retail banks, payments institutions and electronic money institutions. 

Although the findings suggest that many firms have taken meaningful steps to build operational resilience into their systems and processes, the FCA also identifies a number of areas for improvement. It encourages firms proactively to review, test and revise their arrangements ahead of further supervisory work to be conducted later this year, in particular with respect to scenario testing, incident response planning, training and management oversight.

The importance of this topic is underscored by the fact that the PRA currently has a number of enforcement cases underway against senior managers at UK financial institutions for IT failures, a point confirmed last week by Lyndon Nelson, executive director for regulatory operations and supervisory risk specialists at the PRA, in evidence to the Treasury Select Committee.

The FCA's review follows on from the publication of the joint FCA and PRA discussion paper "Building the UK financial sector's operational resilience" in July 2018 (the Joint Discussion Paper) and also covers ground which overlaps to some degree with recent FCA publications on the related issue of cyber security and resilience – see, for example, the "Cyber and Technology Resilience: Themes from cross-sector survey 2017/18" paper of November 2018 (the Cyber Resilience Paper) and the "Cyber security – industry insights" document of March 2019.

The continuing regulatory focus on this area is borne out further by the emphasis on operational resilience as a cross-sector priority in the FCA's recently published Business Plan for 2019/20 and the Final Notice issued jointly by the PRA and FCA to Raphaels Bank on 30 May 2019 for failing properly to manage outsourcing arrangements between April 2014 and December 2016 (see our earlier article).

The FCA's review

In undertaking its review, the FCA found that most firms have demonstrated a good understanding of BCP, but noted that there are "some important areas where improvements could be made". 

The FCA assessed firms' approaches to four particular aspects of BCP:

  • planning for and managing business continuity events;
  • responding to disruptions, e.g. by implementing business continuity contingencies, including communications protocols;
  • recovering from events by returning swiftly and efficiently to normal service; and
  • identifying potential or actual consumer harm caused by an event and taking the appropriate steps to remediate where necessary.

With respect to planning, the FCA found that most firms had a clearly documented BCP strategy with an appropriately defined risk appetite, and that they used governance forums for approval, challenge and maintenance of policies, plans and frameworks.

However, the FCA noted that: 

  • only "some firms" had considered real-life scenario testing going beyond the basic scenarios of denial of premises access and denial of IT service;
  • inadequate consideration is being given to the link between large-scale change projects and BCP. Firms are encouraged to plan for unanticipated disruptions when implementing significant changes;
  • there was a lack of relevant and tailored training being rolled out across the whole of a firm's employee population, as opposed to just technical staff; and
  • management and oversight of events is often assigned to staff at too low a level in firms, with insufficient challenge from senior management to those staff on current capabilities.

With regard to responding, the FCA noted that some firms had crisis management plans containing pre-approved communications for both employees and customers, and that most firms documented several contingency plans for customer-critical processes.

Potential areas for improvement, however, were also identified:

  • Most firms had not created and developed "playbooks" covering different potential scenarios with multiple impacts and containing guidance on appropriate communications, the contingencies required to respond and the roles and responsibilities of individuals managing the event.
  • The FCA also recommends that firms should consider whether their incident response plans should be subject to independent verification and oversight, whether internal or external.

On the topic of recovering from events and offering appropriate remediation, the FCA noted that all firms used post-incident reviews as a catalyst for updating and improvement of BCP policies, and that some firms proactively contacted customers during an event if harm had occurred.

However, it also recommends that firms ensure that adequate management information is used to identify potential or actual harm proactively and consider what lessons can be learned from an event. This echoes a theme present in other recent FCA communications in which the regulator has expressed some concern regarding the quality of management information presented to senior management at firms and their ability fully to understand it given the technical nature of certain BCP issues such as cyber threats: see, for example, chapter 3 of the Cyber Resilience Paper.

Next steps and actions for firms

The FCA is advising firms to consider the contents of the Joint Discussion Paper and has made it clear that it expects firms to carry out self-assessments of policies, frameworks and plans on an ongoing basis. Although the review was carried out among small and medium-sized retail banks, payments institutions and electronic money institutions, it will be of interest to all regulated firms – and all businesses – regardless of their size.

