How resilient are you? FCA surveys the payments sector with a lengthy questionnaire.

Posted on: 22 March 2023

Written by: John Burns

The FCA’s focus on customer protection and service, as evidenced by the new Consumer Duty, is being reinforced by their actions across the regulatory piece. This can be seen in the regulator’s interest in ensuring that key firms and sectors are operationally resilient and able to provide continuity of service to customers.

The FCA’s Business Plan for 2022/23 set out four “consistent topline outcomes” they are seeking to ensure, amongst which is “Access” defined as “Diverse consumer needs are met through (1) high operational resilience and (2) low exclusion.”

Readers may recall my commenting when the FCA’s Operational Resilience requirements were set out in their Policy Statement PS21/3 that the scope, being:

banks, building societies, designated investment firms, insurers, Recognised Investment Exchanges (RIEs), enhanced scope senior managers’ and certification regime (SM&CR) firms and entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017) or the Electronic Money Regulations 2011 (EMRs 2011),

bracketed the payments and E-money sector alongside the biggest banks, insurance companies and investment companies, whereas mid-sized and small FSMA firms escape the requirements. This is a function of the FCA’s belated recognition of the importance of the sector and the potential harm that can be caused by failure, as can be seen from the change in supervisory attitude and the renaming of the payments supervision department as “Payments Market Intervention”.

A phrase I often use is that payments is ‘the plumbing of financial services’ in that, just like plumbing, nobody takes much notice of it until it goes wrong, at which point it becomes the most important thing there is. A prime example of this was back in 2012, when the Royal Bank of Scotland had a failed software update, which they were unable to back out of and which caused them to be unable to make payments. According to Wikipedia:

“Completions of new home purchases were delayed, and some people were stranded abroad. Another account holder was threatened with the discontinuation of their life support machine in a Mexican hospital, and one man was held in prison.”

One can see how, with the FCA’s focus on protecting consumers, they are keen to avoid this sort of thing happening again. The requirement under the Operational Resilience regime to identify “intolerable harm” and time-based impact tolerances is evidence of how the FCA is looking to address the risk.

So, why am I rehashing all of this, which is hardly news? The answer is because I have sitting in front of me a 67-page, 111-question survey which the FCA is sending out to firms required to comply with the Operational Resilience requirements, which may land in readers’ inboxes in the near future. It is asking specifically about governance of Operational Resilience strategy, responsibilities, planning, staff awareness, oversight, checking of tolerances, documenting of evidence, integration into the ERM framework, interaction with Consumer Duty etc.

While I’m certain none of my readers would have just filed and forgotten the initial work done for Operational Resilience back in 2021, I’d urge all payments firms to review their arrangements to make sure that they are up to date and that their firm is in a position to respond quickly and positively to the survey.

Thematic work like this is usually followed by FCA targeted action, such as s165 letters. As a reminder of what the FCA expects, SYSC 15A.6.1R says:

“A firm must make, and keep up to date, a written record of its assessment of its compliance including, but not limited to, a written record of, and justification for:

  • Important business services identified by the firm.
  • The firm’s impact tolerances.
  • The firm’s approach to mapping under SYSC 15A.4.1 R.
  • The firm’s testing plan.
  • Details of the scenario testing carried out.
  • Any lessons learned exercise conducted.
  • Identification of the vulnerabilities that threaten the firm’s ability to deliver its important business services within the impact tolerances set, including the actions taken or planned.
  • Its communication strategy, including how it will reduce anticipated harm from operational disruptions.
  • The methodologies used to undertake the above activities.”

And SYSC 15A.6.2R says:

“A firm must retain each version of the records referred to in SYSC 15A.6.1R for at least 6 years and, on request, provide these to the FCA.”

I’d suggest that the issue of this survey indicates that the FCA may be requesting these records in the fairly near future, so making sure that you have them available would be a very sensible thing to do.

John B

John Burns

John is one of the UK’s foremost compliance experts in payment services, and he is Senior Advisor in our Payment Services Practice.

