
Navigating Operational Resilience: A Comprehensive Guide for UK Payment Institutions

Regulatory Counsel · March 2026 · 15 min read

Key Takeaways

  • Operational resilience is about preventing, adapting, responding to, recovering from, and learning from operational disruptions and is a key FCA priority.
  • Payment Institutions must identify important business services, set impact tolerances, and continuously test their resilience capabilities.
  • The FCA’s expectations are primarily laid out in PS21/3, SYSC 15A, and the Payment Services Regulations 2017.
  • Effective scenario testing, clear communication plans, and robust recovery strategies are crucial for compliance.
  • Boards and senior management bear ultimate responsibility for their firm’s operational resilience framework.

What are the FCA’s Operational Resilience Requirements for Payment Institutions?

The Financial Conduct Authority’s (FCA’s) operational resilience requirements for Payment Institutions are designed to ensure that firms can prevent, adapt to, respond to, recover from, and learn from operational disruptions, thereby protecting consumers and market integrity. These requirements largely stem from PS21/3: Building operational resilience, which finalised new rules and guidance on operational resilience, primarily impacting firms falling under the scope of SYSC 15A. For Payment Institutions specifically, while SYSC 15A applies, a broader understanding of resilience expectations also arises from the Payment Services Regulations 2017 (PSRs 2017), particularly requirements related to security, incident reporting, and business continuity.

The core objective is to ensure that firms can continue to deliver their "important business services" within "impact tolerances" even during severe but plausible disruption. This goes beyond traditional business continuity planning, which often focuses solely on the firm’s survival, to explicitly prioritise the continued provision of services to customers. The FCA expects firms to:

  • Identify important business services: These are services whose disruption would be likely to cause intolerable harm to consumers, market integrity, or financial stability, or threaten the firm’s viability. Payment Institutions must carefully consider all aspects of their payment processing, account information services, and payment initiation services when identifying these.
  • Set impact tolerances: For each important business service, firms must set maximum tolerable levels of disruption, defining the specific metrics (e.g., maximum outage time, maximum data loss) that would cause unacceptable harm. These tolerances must be realistic and reflect the harm that would be caused at different levels of disruption.
  • Map resources: Firms must map the people, processes, technology, facilities, and information that support the delivery of each important business service. This mapping exercise is critical for understanding dependencies and potential single points of failure.
  • Perform scenario testing: Firms are required to regularly test their ability to remain within their impact tolerances during severe but plausible disruption scenarios. These scenarios should be challenging and reflect a range of threats, including cyber-attacks, IT failures, loss of key personnel, and third-party outages. The testing regime should be rigorous and adaptive, learning from each exercise.
  • Communicate and learn: Effective internal and external communication strategies are vital during and after a disruption. Firms must establish clear reporting lines and ensure that lessons learned from incidents and tests are thoroughly analysed and used to enhance resilience.

The FCA’s stance is one of proactive supervision, expecting firms not merely to comply with the letter of the law, but to embed a culture of resilience throughout their organisation. Non-compliance can lead to significant regulatory action, given the critical role Payment Institutions play in the economy.

Who is affected by Operational Resilience Requirements and What are the Key Regulations?

The operational resilience requirements primarily affect all firms subject to SYSC 15A, which includes most Payment Institutions authorised and regulated by the FCA. Specifically, this encompasses:

  • Authorised Payment Institutions (APIs)
  • Small Payment Institutions (SPIs), to a degree, though proportionality applies
  • Electronic Money Institutions (EMIs), both authorised and small
  • Other firms designated by the FCA or PRA

While SPIs and Small EMIs are generally subject to a more proportionate regulatory regime, the FCA’s overarching expectation for operational resilience applies, especially concerning the protection of client funds and the continuity of payment services. The principle of proportionality means that the complexity and scale of an SPI’s operational resilience framework should be commensurate with its size, nature, and systemic importance. However, the fundamental responsibility to ensure the continuity of important services remains.