The 2019/20 Business Plan says that, as part of its focus on operational resilience, the FCA intends to undertake a number of further activities in this area this year. For example, it plans to:

  • utilise regulatory tools to test the cyber capabilities of high-impact firms;
  • undertake multi-firm supervisory work to better understand the protection measures that firms take against cyber attacks; and
  • do further work to understand and assess the approach taken by firms to change management and third party service provider management.

Firms will want to make sure that they are well prepared to deal with any queries from the regulator in these areas.

With the increasing frequency and severity of cyber attacks and operational disruptions suffered by businesses, it is important that firms are prepared in order to mitigate the risks associated with such events. The FCA's findings and recent papers ought to assist when assessing whether policies and procedures are able to stand up to testing. We would be happy to review your existing BCP and discuss with you how you might improve upon this in light of the FCA's comments.


The FCA operational resilience guidelines: an overview


Released in March 2021, the FCA operational resilience policy provides a framework for financial services firms to strengthen their resilience against operational disruptions. To that end, the policy required firms to have established robust plans for ‘severe but plausible’ risks earlier this year.

Created alongside the Bank of England and the Prudential Regulation Authority (PRA), the policy came about in response to Covid-19. The pandemic, as you will be all too aware, caught many businesses off-guard, and the FCA want to prevent a similar situation from occurring. The global financial crisis and the recent rise in cyber-attacks also prove the need for firms to achieve operational resilience.

To understand the regulator’s operational resilience framework in more detail, let’s first go back to basics. Exactly what is operational resilience?

What is operational resilience?

The FCA and PRA define operational resilience as the ability of financial services firms and the finance services sector to:

prevent, adapt, respond to, recover, and learn from operational disruptions.

Essentially, it is all about ensuring that your organisation has contingency plans and risk mitigation strategies in place. Why? So that you are as prepared as possible for adverse scenarios. This should prevent harm from manifesting or will help you to recover more easily if something does go wrong.

The importance of building operational resilience goes beyond protecting your organisation from becoming victim to operational risk. It is also in the public interest. By being prepared for unfavourable situations, financial firms are better placed to protect consumers and the wider financial industry.

Operational resilience is also about changing your organisation’s mindset. Instead of thinking about operational disruption as something that could happen, firms should assume it will happen. This shift in attitude should propel your organisation to make operational resilience a priority and will help to drive cultural change within the industry.

So, what are the FCA operational resilience guidelines?

If you are not already familiar with the FCA operational resilience policy, it focuses on five key areas:

  • Important business services – This refers to services that would cause intolerable damage to consumers or the market if they were disrupted.
  • Impact tolerances – This is the maximum level of disruption that can be endured whilst still being able to deliver important business services. Disruption to important business services beyond this level would cause intolerable harm to consumers, the UK financial system, and financial markets.
  • Transitional arrangements – Firms had until the 31st of March 2022 to implement the new requirements. Following this, the FCA have outlined a 3-year transitional period where firms must ensure they are remaining within their set impact tolerances.
  • Mapping and scenario testing – Mapping involves establishing what resources are needed to continue to deliver important business services, from people and processes to technology and facilities. Scenario testing requires firms to assess whether they can remain within their impact tolerances under different harmful yet possible situations.
  • Communication and self-assessment – In the instance that important business services are disrupted, the FCA expect firms to have internal and external communication plans ready. Firms should also self-assess their operational resilience and document this.

While the regulator’s operational resilience requirements may seem complex, in essence they are about ensuring firms are prepared for the worst. That way, severe operational disruption, as well as harm to consumers and the market, can be avoided.

“We need to know that you have planned for the worst and are able to continue to deliver your important business services when the worst does happen.” — Megan Butler, Executive Director of Supervision: Investment, Wholesale and Specialist, TISA’s Operational Resilience Forum

The FCA operational resilience framework applies to banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, enhanced scope SMCR firms, and entities that are authorised and registered under the Payment Services.

If you fall under one of these categories, you should now have an operational resilience strategy in place that meets the new requirements.

Building your operational resilience strategy

Considering all of the above, what steps should you have taken to ensure that your firm strengthens its operational resilience to meet the FCA’s framework?

