Menu Close

What are the regulators’ expectations?


Differing statutory objectives and impact tolerances

There are nuances the regulators’ requirements based on their specific statutory objectives.

Dual-regulated firms must also identify a separate impact tolerance for their important business service (one for each of the regulators’ objective). Regulators expect that, while firms need to set tolerances for each important business service by reference to that authority’s operational resilience rules, such firms will effectively manage the tolerances together.

Firms may set their separate impact tolerances at the same point if they deem it suitable for the purposes of each authority but will need to be able to justify this decision if challenged. Ensuring a firm can remain within the more stringent tolerance would be acceptable if they can demonstrate:

  • how they have considered each of the PRA and FCA’s objectives when setting their impact tolerances;
  • how their recovery and response arrangements are also appropriate for the longer impact tolerance (recovery and response arrangements must be viable for both shorter and longer time periods);
  • that scenario testing has been performed with the longer impact tolerance in mind as a shorter impact tolerance might constrain the range of severe but plausible events a firm might consider.

Example of different Impact Tolerances set by a dual-regulated firm for the same important business service

The FCA advised that dual-regulated firms are allowed to set additional sub-tolerances if they find it beneficial. It also commented that it will work collaboratively with the PRA to ensure they supervise tolerances efficiently.

Smaller firms are not required to consider financial stability when setting impact tolerances.

Notifications

Where a firm fails to remain within an impact tolerance it has set, it would be expected to notify the FCA under its Principle 11 and, if applicable, the PRA’s Fundamental Rule 7.

Outsourced services

When a firm is using a third-party service provider in the provision of important business services, it should work effectively with that provider to set and remain within impact tolerances.

The requirements to set and remain within impact tolerances remain the firm’s responsibility, regardless of whether it uses external parties for the provision of important business services

Reviewing Impact Tolerances

Regulators require firms to keep impact tolerances under review and relevant, and to consider their continued ability to comply with those if there is a relevant change to their business or to the market in which they operate.

They also require firms to prepare and regularly update a documented self-assessment of their compliance with the Operational Resilience obligations.

Have you read our responses behind other key questions?  You can view them by clicking on the links to the pages below:

What are Impact Tolerances?

How should firms determine and set appropriate Impact Tolerances?

Practical considerations

Top Tips and Points for Attention

Timeline