Testing Times: The FCA doubles down on requirement to test arrangements

Share this post

My old maths teacher at school used to say, “If you assume, it makes an ass out of u and me”. Reading the FCA’s Thematic Review  TR 22/1 on wind-down planning, along with a number of other recent guidance publications from the regulator, it struck me that they are of the same mind – untested assumptions by governing bodies of regulated firms are not acceptable to them.

In TR 22/1, the FCA make a key observation that, ”testing the outcomes of wind-down planning is the best way of showing the firm’s Board/governing body, as well as the FCA that the plan and process is credible and operable”. This reinforces the FCA’s common message that the Board/governing body need to be able to prove to the FCA that there is a reasonable basis for them making the decisions that they do and that any plan which is untested is likely to be regarded by them as being next to useless. Looking more widely at communications and policy documents from the FCA, testing is a common theme (and in my experience one that many firms have, in the past, honoured more in the breach than the observance, which may explain the FCA’s current emphasis on it).

Taking first the FCA’s proposed new Consumer Duty, expected to come into force at the end of July, which the FCA say would require firms to monitor, test and adapt their practices and processes on an ongoing basis, and to be in a position to provide information and data to the FCA that evidence the outcomes of their monitoring and testing activity. This testing requirement will also apply to communications, to check understanding by the recipients.

I’m sure all payment institutions and EMIs have met the 31 March deadline to have their operational resilience arrangements in place, but remember that a key part of the requirements is to have carried out mapping and testing to a level of sophistication necessary to identify important business services, set impact tolerances and identify any vulnerabilities in your operational resilience, (PS21/3: Building operational resilience: Feedback to CP19/32 and final rules (fca.org.uk)), and conducted lessons learnt exercises to identify, prioritise, and invest in your ability to respond and recover from disruptions as effectively as possible.

Again, the FCA are requiring firms to keep evidence of their testing and lessons learned for 6 years and to provide them as evidence to the regulator that their requirements are met.

Finally (and linked to the Operational Resilience requirements) let us not forget the Business Continuity Plans.  SYC 4.1.8(6) requires “regular testing of the business continuity policy in an appropriate and proportionate manner”. The FCA is also still referring to the European Banking Authority’s Guidelines on ICT and Security Requirements, which say that testing should:

  • include testing of an adequate set of severe but plausible scenarios including those considered for the development of the BCPs; and
  • be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans.

Too often in the past I have seen the supposed BCP testing be an annual fire alarm evacuation into the car park.  For the avoidance of doubt, that is not going to meet the FCA’s expectations, particularly following the experience of Covid.

What does this mean for firms?

All of the above are likely to be seen by the FCA as being “threshold conditions” and an inability to provide the evidence of compliance required on request will be seen as a governance failure. Given the FCA’s more assertive/aggressive approach to supervision signaled in their recently published business plan and strategy, enforcement action may follow.

From the regulator’s perspective, if a firm cannot show that it has a solid basis for the assumptions on which its plans are based, as shown by proper testing it will be, by definition, a risk to its customers.

Boards and governing bodies therefore need to put in place processes to ensure that all required testing happens, is at an appropriate level of granularity and that the feedback loop of lessons learned works properly.  They also need to evidence that they have proper and continuing oversight of the process.

As my maths teacher also said, “to fail to prepare, is to prepare to fail”.

Article by Compliancy Services

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?