The key regulations underpinning operational resilience for Payment Institutions in the UK are:

  • PS21/3: Building operational resilience: This Policy Statement formalised the FCA’s final rules and guidance on operational resilience, amending the FCA Handbook.
  • SYSC 15A: Operational Resilience: This chapter of the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook sets out the explicit rules and guidance for firms regarding their operational resilience framework, including the identification of important business services, setting of impact tolerances, and mapping requirements.
  • The Payment Services Regulations 2017 (PSRs 2017): While not exclusively focused on operational resilience, the PSRs impose several requirements that are directly relevant, including:
  • FCA ‘Dear CEO’ Letters and publications: The FCA frequently issues letters and thematic reviews that highlight specific expectations or areas for improvement regarding operational resilience, acting as important guidance for firms to consider. For example, letters often remind firms of the importance of managing third-party risks or cyber resilience.

It is crucial for Payment Institutions not to view operational resilience as a separate, standalone exercise but as an integrated component of their overall risk management and governance framework. The interconnectedness of these regulations means that compliance with one often supports compliance with others.

What Steps Should Payment Institutions Take to Implement an Effective Operational Resilience Framework?

Implementing an effective operational resilience framework requires a structured approach and continuous commitment from Payment Institutions. Here are the crucial steps:

  1. Establish Robust Governance and Oversight:
  2. Identify Important Business Services and Set Impact Tolerances:
  3. Map Resources and Dependencies:
  4. Perform Rigorous Scenario Testing:
  5. Develop Communication and Learning Strategies:

By following these steps, Payment Institutions can build a robust and adaptive operational resilience framework that not only meets regulatory expectations but also strengthens the firm’s ability to serve its customers reliably and securely.

What are the Supervisory Expectations and Enforcement Implications?

The FCA’s supervisory expectations for operational resilience are high, reflecting the critical importance of continuous financial services delivery. The regulator expects Payment Institutions to move beyond a mere "tick-box" compliance exercise and to embed operational resilience into the firm’s culture, strategy, and daily operations.

Key supervisory expectations include:

  • Proactive Engagement: Firms should proactively identify and address vulnerabilities, not just react to incidents. This involves continuous monitoring, risk assessment, and investment in resilience capabilities.
  • Demonstrable Understanding: The FCA expects firms and their senior management to have a deep and demonstrable understanding of their important business services, their dependencies, and the potential impact if they are disrupted. This includes understanding the results of scenario testing and the implications for impact tolerances.
  • Evidence of Improvement: Firms must be able to demonstrate that they are continuously improving their resilience capabilities based on lessons learned from incidents, near misses, and scenario testing. This means having a clear audit trail of actions taken and enhancements made.
  • Proportionality in Application: While the principles apply broadly, the FCA expects a proportionate approach. Smaller Payment Institutions will not be expected to have the same scale or complexity of framework as large, systemic banks, but they must still meet the fundamental objectives of identifying important services and maintaining resilience within impact tolerances.
  • Third-Party Oversight: Given the reliance of many Payment Institutions on third-party providers (e.g., for core banking systems, cloud infrastructure, payment gateways), the FCA places significant emphasis on firms’ ability to oversee the operational resilience of their critical third parties. This is clearly articulated in guidance related to outsourcing and third-party risk management.

Enforcement Implications: Failure to meet the FCA’s operational resilience requirements can lead to significant enforcement action. The FCA has a wide range of tools at its disposal, including:

  • Formal Requirements Notices: Mandating specific actions to address identified deficiencies.
  • Skilled Person Reviews (Section 166 reviews): Commissioning independent experts to report on a firm’s operational resilience.
  • Fines and Penalties: Significant financial penalties can be imposed for breaches of regulatory requirements. The FCA’s penalty regime aims to deter future non-compliance and can be substantial, reflecting the potential harm caused by disruptions.
  • Reputational Damage: Beyond formal enforcement, a firm’s reputation can be severely damaged by operational outages, leading to loss of customer trust and market share.
  • Withdrawal of Authorisation: In extreme or persistent cases of non-compliance, particularly where client money is at risk or the firm poses a systemic threat, the FCA has the power to withdraw a firm’s authorisation.