  • First, identify your important business services. Which services, if disrupted, could cause severe damage?
  • Set impact tolerances, so that you can plan what actions are needed to stay within them.
  • Spot vulnerabilities in your operational resilience. It is important that you learn from any operational disruptions.
  • Carry out appropriate mapping and testing. At present, this only needs to be conducted to a level that enables you to properly perform the previous steps.
  • Regularly update your operational resilience self-assessment; the FCA may ask to see this document at any time.
  • Put a robust communication plan in place, so that you are prepared for adverse scenarios and can minimise further disruption if risk occurs.
  • At least once a year, or when there is a significant change in your organisation or the market, review your important business services and impact tolerances. Update these as required, so that nothing is missed.
  • Take all possible actions to ensure you remain within the impact tolerances for each important business service.

Operational risks are constantly evolving. With Covid-19 and the rise in cyber-attacks, the past couple of years have made this clearer than ever. It is no wonder, then, that the regulators have introduced this operational resilience framework to help firms in the financial sector prepare for the worst. One firm that did successfully prepare for the worst is the Admiral Group.

Now you have a better understanding of the FCA operational resilience policy, download our free e-book to discover a great example of operational resilience: the Admiral Group's response to Covid-19.

Reed Smith LLP

3 June 2020 Reed Smith Client Alerts

Resilience and recovery – effective contingency planning

As financial institutions continue to respond to the challenges posed by COVID-19, the Financial Conduct Authority (FCA) has set out its expectations of how firms should be managing their business from a business continuity, operational resilience and recovery and resolution perspective. In addition, the FCA has required certain firms to submit copies of their business continuity plan (BCP), operational resilience framework (ORA) and recovery and resolution plan (RRP) (together, the contingency plans) for review.

In previous statements, the FCA emphasised the importance of proper planning, constant monitoring, quick reactions and proactive remediation in the event of business disruption and it is clear that they expect firms’ contingency plans to be capable of dealing with any future developments in the COVID-19 situation. Therefore, firms should be reviewing and updating their contingency arrangements to ensure that they are not only fit for the current climate but stand up to potential regulatory scrutiny.

This alert highlights some of the issues that firms should consider when reviewing and updating their contingency plans.

Authors: Howard Womersley Smith, David Calligan, Bhav Panchal, Sophie Davis


The requirement to maintain and update BCPs has been woven into various aspects of regulation and has typically formed one of the key supervisory pillars by which regulators such as the FCA monitor the ability of a firm to withstand adverse events.

The FCA expects the BCP to address a variety of topics, covering: resource requirements, recovery priorities for each of the firm’s operations, stakeholder communications plans, escalation and invocation plans, the integrity of management information, and regular BCP testing. Factors that firms should take into account when reviewing, updating and implementing their BCPs include:

  • Has the firm drafted and implemented a BCP?
  • Has the firm identified all of its business resources and assets that need to form the subject of, or be included in, the BCP? Resources would include staff, real estate, technology, business lines and control functions.
  • Has the BCP been reviewed by the board during the COVID-19 period?
  • Have adequate reporting lines been set up to support the provision of management information in a timely and effective manner? How are these to operate in times of remote working?
  • Have any barriers arisen that have impeded the firm’s ability to prudently and efficiently implement the BCP during the COVID-19 period? 
  • Does the firm’s BCP account for both short-term and long-term impacts? For instance, does the BCP address extended periods of working from home?
  • Are senior management and other members of staff aware of their responsibilities under the BCP? Does the BCP account for senior management and staff absences?
  • Are reportable events (e.g., potential breaches of FCA rules) and reporting lines identified such that management are aware of the circumstances, timeframes and methods in and by which to engage openly and honestly with regulators?
  • Can the firm identify in short order impacted customers and third parties (whether service providers or otherwise) and is there a communications plan to engage with them?
  • Has the firm assessed the impact of business disruption on customers and is it clear that the relevant contingency measures are appropriate to meet the firm’s obligations towards clients? For instance, can the customer access the firm’s switchboards in a fair timeframe when staff employed to operate those switchboards are working from home?
  • Would the firm’s testing methodology to date be robust in replicating disruption scenarios? As an example, has testing included extended periods of working from home, and ensuring that both operating systems and control functions are effective in these circumstances?
  • Have senior management and staff been trained in what to expect, and what is expected of them, in executing the BCP? Have changes to the BCP been communicated to staff? 

