By Frank Brown of GRR Consulting
The FCA/PRA/BoE Operational Resilience rules came into force on 31 March 2022, with the final implementation deadline coming in 31 March 2025. The rules apply to dual regulated firms, enhanced scope SMCR firms and firms authorised or registered under the Payment Services Regulations or Electronic Money Regulations.
The Operational Resilience requirements were followed shortly after by the next big regulatory requirements from the FCA – Consumer Duty, which came into force in July 2023. Consumer Duty was more broad ranging in application and was relevant to all firms involved in the production, distribution or servicing of products for consumers.
Despite the close timing of these two regulatory changes, in many firms the implementation programmes were undertaken with a siloed approach, with little crossover or consideration of the links between the two requirements. This is a sub-optimum outcome, as, in many respects, Consumer Duty builds on (and expands) the Operational Resilience requirements. For those firms caught by both rules, it is important to recognise this linkage. And for firms currently outside of the scope of Operational Resilience, it is equally important for them to appreciate that the Principle of Consumer Duty brings with many elements of the Operational Resilience Rules.
Adopting a joined up and consistent approach can offer firms a range of benefits, in terms of controlling regulatory risk, and also in reducing costs and improving efficiencies.
Rebalancing the risk appetite
Operational Resilience has the concept of ‘Intolerable Harm’ which sets a fairly high bar for the level of impact firms should look to prevent. Conversely, Consumer Duty brings the cross-cutting rules, requiring firms to prevent ‘Foreseeable Harm’ and also to ‘enable and support customers to pursue their financial objectives’. Consumer Duty also has the Outcome of “Consumer Support”.
Consumer Duty provides guidance directing firms to ensure they are ‘dealing with issues when they arise to prevent customers from suffering harm as a result of firm inaction’. It also has an expectation that ‘Firms should be able to continue providing a reasonable level of support to their customers in the event of an issue arising with their services, which might include temporary works, an IT outage, or cyber-attack’.
Clearly the consumer support expectations of Consumer Duty are a far lower bar than Operational Resilience, and firms should reflect that in their risk appetites. Equally, Consumer Duty (through the foreseeable harm requirements) puts a far greater expectation on predictive and preventative actions.
Reassessing the approach
Whilst Operational Resilience clearly directs firms to consider the services that are important to customers (and the potential harm they can experience), there was always a tendency for firms to approach the requirements from an IT/Operations perspective. This was particularly true for dual regulated firms, who tended to focus on the PRA, rather than the FCA requirements.
Consumer Duty, in contrast, puts the customer front and centre. It is important for firms to recognise that they need to be fully focussed on these customer outcomes.
This reframing should flow through into reassessing the assumptions made regarding important business services and scenario testing, to ensure they are in alignment.
Aligning the application of the rules
Both Consumer Duty and Operational Resilience come with annual reviews, ongoing monitoring requirements and risk assessments. If firms are undertaking these as separate exercises, it is inefficient, and there is a significant risk that important elements will be missed. Firms can also take learnings from both, to improve performance.
In conclusion, it is important for firms caught by Operational Resilience and/or Consumer Duty requirements to recognise that there is a continuum of expectations between the two, and that adopting a siloed approach will lead to inefficiencies and increased regulatory risk. The Principles-based mindset of Consumer Duty (particularly the foreseeable harm element), can sharpen firms’ focus and bring in a greater appreciation of a forward-looking and preventative mindset.