Having worked through the 73 responses to its consultation paper CP19/32 issued late last year, the FCA has published a policy statement, PS21/3, outlining its final rules on building operational resilience, which are due to come into force on 31 March next year.
Technically, these apply only to enhanced scope firms, but the FCA says both core and limited scope firms should regard them as guidance, noting that the impact of the pandemic has underlined the importance of firms understanding the services they provide and investing in their resilience.
Changes made in PS21/3 include allowing affected firms more time and flexibility around meeting mapping and scenario-testing requirements.
The new rules are set out in a 20-page Appendix to the 80-page policy statement. As previously noted, they come into force on 31 March 2022.
By that date, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption, and carried out mapping and testing to a level of sophistication necessary to do so – as well as identifying any vulnerabilities in their operational resilience.
As soon as possible after 31 March 2022, and no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service and made the necessary investments to enable them to operate consistently within their impact tolerances.
For further details on this story, or any compliance-related topic, contact our expert team on 01925 767888, or email email@example.com.