Supplementing the high-level requirements of BCPs are more specific requirements relating to ensuring the integrity and continuity of outsourced services, whether they are critical, important or non-critical. Both the FCA and European Banking Authority (EBA) have issued detailed guidance in this area, which firms should take into account, particularly considering that firms remain responsible for the provision of the services they outsource. Issues to address include:

  • Has the firm performed a business impact analysis that analyses exposures to a broad range of disruption, ranging from minor impacts on certain areas to severe impacts on multiple operational areas?
  • Have business functions and their supporting processes, third parties and information assets, as well as the interdependencies of these, been mapped?
  • Have any contingency plans been approved by relevant management stakeholders and is there a record of each stakeholder considering interdependencies between their area of responsibility and others?
  • What are the potential impacts on confidentiality, and data integrity and availability, and have these been quantitatively and qualitatively assessed?
  • Are there clear recovery timeframes pegged to the BCP for each operation?
  • Is the BCP available on a system that is physically separated and readily accessible in case required?
  • Are there effective communication lines between the senior management at the firm and those of the supplier? Are there robust and practical monitoring arrangements in place so the firm can ensure the proper provision of the outsourced service?
  • Are suppliers to whom the firm has outsourced material functions aware of their obligations to deal in an open and cooperative manner with the firm’s regulators (this is particularly relevant for third country service providers)? Does the supplier contract reflect this and any other regulatory obligations? Do outsourcing agreements and service-level agreements set out risk-mitigating measures to be taken by either side?
  • Has the firm identified intragroup arrangements within its control and supervision, and how has the firm dealt with the unavailability of those services, both for itself and reliant group entities?
  • Does the BCP envisage that a service provider is unable to meet its obligations and does it take into account wider impacts to providers in that industry, such that alternative arrangements would need to be made?
  • Has the firm learnt of any additional material outsourcing arrangements from its COVID-19 response? Has the FCA been made aware of this?

Where operational resilience differs from BCPs and RRPs is that it is more focused on the broad impact on customers and financial stability, rather than business continuity and operational continuity in resilience. The FCA and Prudential Regulation Authority’s consultations on operational resilience provide an insight into the themes regulators will be focusing on in a firm’s contingency planning going forward, as well as the process by which they expect firms to follow in creating a living, breathing contingency framework. While they may still be in the consultation stage (the consultation deadline has been extended to 1 October 2020) regulators are likely to take account of the principles established in their consultation when reviewing firms’ BCPs and RRPs during the COVID-19 period. Notably, the FCA will expect firms to invest in and address any weaknesses, vulnerabilities or deficiencies, with the aim of improving contingency plans overall.

Issues that firms may wish to consider in the context of operational resilience include:

  • Can the firm identify important business services by reference to a wide range of factors, including: the nature of the client base, the ability of clients to obtain the service from elsewhere, time criticality for clients in receiving the service, the number of clients receiving the service, and the ability of the service to inhibit the functioning of the UK’s financial system?
  • Is the information to make this assessment readily available to the firm?
  • Can the firm identify and express clearly the first point at which likely disruption to each important business service might cause intolerable levels of harm to its clients or market integrity? 
  • What arrangements can the firm point to in order to demonstrate that it is able to operate within its impact tolerances? 
  • Can the firm justify its assessment that the impact tolerances considered are not excessively high?
  • Does the firm currently have enough information to map out a complete view of its resilience? For instance, can it identify and document the people, processes, technology, facilities and information that deliver each of its important business services? 
  • Is there a corresponding plan in respect of each area?
  • Can the firm point to clear and wide-ranging scenarios in which it will test its systems? 
  • Do such scenarios consider disruptions such as: corruption, deletion or manipulation of data critical to the delivery of their important business services; unavailability of facilities or key people and critical third party services providers; disruption to other market participants; and loss or reduced provision of technology underpinning the delivery of important business services? 
  • The FCA’s proposals also require firms to conduct ‘lessons learned’ exercises. To this end, is the firm collating those lessons as they respond to current circumstances, and is a plan in place to address those lessons? 
  • Can the firm identify a documented communications strategy for its range of stakeholders, both internal and external?
  • Can the firm evidence that its contingency planning has been approved by senior management and that it has devoted adequate time to it to establish the business and risk strategies and the management of the main risks relevant to operational resilience? 
  • Are there clear lines of responsibility for the management of operational resilience in line with the Senior Managers and Certification Regime?