The FCA’s expectation is that operational resilience is not simply a compliance exercise, but a fundamental aspect of sound risk management and good corporate governance. Firms that embrace this philosophy will be better positioned to navigate the challenges of an increasingly complex and interconnected operational landscape.

How do Payment Institution Requirements Evolve with Digital Transformation and Emerging Technologies?

The Payment Institution sector is at the forefront of digital transformation, with rapid adoption of new technologies such as Artificial Intelligence (AI), Distributed Ledger Technology (DLT), and extensive use of cloud computing. These advancements profoundly impact operational resilience requirements, introducing both new opportunities and new risks.

  1. Cloud Computing Dependencies:
  2. Cyber Resilience:
  3. Artificial Intelligence (AI) and Machine Learning (ML):
  4. Distributed Ledger Technology (DLT) and Crypto Assets:
  5. Agile Development and Continuous Deployment:

In essence, digital transformation necessitates a dynamic and adaptable approach to operational resilience. Payment Institutions must constantly evaluate how new technologies impact their risk profile, update their mapping, and enhance their testing scenarios to reflect the evolving operational landscape. The FCA expects firms to innovate responsibly, with resilience built in from the design stage.

What are the Reporting and Disclosure Obligations for Payment Institutions?

Payment Institutions have several reporting and disclosure obligations related to operational resilience, designed to provide the FCA with oversight and transparency regarding a firm’s capabilities and any incidents that may occur. These obligations are critical for both supervision and for ensuring appropriate public disclosure where necessary.

  1. Incident Reporting (Regulation 98 PSRs 2017):
  2. Annual Self-Assessment (SYSC 15A.8):
  3. FCA Data Collection and Surveys:
  4. Public Disclosure (SYSC 15A.10):
  5. Information Sharing:

Effective reporting and disclosure are not just about meeting regulatory mandates; they are vital components of a mature operational resilience framework. They enable the FCA to monitor systemic risks, identify emerging threats, and provide sector-specific guidance, ultimately benefiting the entire financial ecosystem.

How Can Firms Prepare for an FCA Operational Resilience Audit?

Preparing for an FCA operational resilience audit, or any supervisory engagement, requires a structured and thorough approach that demonstrates the firm has effectively embedded resilience within its operations. The FCA will likely look for evidence beyond mere documentation; it wants to see resilience in action.

Here are key aspects Payment Institutions should focus on:

  1. Demonstrate Executive and Board Engagement:
  2. Comprehensive Documentation:
  3. Evidence of Regular Testing and Remediation:
  4. Third-Party Resilience:
  5. Incident Management and Communication:
  6. Cultural Embedding:

By meticulously preparing these elements, Payment Institutions can provide clear evidence of their commitment to and effectiveness in operational resilience, fostering a more positive engagement with the FCA. It is about proving not just that a framework exists, but that it is actively used, reviewed, and improved upon.

Frequently Asked Questions

The primary goal is to ensure Payment Institutions can continue to deliver their 'important business services' within defined 'impact tolerances' even in the face of severe but plausible operational disruptions, thereby protecting consumers and safeguarding financial stability.

Yes, SPIs generally need to comply, but the FCA applies a principle of proportionality. This means the complexity and scale of their operational resilience framework should be commensurate with their size, nature, and systemic importance.

An impact tolerance is the maximum tolerable level of disruption (e.g., maximum outage time, maximum data loss) that an important business service can endure before harm to consumers, market integrity, or financial stability becomes intolerable. It is not a target, but a boundary.

Firms are expected to regularly test their ability to remain within their impact tolerances during severe but plausible disruption scenarios. While the exact frequency can vary, key services and critical components should typically be tested at least annually, and more frequently where risks are higher.

Consequences can range from formal requirements notices and skilled person reviews to significant financial penalties, reputational damage, and, in severe or persistent cases, the withdrawal of a firm's authorisation by the FCA.
