The Financial Conduct Authority (FCA) has published supervisory observations from firms’ annual operational resilience self-assessments, almost a year after the end of the transition period on 31 March 2025, to reinforce ongoing compliance with its operational resilience rules and guidance. The FCA is engaging directly with firms in scope of the regime, while noting the observations may also be relevant to firms outside scope. The review covers banks, building societies, designated investment firms, enhanced scope Senior Managers and Certification Regime firms, Solvency II firms, UK recognised investment exchanges, electronic money institutions, payment institutions, registered account information service providers and consolidated tape providers. Across important business services, mapping, scenario testing, vulnerability management, communications and governance, the FCA points to stronger methodologies for defining services and calibrating impact tolerances, more detailed mapping and use of outputs to identify vulnerabilities, and broader scenario testing including cyber and third-party outages. Areas needing improvement include setting distinct impact tolerances for consumer harm and market integrity, mapping beyond technology to include people, processes, facilities and information, stronger evidence that testing is sufficiently severe when firms claim full recoverability, clearer end-to-end vulnerability remediation frameworks (including second and third line input), testing communications arrangements including loss of usual channels, and clearer board approval trails and ownership of remediation actions. In related joint material with the Bank of England and the Prudential Regulation Authority, the authorities also share effective practices for responding to and recovering from high-severity cyber disruption, including immutable back-ups, bare metal recovery in clean environments, prioritised restoration of critical data, segregated tertiary facilities, and contingency options where material third parties cannot provide equivalent resilience assurance. Firms are expected to reassess their ability to remain within impact tolerances annually, and the authorities indicate they will continue to request self-assessments periodically.
Financial Conduct Authority 2026-03-25
Financial Conduct Authority publishes post-transition findings from operational resilience self-assessments and highlights areas for firms to improve
The Financial Conduct Authority has published supervisory observations from firms’ annual operational resilience self-assessments to reinforce compliance with its framework, highlighting stronger practices and areas needing improvement in impact tolerances, mapping, scenario testing, vulnerability management, communications and governance. In related joint material with the Bank of England and the Prudential Regulation Authority, the authorities set out effective practices for responding to and recovering from high-severity cyber disruption and signal they will continue requesting periodic self-assessments as firms reassess their ability to remain within impact tolerances.