As you can see, the regulators’ key proposals intend to provide more clarity and structure over a firm’s contingency arrangements and dovetail with the firm’s existing BCP obligations.

Completing a firm’s contingency matrix is the RRP required to be prepared by banks and larger investment firms, being investment firms subject to an initial capital requirement of €730,000 – i.e., UK IFPRU 730K firms. They set out what the firm would do in, or prior to becoming subject to, stressed circumstances that would affect the ability of the firm to carry on all or a significant part of its business. Whilst there will evidently be overlap between the considerations to be made when updating BCPs, RRPs have an additional granular focus on the financial recovery of the firm.

RRPs need to be periodically reviewed and submitted to regulators and so it is important to ensure their appropriateness and relevance. This is particularly pertinent given the changes to a firm’s business or financial situation that may have arisen as a result of COVID-19, and the lessons learnt from the firm’s response. Issues that firms should be considering when reviewing and updating their RRPs include:

  • Does the RRP address newly identified stress scenarios and circumstances, and adverse events that have had a material impact on the firm’s business?
  • Has the firm discovered any additional critical services and functions that it had previously not considered critical?
  • What additional actions should be taken to ensure the viability and availability of technological systems and services? Do the firm’s current outsourcing relationships and contractual terms (discussed above) help or hinder this?
  • Are the governance arrangements in place sufficient to provide management with requisite information in a timely manner so that they can consider viable recovery options? This may include ensuring that the composition of response teams and committees is appropriate and covers relevant areas of the business. 
  • Does the recovery strategy account for the proposed capital and liquidity arrangements of the firm? To what extent will the availability of capital instruments be impacted and in what circumstances?
  • Has the firm identified any material impediments that would impact its ability to execute its RRP? How does it propose to overcome them?
  • Have all necessary preparatory measures been taken to implement the RRP within the firm, such that there are no internal barriers to executing the plan, if required?
  • Are there any additional events that the firm has identified that may bring about the requirement to execute its RRP? Have these been identified clearly?
  • Have all necessary stakeholders in a stressed scenario been identified and does the plan set out the method, frequency and strategy for engaging with those stakeholders? Stakeholders would include staff, regulators, group entities, outsourcing providers, other third party providers and any other external stakeholder that may be relevant to the firm’s business.
  • Does the plan account for impacts to third party service providers and infrastructure and how continuity of services can be ensured from the firm’s perspective in these circumstances? 
  • Have assets and operations been identified that are capable of disposal, and have contingency arrangements been devised to replace any disposed items where these are important to business continuity? Is there an agreed-upon valuation method for proposed disposal assets and operations that would be deployed in a timely manner, if needs arise?
  • Has the firm reviewed the periodic and prescribed information required from resolution authorities and is it in a position to gather the data efficiently? 

The EBA has recently issued a report on the inherent interlinkage between the content of recovery plans and the resolution plans which are prepared by resolution authorities on the basis of information provided by firms. Firms should be aware of this interlinkage and the best practices set out in the EBA’s report. The fact that recovery and resolution plans exist on a continuum means that firms should ensure consistency both in the recovery plans they prepare and the information they provide to resolution authorities. 

In a time where business interruption may be more widespread, unforeseen, and yet frequent, it will be important to ensure that the myriad requirements for continuity plans are comprehensive, robust and stress tested.

Firms should continue to monitor developments and statements from regulators in relation to continuity plans during this period of uncertainty.  If you have any questions or concerns, please get in touch with your usual contact at Reed Smith. 

Our Reed Smith Coronavirus team includes multidisciplinary lawyers from Asia, EME and the United States who stand ready to advise you on the issues above or others you may face related to COVID-19.

For more information on the legal and business implications of COVID-19, visit the Reed Smith Coronavirus (COVID-19) Resource Center or contact us at [email protected] .

