UK moves to regulate operational resilience for business services

If the past four years have taught the financial services and payments industry anything, it’s the need for contingency planning. A worldwide pandemic moved bankers and their customers away from their standard payment patterns without much warning. And the geopolitical turmoil caused by the Ukraine-Russia conflict sent many banks, as well as their customers, scrambling to find different cross-border payment arrangements as sanctions made many relationships untenable. 

In the United Kingdom having a backup plan for payments is about to be regulated, with new regulations aimed at codifying payments contingencies. It will require companies to think through their business processes and ask the tough questions: What if I can’t access the office? What if I can’t access our payments infrastructure. The answers – or lack thereof – might be a rude awakening for some businesses and they shouldn’t wait for a situation where they can’t pay a crucial supplier or get paid by an important customer. 

Titled “SS1/21: Operational resilience: Impact tolerances for important business services”, it details the Prudential Regulation Authority’s (PRA) expectations for “the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.” Although it doesn’t officially take effect until mid-2025, many companies are already starting to hear from the PRA regarding SS1/21. And they’re concerned, as they should be. Companies are starting to understand how long it will take to understand. The regulations, prepare for the proper contingencies, test them and then implement them. The clock is ticking toward the deadline and companies that will be affected need to get started on compliance now. Because it may take about a year to comply with SS1/21.

As they do, here are some ways to make sense of a very complex set of regulations aimed at a very simple goal. 

What is SS1/21? According to The Bank of England’s March 2022 update, the regulation’s objective is to improve the resilience to operational disruptions “from the interconnectedness of the financial system and the complex and dynamic environment in which firms operate. The PRA considers that there is a need for a proportionate minimum standard of operational resilience that incentivises firms and, where relevant, their groups to prepare for disruptions and to invest where needed. Disruptions can affect firms’ safety and soundness, undermine policyholder protection, and, in some cases, affect financial stability.”

Operational resilience, in the context of the regulation, is a concept that UK regulators have been focused on in varying degrees since at least 2015 and has been driven by the Bank of England. According to a 2019 white paper from PwC, operational resilience is simply “The ability to adapt operations to continue functioning, when – not if – circumstances change.” Even before the pandemic, PwC stated that the concept “recognises the inevitability of adverse events and the challenges it could present to financial services firms.” It is important, according to PwC, to acknowledge that operational resilience is not a concept created to give comfort to shareholders alone but should be updated to prioritise improvements to IT and business processes that will benefit customers. 

Some other questions companies should be asking themselves right now: 

Is the regulation limited to banks? No. The policies apply to financial institutions that fall within the remit of the three regulating authorities – the Financial Conduct Authority, the Bank of England and the PRA. It is relevant not only to banks but building societies and insurers. 

Why was it enacted? This question is well-handled by the Bank Of England’s Elisabeth Stheeman (correct spelling) in a speech she made in October 2023: “As financial firms have become more digitised and interconnected at an operational level, the associated risks have become greater threats to the wider financial system. If business operations get disrupted at a system-wide level, there might be consequences for financial stability, and so the focus of work to improve operational resilience has broadened. Resilience to operational risk now includes not only business continuity and disaster recovery, but the ability of firms and the financial sector to be able to continue to supply vital financial services through disruption and periods of elevated activity.”

What purpose does it serve? It mandates the aforementioned interconnected entities in the UK financial system to have a Plan B when it comes to financial infrastructure in general and payments infrastructure in particular. For example, if an insurance company is responsible for pension disbursements each month and its operations are disrupted, the customers expecting that payment don’t have to be kept waiting or miss out on funds essential to their liquidity. Also, complying with SS1/21 helps take care of the “g” for governance in the environmental, social and governance (ESG) equation. Think of governance in terms of investing in the processes that will give your customers the best payments processes available to achieve business continuity. 

What are the key dates associated with it? The first phase of mandates for banks was March 31, 2022. The next phase wraps on March 31, 2025, but many insurance companies have already heard from the PRA as to their progress in achieving operational resilience. 

How does it relate to payments in particular? Suppose a company consistently uses a direct connection into a payment system (like Bacs) for its business payments, direct debits and disbursements to consumers. It may the case that the connection point into the payment system being used is reliable, automated, and secure. SS1/21 suggests you need a backup gateway and an additional route into the payment system to ensure operational resilience and business continuity. 

 What does it take to comply? There are three main areas of compliance, all of which can be done in-house but can be achieved much more efficiently with a partner. The three areas are: 

1.     Impact tolerance: This is essentially an estimation of the downtime associated with a potential service disruption and should include estimates for the maximum length of time for service interruption, maximum volume of disrupted transactions and maximum value of disrupted transactions.

2.     Mapping: According to the Bank of England, SS1/21 requires firms to identify and document the “necessary people, processes, technology, facilities, and information (the ‘resources’) required to deliver each of their important business services”. This process is commonly called ‘mapping’ and should include details on the essential business services critical to delivering business services like payments. It should also facilitate testing a firm’s ability to deliver important business services within the impact tolerances described earlier.

3.     Testing: Once financial services firms have established impact tolerances and mapped critical functions, teams must routinely test their ability to withstand potential disruption and recovery. 

What will happen after I engage a partner? The Bank of England is very clear on this point. The partner you choose must complement the requirements and expectations on operational resilience and facilitate greater resilience and adoption of the cloud and other new technologies to comply with SS1/21. 

 What should the next steps be? Create a roadmap for compliance if you’re a UK-based financial services company. Evaluate potential partners and make sure they can not only serve as your contingency but that they will be able to test impact tolerances and solve for disruption scenarios. 

Disruption as we have seen can come from unpredictable places. In this context, SS1/21 can be seen in two ways. The first is as a mandate companies must comply with. But it’s also an opportunity to prepare for the unexpected. Your reputation, your business customers – as well as consumers – will profit from your preparation.