Operational Resilience – What’s the worst that could happen?

Posted on: 5 June 2024

Written by: John Burns

Payments, as I’m sure readers will have either read or heard me say before on numerous occasions, is the plumbing of financial services. Nobody pays it much attention when it is working OK, but when it goes wrong it causes major issues for everyone. The poster child for this view is the RBS computer failure in June 2012 (when I was at the FSA). To quote the Wikipedia entry about it:

“Completions of new home purchases were delayed, and some people were stranded abroad. Another account holder was threatened with the discontinuation of their life support machine in a Mexican hospital, and one man was held in prison. As a result of the error, RBS and NatWest announced that over 1,200 of their busiest branches would extend their hours throughout the week, including the bank's first Sunday opening, to enable affected customers to access cash. On Monday 25 June, over 1,000 branches opened for extended hours, and the number of phone staff was doubled to deal with customer queries.”

The disruption continued long into July and affected not just RBS Group customers, particularly those in Ireland, but also those at other Payment Service Providers (PSP) who were depending on funds expected from RBS. Not, I’m sure everyone will agree, a “good outcome” for customers, as is now required under the Consumer Duty.

Operational resilience

The FCA’s Policy Statement PS21/3 in 2022 introduced specific requirements around resilience for certain firms, including all Banks, Payment Institutions, E-Money Institutions and Registered Account Information Providers, recognising the potential impact of payments failures. The fact that all Payment Service Providers are included shows that the FCA recognise the potential for disruption to payments to cause major customer harm, as evidenced by the RBS failure.

Firms were required to have undertaken a number of actions by 31 March 2022, including mapping important business services (and the internal processes and resources that support them) and external providers to understand potential vulnerabilities. Firms were also required to set impact tolerances, defined as:

“The maximum tolerable level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics, reflecting the point at which any further disruption to the important business service could cause intolerable harm to any one or more of the firm’s clients or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.”

The FCA said that to identify intolerable harm, firms should have regard to various factors, such as:

  • The number and types (such as vulnerability) of consumers adversely affected, and nature of impact;
  • Financial loss to consumers;
  • Financial loss to the firm;
  • The level of reputational damage;
  • Impacts to market or consumer confidence;
  • Loss of functionality or access for consumers; and
  • Any loss of confidentiality, integrity or availability of data.

It is important to note that in this case “Consumers” includes corporate clients and wholesale market participants. As an aside, whenever you see “consumers” mentioned in any communication from the FCA, always double check what definition they are using in that particular case.

From 31 March 2025, the FCA expects firms to operate within their impact tolerances at all times, so having these tolerances spelled out as well as how the firm will ensure that they are met will be important.

As well as requiring firms to make these preparations, the FCA requires that scenario testing is carried out, saying:

“We expect that firms manage their business to ensure they can operate within tolerance at all times including during severe but plausible scenarios.”

And specifying (at SYSC 15A.5.6 G in the Handbook) that:

“A firm should, among other things, consider the following scenarios:

  • Corruption, deletion or manipulation of data critical to the delivery of its important business services;
  • Unavailability of facilities or key people;
  • Unavailability of third party services, which are critical to the delivery of its important business services;
  • Disruption to other market participants, where applicable; and
  • Loss or reduced provision of technology underpinning the delivery of important business services.”

SYSC 15A.6.1R then goes on to require that firms make, and keep up to date, a written record of compliance, which includes:

  • The firm's testing plan
  • Details of the scenario testing carried out
  • Any lessons learned exercise conducted

Firms must retain each version of the records referred to in SYSC 15A.6.1R for at least 6 years and, on request, provide these to the FCA.

What does this mean for firms?

The increased and increasing focus on operational resilience is likely to mean that the FCA will be more likely to ask firms for evidence of their preparations and, if a firm were to suffer a major failure, one of the first things the FCA would ask to see is whether and how the firm had complied with the testing and “lessons learned” requirements.

If this has not been done, or done in a slapdash manner without proper consideration of the risks and the potential for harm to customers, it would be seen as a significant governance failure. Such a failure would also be likely to be a breach of the Consumer Duty obligations on firms to address risks to good outcomes for customers.

This is clearly not somewhere that boards and senior management would want to be, but my feeling is that there may be a lack of awareness of these requirements in some firms in the payments and E-money sector and a “box ticking” approach by others, without really addressing the risks.

Given the FCA’s previously stated concerns about governance and the understanding of risk amongst payments and E-money businesses, it is important that boards and senior management make sure that they are taking a holistic view of the risks so that firms’ Consumer Duty and Operational Resilience requirements are considered together rather than in a siloed manner. Again, showing your workings and evidencing that you have done what is required is vital. If you don’t, you could end up like this, one of my favourite cartoons by the late Ray Lowry (this one from Punch).

John B

John Burns

John is one of the UK’s foremost compliance experts in payment services, and he is Senior Advisor in our Payment Services Practice.
