
Operational Resilience for Payment Firms: Meeting FCA Expectations in 2026

Regulatory Counsel · March 2026 · 8 min read

Key Takeaways

  • The FCA expects all payment institutions to have identified their important business services, set impact tolerances and tested their ability to remain within those tolerances.
  • Important business services for payment firms typically include payment processing, safeguarding operations, customer onboarding and complaints handling.
  • Impact tolerances must be expressed in measurable terms — for example, maximum acceptable downtime for payment processing before customer harm occurs.
  • Scenario testing must cover realistic severe scenarios including cyber attacks, critical third-party failures and technology outages.
  • Firms must map their end-to-end process for each important business service, identifying all dependencies including third-party providers, technology systems and people.

Operational resilience has moved from a forward-looking regulatory concept to a live compliance obligation. The FCA's operational resilience framework, implemented through PS21/3, requires firms to identify their important business services, set impact tolerances and demonstrate that they can remain within those tolerances during severe disruption. For payment institutions, whose services are critical to customers and the wider economy, operational resilience is a regulatory priority. This article provides practical guidance for payment firms on meeting the FCA's expectations.

What Is Operational Resilience?

Operational resilience is the ability of a firm to prevent, adapt, respond to, recover and learn from operational disruptions. Unlike traditional business continuity planning, which focuses on recovering from incidents, operational resilience focuses on ensuring that important business services continue to be delivered to customers within acceptable parameters during and after disruption.

The FCA's framework is built on three pillars: identifying important business services, setting impact tolerances, and testing the firm's ability to remain within those tolerances.

Identifying Important Business Services

An important business service is a service provided by the firm to an external party (customers, market participants, the firm's counterparties) where disruption could cause intolerable levels of harm. For payment institutions, important business services typically include:

  • Payment processing — the execution of customer payment transactions
  • Safeguarding operations — the receipt, segregation and reconciliation of customer funds
  • Customer onboarding — the ability for new customers to open accounts and begin using services
  • Complaints handling — the ability for customers to raise and resolve complaints
  • Regulatory reporting — the ability to submit required regulatory returns

Firms should assess each service based on the potential harm that disruption could cause to customers, market integrity or the firm's own financial stability.

Setting Impact Tolerances

Impact tolerances define the maximum tolerable level of disruption to an important business service. They must be expressed in measurable terms — typically in terms of time, but potentially also in terms of the number of affected customers or the financial value of transactions impacted.

For payment processing, an impact tolerance might be expressed as: "Payment processing must be restored within 4 hours of a disruption, with no more than 2% of daily transaction volume affected." The specific tolerance will depend on the nature of the payment services provided, the customer base and the availability of alternative payment mechanisms.

Scenario Testing

Firms must conduct scenario testing to assess whether they can remain within their impact tolerances during severe but plausible disruption scenarios. Relevant scenarios for payment firms include:

  • A cyber attack that disables the firm's core payment processing platform
  • Failure of a critical third-party service provider (banking partner, technology vendor, cloud infrastructure provider)
  • A major technology outage affecting multiple systems simultaneously
  • Loss of access to a safeguarding bank account
  • A sudden surge in transaction volumes beyond normal capacity

Scenario testing should involve all relevant teams — technology, operations, compliance, senior management — and should produce documented findings, identified vulnerabilities and remediation plans.

Third-Party Dependency Management

Payment firms are heavily dependent on third-party service providers — banking partners, technology platforms, cloud infrastructure providers, AML screening tools and customer verification services. The FCA expects firms to map these dependencies for each important business service, assess the risk of each dependency, and implement appropriate mitigations (contractual protections, alternative suppliers, manual fallback processes).

The FCA's Critical Third-Party regime, implemented through PS24/16, adds further obligations for managing relationships with third parties designated as critical by the regulators. While the CTP regime applies directly to the third parties themselves, firms using CTP-designated providers should understand the regulatory framework and their own obligations in relation to third-party risk management.

What Firms Should Do Now

  1. If you have not yet identified your important business services, do so immediately.
  2. Set measurable impact tolerances for each important business service.
  3. Map end-to-end processes including all dependencies and potential points of failure.
  4. Conduct scenario testing against realistic severe disruption scenarios.
  5. Develop and test remediation plans for identified vulnerabilities.
  6. Ensure the board receives regular reporting on operational resilience.

Regulatory Counsel advises payment firms on operational resilience framework development, impact tolerance setting, scenario testing and third-party risk management. Contact us for a free initial consultation.

Frequently Asked Questions

Services provided to external parties where disruption could cause intolerable levels of harm — typically including payment processing, safeguarding operations and customer onboarding for payment firms.

The maximum tolerable level of disruption to an important business service, expressed in measurable terms such as maximum acceptable downtime.

At least annually, and following any significant changes to the firm's technology infrastructure, third-party arrangements or business model.

The CTP regime applies directly to designated critical third parties, not to the firms using them. However, payment firms must manage third-party dependencies as part of their own operational resilience framework.
