Understanding UK FCA and PRA Operational Resilience

This short article is designed to provide you with a high-level overview of the UK financial regulators requirements relating to operational resilience.

Seven dominos in a line
Dominos waiting to fall

In the UK, financial firms must comply with the regulatory frameworks by the Financial Conduct Authority (FCA) or the Prudential Regulation Authority (PRA) or both. The best place to start in terms of the operational resilience requirements are the rulebooks. Both regulators have them to meet their specific regulatory objectives.

Where to find the rule books: PRA rulebook & FCA rulebook

PRA rulebook

The PRA rulebook applies to PRA regulated firms. It’s primarily concerned with the stability of the UK financial system and a firm’s safety and soundness.  Just like the EU Digital Operational Resilience Act (DORA) it’s concerned with mitigating the risk of ‘cascade’ where a major firm takes out other firms that could then ripple through the UK and global financial systems knocking banks over like dominos.

The PRA requires firms to identify their ‘important business services’ and define a set of impact tolerances. These relate to services that if impacted could affect the stability of the UK financial system or the firm’s safety and soundness. The PRA also requires firms to consider the types of severe but plausible disruptions, how tolerances will be maintained, and testing conducted to demonstrate robustness or learn lessons.

Key requirements for PRA regulated firms:

  • have an internal governance and control framework that identified important business services, sets impact tolerances and manages risks
  • All dependencies must be mapped
  • Testing and lessons learnt to inform you and improve your judgement
  • Testing and controls to be proportionate to the complexity and size of the firm
  • Self-assessment to be carried out annually. This is bespoke based on your approach – you need to explain your internal governance and control framework then how you demonstrate compliance
  • Governance – Board to sign off on important business services, tolerances and the self -assessment conducted

FCA rulebook

The FCA rulebook applies to firms that are FCA regulated. Similar to the PRA rulebook firms need to identify ‘important business services’ – but the criteria here is greatly expanded. It includes harm to clients, number of clients affected, sensitivity of data, reputational damage, legal risk, conduct and market risk. We view this as a super-set of the PRA identified Important Business services.

Key requirements for FCA regulated firms are similar to the PRA but with more detail especially around scope of testing, frequency, corporate communication plans, inclusion of third-party providers, keeping good records, the role of the management body and regulatory reporting.

The section on testing is insightful as it provides different scenarios to be considered including:

  • Corruption and deletion
  • Unavailability
  • Third parties
  • Market participants
  • Loss of technology
  • When to carry out testing

Comparing FCA and PRA rulebooks with DORA

Both the PRA and FCA rulebooks on operational resilience are over 250 lines of text each with the EU DORA coming in at a hefty 1,200 lines. The PRA and FCA approaches are principles based which leaves a lot of responsibilities with firms to determine or describe how they comply. The EU DORA in contrast is much more prescriptive in most areas and therefore easier to demonstrate compliance. Which approach is best? Only time will tell. We like both for different reasons. The PRA and FCA for being pragmatic and the DORA for its practical method. Irrespective global financial entities are going to have to comply with both UK and EU regulations. In this regard we think they help to complement each other.

Conclusion: UK compliance with DORA as a benchmark

For UK firms struggling with the PRA or FCA requirements DORA can be a valuable benchmark. DORA helps outline and structure a good approach that can be tailored to meet the UK regulations.

About IT Security Locksmith

IT Security Locksmith specialises in board level training and consultancy.

To find out more about our capabilities please click here.

Our services page showcases the types of services we offer.

Click here to contact us for a no obligation initial consultation.