FCA and PRA enforcement trends: operational resilience

Operational resilience is “the one to watch” for 2023. It has been a key focus in the UK for both the Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA) for a couple of years, and current market and geopolitical events have only intensified that focus.

New regulatory regime

In March 2021, the PRA and FCA published new rules aimed at building firms’ operational resilience. Firms should now have identified their important business services, set impact tolerances and identified vulnerabilities. Firms have until March 2025 to perform mapping and testing and effectively implement the rest of the rules. Like the consumer duty, these new operational resilience rules are a significant development and, for similar reasons, will come under intense scrutiny from the regulators over the next couple of years. Firms are exposed to two key enforcement risks. 

  • That the systems and controls they develop will prove inadequate. We can expect that, once the new rules come into effect, both the PRA and FCA will be looking for cases to bring that will enable them to send regulatory messages about their expectations of how firms should implement the new requirements.
  • That their implementation programme is found too slow or inadequate, or the regulators say that inaccurate information was communicated to them about the status of that programme, which we have seen alleged in the context of other significant regulatory change programmes. 

The new requirements may also prove to be an area where we see the regulators demonstrate their growing willingness to use intervention powers, for example if they identify significant deficiencies in a firm’s arrangements to ensure that it can remain within impact tolerances in relation to a key business service.

Third party service providers

Both regulators are concerned about the growing role that critical third-party service providers, including cloud service providers, play in the financial services sector. The Bank of England, PRA and FCA have jointly consulted on proposals to bring these critical third-party service providers within the regulatory perimeter. A further consultation is expected in 2023. The current proposals would enable the regulators to issue directions, appoint skilled persons and apply rules to these critical third-party service providers. If these proposals come into effect, they will significantly extend the powers of the regulators to take action against currently unregulated companies. 

Change management

At the end of 2022, the PRA and FCA collectively imposed fines totalling GBP 29.7 million on a firm in relation to weaknesses in the planning, management and execution of a significant IT migration project, which the regulators concluded led to the accumulation and mismanagement of “excessive operational risk”. While IT configuration, capacity and coding were identified as the direct causes of the issues encountered, the regulators considered that there had also been a number of failings at points throughout the migration programme, particularly in relation to planning, outsourcing, business continuity and incident management.

Sanctions and cyber security 

Other areas of operational resilience currently under scrutiny include sanctions and cyber security. 

  • In the case of sanctions, risks exist both in relation to ensuring compliance with new and existing sanctions imposed by the UK, U.S. and EU, and in relation to the adequacy of the systems and controls in place to spot, escalate, resolve and report issues.
  • Both the PRA and FCA have repeatedly warned of the increased risk of cyber attacks, particularly since the Russian invasion of Ukraine. Firms that suffer an attack and have not taken adequate steps to guard against the increased levels of risk are at significant risk of assertive enforcement action being taken against them. 

Both the PRA and FCA accept that operational risk will always exist, albeit that it should remain within clearly identified and agreed tolerance levels. With firms well warned of the increased risks arising from recent market and geopolitical events, and with the expectation that they will be on course to implement the FCA and PRA’s new rules, firms’ operational resilience plans are likely to be under intense regulatory scrutiny this year and beyond. This makes it all the more important to ensure these plans are adequately implemented, monitored and maintained.

This post is based on an article, “FCA and PRA Enforcement Action: Trends and Predictions”, which first appeared in the January/February edition of PLC Magazine. A copy of the full article is available here and on the PLC Magazine website.