Client Alert 2020-358

Share Tools

  • Share on Facebook
  • Share on LinkedIn
  • Share via Email
  • Print This Page

You May Be Interested

IMAGES

  1. The FCA Business Plan: What You Need to Know

    fca business plan outsourcing

  2. Making Sense of the FCA Business Plan

    fca business plan outsourcing

  3. Your complete guide to the FCA’s Business Plan 2023/24

    fca business plan outsourcing

  4. Overview: The FCA Business Plan 2023/24

    fca business plan outsourcing

  5. FCA Business Plan and Priorities

    fca business plan outsourcing

  6. Free FCA Regulatory Business Plan Template

    fca business plan outsourcing

VIDEO

  1. 10 साल से काम कर रहे कच्चे कर्मचारियों को पक्का करने पर विचार करे सरकार कोर्ट ने कहा

  2. Audiencia del Plan de Desarrollo y Plan Plurianual de Inversiones 2024-2027

  3. টাকা ইনকাম করার সহজ উপায় 2024

  4. The Marketing Budget: Planning for Growth Amid a Shifting Economy

  5. Economic Trouble Ahead: Understanding Prices, Recession, and Fed's Choices!

  6. APS( CPT) Topic 1- Microsoft Word in detail, Army public school interview CPT

COMMENTS

  1. Outsourcing and operational resilience

    The EBA outsourcing guidelines (EBA/GL/2019/02) apply to credit institutions and investment firms subject to the EU Capital Requirement Directive (2013/36/EU). These are banks, building societies and IFPRU investment firms as defined in our Handbook. The Guidelines also apply to payment institutions and electronic money institutions.

  2. Business Plan 2024/25

    In 2024/2025, our annual funding requirement (AFR) is £755.0m, an increase of 10.7%. The funding includes: our ongoing regulatory activities (ORA) budget, and. the costs of exceptional projects we need to recover for changes to our regulated activities and new initiatives.

  3. SYSC 13.9 Outsourcing

    remedial action and escalation processes for dealing with inadequate performance. SYSC 13.9.7 G 31/12/2006 RP. In some circumstances, a firm may find it beneficial to use externally validated reports commissioned by the service provider, to seek comfort as to the adequacy and effectiveness of its systems and controls.

  4. PDF Chapter 8 Outsourcing

    SYSC 8 : Outsourcing Section 8.1 : General outsourcing requirements 8 8.1.9 R 8.1.10 R 8.1.11 R 8.1.11A G 8.1.12 G 8.1.13 R Release 37 Jun 2024 www.handbook.fca.org.uk SYSC 8/5 (7) thefirmmust be able to terminate the arrangement for the outsourcingwhere necessary without detriment to the continuity and quality of its provision of services toclients; (8) the service provider must co-operate ...

  5. Business Plan 2023/24

    Our AFR for 2023/24 is £684.2m, an increase of 8.5%. Our AFR includes our ORA budget, Future Regulatory Framework, Transformation, our Consumer Harm Campaign, and the costs we need to recover for changes to our regulated activities, i.e. scope change, which includes increased responsibilities for the FCA.

  6. SYSC 8.1 General outsourcing requirements

    The application of SYSC 8.1 to relevant services and activities (see SYSC 8.1.1 R (1)) is limited by SYSC 1 Annex 1 (Part 2) (Application of the common platform requirements). SYSC 4.1.1 R requires a firm to have effective processes to identify, manage, monitor and report risks and internal control mechanisms.

  7. PDF FG16/5 Guidance for firms outsourcing to the 'cloud' and ...

    Financial Conduct Authority Page 4 of 18 Finalised guidance Cloud computing 3.3 As noted above, the term 'cloud' encompasses a range of different IT services. Each service has features and risks associated with it, and it is for firms to consider which outsourcing option is the best fit for their business. From a regulatory perspective, the

  8. FG16/5: Guidance for firms outsourcing to the 'cloud' and ...

    We published the final guidance (FG16/5) in July 2016. Our finalised guidance is relevant to firms who are interested in outsourcing to the cloud and other third party IT services. It may also be of interest to third party IT providers (including cloud providers), trade associations and consumer groups, law firms and other advisers, and ...

  9. PDF Chapter 8 Outsourcing

    SYSC 8 : Outsourcing Section 8.3 : Guidance on outsourcing portfolio management for retail clients to a non-EEA State 8 SYSC 8/4 www.handbook.fca.org.uk Release 21 Nov 2017 (2) The outsourcing agreement should require the service provider to provide the firm's offices in the United Kingdom with all requested information required to meet the firm's regulatory obligations.

