Introduction

Operational Resilience is seen as one of the cornerstones of stability in the financial sector, ensuring that institutions and their suppliers can withstand, adapt to, and recover from disruptions in an increasingly connected and complex operational landscape. The mass closures and interruptions caused by COVID, other significant global events and economic shocks, and substantial IT disruption events such as the CrowdStrike outage have reinforced regulatory interest in the topic, which now appears on the priority list of the FCA and other regulatory bodies. 2025 is also set to be another year of significant regulatory implementation deadlines, from DORA to the UK Critical Third Party Regime.

This article is part of our series on Operational Resilience and sets out a very high level summary of the key points that institutions should be aware of in 2025 from a regulatory perspective and what you can do to be prepared.

Applicable regulatory frameworks

Operational Resilience in the UK has evolved significantly over the years. Initially, the focus was on outsourcing and risk management, as seen in SYSC 8 of the FCA Handbook. The introduction of MiFID II in 2018 further emphasised governance and risk controls, and in subsequent years a patchwork of rolling requirements has been issued by both the FCA and the PRA through various supervisory statements and policy statements, reinforcing the need for firms to ensure continuity of their important business services.

Operational resilience stretches across business functions and is a complex operational process, including planning, testing and practical analysis of the tolerance your business has to disruptive events. One area that is frequently overlooked, but is no less important a part of your Operational Resilience strategy, is the management of third party supplier relationships and their underlying contracts.

In the context of supply chain and third party relationships there are several existing regulatory frameworks (outlined above) which you need to consider, as well as two newer regimes which have recently come, or are shortly due to come, into force.

  1. DORA: Digital Operational Resilience Act

    • Objective: DORA aims to bolster the digital Operational Resilience of financial entities across the EU by establishing uniform requirements for ICT risk management, incident reporting, and third-party risk management. It seeks to create a harmonised framework that enhances the ability of financial institutions to withstand digital disruptions.

    • Application: Although primarily an EU regulation, DORA's principles are highly relevant for UK firms operating in the EU or serving EU clients. It has applied since 17 January 2025 and requires firms to implement comprehensive ICT risk management frameworks. Unlike previous regulations, DORA's contractual and risk-management requirements apply to all ICT third-party service providers a firm engages, not only those supporting critical or important functions (although heightened requirements apply to the latter).

    • Focus Areas: DORA covers a wide range of areas, including ICT risk management, incident reporting, and the oversight of critical ICT third-party service providers. It mandates that institutions have robust systems in place to detect, manage, and report ICT-related incidents promptly.


  2. PRA PS16/24 and FCA PS24/16: Operational Resilience for Critical Third Parties to the UK financial sector (CTPs)

    • Objective: These policy statements focus on ensuring the resilience of CTPs, emphasising their ability to continue supporting financial institutions during disruptions. They highlight the importance of these CTPs in maintaining the stability of the financial system.

    • Application: PS16/24 applies to third-party service providers deemed critical to the UK financial system. The rules require these providers to implement robust risk management and continuity planning measures. Specific implementation details and timelines are available on the Bank of England's website. The final rules for CTPs took effect from 1 January 2025, but the statutory obligations applicable to CTPs only apply once a provider is designated by HM Treasury; a newly designated CTP then has three months to submit a self-assessment to the regulators demonstrating its compliance, and must do so annually thereafter. At the time of writing no organisations have been designated, but we expect designations to follow soon as the UK seeks to align with global standards.

    • Focus Areas: The rules emphasise the need for CTPs to have strong risk management frameworks and continuity plans, so that they can continue to provide essential services to financial institutions even in the face of significant disruptions.

Do I need to worry?

The above is very high-level, and digging into the detail reveals a host of complex internal processes and external requirements with which both firms and suppliers will need to demonstrate compliance. If you are worried that you are out of time then rest assured: you may already be largely compliant if you have previously undertaken remediation projects to align with the EBA Guidelines on outsourcing (and the PRA's equivalent supervisory statement, SS2/21), summarised below:

  3. SS2/21: Outsourcing and Third Party Risk Management, implementing the EBA Guidelines on outsourcing

    • Objective: SS2/21 sets out the PRA's expectations for UK banks, building societies, and insurers regarding the management of outsourcing and third-party risks. It underscores the importance of robust governance, data security, and business continuity planning. Institutions are expected to have comprehensive frameworks in place to manage these risks effectively.

    • Application: This framework applies to PRA-regulated firms, requiring them to align their 'material' outsourcing arrangements with regulatory expectations by 31 March 2022. This includes ensuring that contracts are robust and that there are clear strategies for managing and mitigating risks.

    • Focus Areas: Key areas of focus include ensuring data security, establishing clear access, audit and information rights, and developing effective exit strategies. Institutions must ensure that they have the ability to continue operations without disruption, even if a third-party service provider fails.

Similarities across the regulatory landscape

Area               | EBA Outsourcing Guidelines (as implemented by SS2/21)        | DORA                                         | PS16/24 & PS24/16
-------------------|--------------------------------------------------------------|----------------------------------------------|------------------------------------------------
Governance         | Emphasises board responsibility and governance structures    | Requires governance frameworks for ICT risk  | Focuses on governance for critical third parties
Data Security      | Detailed data security requirements                          | ICT security measures and data protection    | Emphasises data security for third parties
Incident reporting | Requires reporting of incidents                              | Harmonised incident reporting framework      | Incident management for third parties
Third-party risk   | Comprehensive third-party risk management                    | Oversight of ICT third-party providers       | Focus on critical third-party resilience
Contracts          | Each of the above regimes has particular requirements which, with careful examination, can be written into contracts (e.g. Section 13 (Contractual phase) of the EBA Guidelines).

Conclusion

The regulatory landscape for Operational Resilience is complex but essential for maintaining stability in the financial sector. Compliance with the EBA/PRA guidelines and PS16/24 (as well as DORA where relevant to your business) is crucial for financial institutions and their suppliers, both to meet the necessary requirements and to avoid potential regulatory sanction. While the deadlines and requirements may seem daunting, they are designed to enhance the resilience and security of financial operations, and you may find that you already comply with many of them.

While it is ultimately the financial institutions who are responsible for assessing whether their Operational Resilience processes measure up to the new regulatory landscape, at TLT we are here to support you through this process. Whether you are a bank, building society or FinTech supplier, our team has the expertise and experience to help you navigate these regulations, improve your contracts and align your legal relationships and arrangements with them.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at April 2025. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Date published

01 April 2025