  10. FCA Business Plan and 'Dear CEO' Letter Set Out Updated Priorities for

    In March 2024, the Financial Conduct Authority (FCA) released two documents with its updated supervisory approach for the asset management and alternatives sector: the FCA's 2024/25 Business Plan (the Business Plan), and a "Dear CEO" letter titled "Our Asset Management & Alternatives Supervisory Strategy - interim update" (the Dear CEO Letter).

  11. SYSC 8.1 General outsourcing requirements

    SYSC 8.2.1 R 01/04/2013. (1) In addition to the requirements set out in the MiFID outsourcing rules, when a MiFID investment firm outsources the investment service of portfolio management to retail clients to a service provider located in a non-EEA state, it must ensure that the following conditions are satisfied:

  12. PDF Operational Resilience, Outsourcing and Third Party Risk Management

    On 29 March 2021 the FCA and PRA released their finalised policy statements, near final rules, and, in the case of the PRA, a supervisory statement and statement of policy on operational resilience. The PRA has also released its finalised policy and supervisory statement on outsourcing and third party risk management.

  13. PDF FCA on outsourcing are you prepared for when it goes wrong

    • The FCA published the findings of its supervisory review on outsourcing in the life insurance sector on 4 March 2020. • The review looked at a sample of life insurers' systems and controls for managing outsourced service providers (OSPs), focusing on exit planning, business continuity planning, and governance, systems and controls.

  14. FCA guidance for firms outsourcing to the cloud

    The FCA defines outsourcing as a third party delivering services on behalf of regulated firms, and the term 'cloud' includes different IT services supplied over the Internet. The benefits of outsourcing include cost efficiency, flexibility and increased security. However, there are also associated risks such as the customer's lack of control ...

  15. Key takeaways from the FCA's Business Plan for 2023/24

    The 13 commitments under the 2023/24 Business Plan are set out below, with the first four commitments being of the greatest priority: Preparing financial services for the future. Putting consumers' needs first. Reducing and preventing financial crime. Strengthening the UK's position in global wholesale markets.

  16. Dentons

    The continuing regulatory focus on this area is borne out further by the emphasis on operational resilience as a cross-sector priority in the FCA's recently published Business Plan for 2019/20 and the Final Notice issued jointly by the PRA and FCA to Raphaels Bank on 30 May 2019 for failing properly to manage outsourcing arrangements between ...

  17. FCA updates outsourcing and operational resilience webpage

    On 6 May 2021, the FCA updated its webpage regarding outsourcing and operational resilience. The FCA has added to the bottom of the webpage a new section entitled 'Who the EBA outsourcing guidelines apply to'. Among other things this new section explains that: The FCA notified the European Banking Authority (EBA) that it would comply with ...

  18. FCA operational resilience guidelines: an overview

    The FCA operational resilience guidelines: an overview. Abbie Glossop May 05, 22. Released in March 2021, the FCA operational resilience policy provides a framework for financial services firms to strengthen their resilience against operational disruptions. To do this, the policy required firms to establish robust plans for 'severe but ...

  19. Resilience and recovery

    As financial institutions continue to respond to the challenges posed by COVID-19, the Financial Conduct Authority (FCA) has set out its expectations of how firms should be managing their business from a business continuity, operational resilience and recovery and resolution perspective. In addition, the FCA has required certain firms to submit ...

  20. FCA increases its focus on Outsourcing

    The FCA is turning its spotlight back to outsourcing, as well as continuing its focus on FinTech, according to its Business Plan 2018/9, published today, 9 April. Each year the FCA publishes its ...

  21. PDF Chapter 8 Outsourcing

    SYSC 8 : Outsourcing Section 8.1 : General outsourcing requirements 8 8.1.9 R 8.1.10 R 8.1.11 R 8.1.11A G 8.1.12 G Release 37 Jun 2024 www.handbook.fca.org.uk SYSC 8/5 (6) the service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and

  22. FCA sets out business plan, launches TechSprint on greenwashing

    Business Plan 2023-24. The FCA business plan is focused on work in four key areas related to preparing financial services for the future, putting consumer needs first, reducing and preventing financial crime, and strengthening the position of the UK in the global wholesale markets. To deliver on the commitments, the business plan sets out the following: