The quest for operational resilience: Mastering digital transformation

by George Iddenden


Operational resilience is key for financial firms as rapid technological advances enable innovation but also increase cyber threats, regulatory demands and risk.

Resilience is no longer just about recovery; it increasingly means anticipating, mitigating and adapting to these challenges. The Financial Conduct Authority (FCA) in the UK, the European Union’s Digital Operational Resilience Act (DORA), and global regulators are emphasising the need for robust frameworks that ensure financial services can withstand disruptions.

Thistle Initiatives Partner Lorraine Mouat tells Payments Review: “Digital transformation isn’t just about swapping old tech for new—it’s about making sure businesses can handle whatever gets thrown at them. As organisations try to blend cutting-edge solutions with legacy systems, the real challenge isn’t just about preventing outages; it’s about staying agile, keeping customers happy, and making smart long-term decisions.”

The core pillars of operational resilience

There are four essential pillars that enable proper resilience to be achieved. The first is technology infrastructure, where cloud computing, artificial intelligence (AI) and automation reshape how financial services operate. Migrating from legacy systems to cloud-based solutions improves flexibility and allows businesses to recover faster from unexpected failures; however, this is a difficult task for firms to embark on.

FIS Head of European Growth Office, Corporate & International Banking Kevin Flood adds: “One often-overlooked benefit of modernisation is the efficiency gains and standardised approach that result from adopting a common architecture conducive to modular and regular change. Resources will be able to more rapidly assess changes and provide impact analysis on regulatory or, more importantly, ‘innovate’ changes.”

The second pillar, cybersecurity and risk management, has become increasingly complex as cybercriminals exploit the rise of digital payments and remote working. Phishing attacks, ransomware, and data breaches have become constant threats. Companies should adopt zero-trust security models, continuous risk assessments, and real-time threat intelligence to stay one step ahead. Third-party risk is another key concern, as businesses often rely on external vendors for critical services. Regulators now expect firms to scrutinise their partners’ resilience as much as their own.

Regulatory compliance forms the third pillar. With frameworks like DORA and the FCA’s operational resilience requirements, businesses must work to anticipate future regulatory trends.

On the FCA’s rules in particular, Sidley Austin Partner Max Savoie says: “Identifying important business services and setting impact tolerances for these in accordance with the rules requires a degree of judgement, as well as collaboration between those within a firm who are responsible for regulatory compliance and those responsible for customer services and the operational functions supporting them. Requirements for mapping and testing may also need to be relatively involved in processes and will likely require coordination with third-party suppliers and commercial partners.”

Many firms struggle with the cost and complexity of compliance, but failure to meet resilience mandates can result in heavy penalties. Digital transformation can ease this burden, with automation tools now assisting with real-time regulatory reporting and governance and reducing the risk of human error.

The final pillar is business continuity and incident response. Even the most technologically advanced firms are not immune to disruption. Having robust contingency plans, backup systems, and disaster recovery mechanisms ensures that, in the event of a failure, operations can continue with minimal impact. Real-time monitoring and response protocols are essential, and firms must move beyond reactive approaches and embrace predictive resilience, using AI and big data to forecast and prevent potential failures before they occur.

On this, Flood says: “If an organisation has not undertaken the necessary work from the business, technology, and operations teams to understand and set a strategy, no amount of expensive technology will solve the problem. The risk is an expensive, frustrating, and time-consuming programme that was doomed to fail from the start due to a lack of clarity and direction.”

Challenges in achieving resilience

Despite growing awareness of the need for operational resilience, many firms struggle to put it into practice. One of the biggest barriers is legacy infrastructure. The difficulty is that many financial institutions still rely on outdated systems that cannot seamlessly integrate with modern digital solutions. Upgrading these systems is costly and complex, but it is necessary for firms to ensure their resilience.

Another significant challenge lies in balancing agility with compliance. Fintechs and, in particular, digital banks must innovate rapidly to stay competitive, but fast-paced development can introduce unexpected risks. Compliance with operational resilience requirements can slow down product rollouts, which inadvertently creates tension between innovation and regulation.

Human factors also play a role. It is important that employees are trained to identify risks and execute contingency plans effectively. A system failure can be managed well if the right protocols are in place, but poor communication and unprepared staff can turn a minor disruption into a major crisis.

Unfortunately, reliance on third parties can further complicate resilience efforts, with many financial services companies depending on external vendors for services including cloud support, payment processing, or cybersecurity tools. If, for example, one of these providers experiences a failure, the impact can ripple across multiple businesses. As a result, regulators across multiple jurisdictions are increasingly holding firms accountable for the resilience of their suppliers, meaning companies must perform rigorous due diligence on third-party providers.

How digital transformation can help

When properly executed, a complete digital transformation can improve operational resilience by utilising technology that positions organisations to better handle potential disruptions.

Cloud computing is one area where strategic implementation pays off. Cloud-based architecture allows companies to replicate and recover data across multiple regions, reducing the risk of prolonged downtime. Firms that shift from on-premises systems to cloud-based environments often report significant improvements in system reliability and response times.

No digital transformation today is complete without introducing AI and machine learning. AI-powered predictive analytics can help detect patterns that indicate potential failures, enabling businesses to act before problems escalate, while automated compliance tools can help firms adhere to resilience regulations without excessive manual effort, reducing both costs and the risk of human error.

According to Flood: “Once there is consensus on the destination, various routes can be taken. One approach is to transition to digital by building a new system in parallel and then switching over, with legacy applications continuing to run some services until they are phased out.”

He adds that another method is to develop a new system that starts offering new products and services, with a phased migration from existing systems, allowing targeted systems and applications to be migrated first. “Alternatively, you can identify priority applications, products, and services, and implement new solutions that will take these on, offering new services and leveraging the power of new technology,” he says.

The future of operational resilience

As financial services continue to evolve, resilience strategies will become increasingly data-driven and automated. Advances in quantum computing may revolutionise cybersecurity, offering next-generation encryption that protects against sophisticated cyber threats. More concretely, decentralised financial models are also expected to reduce dependency on single points of failure by distributing risk across multiple networks.

Mouat adds: “Resilience isn’t just a tech issue, I believe it’s more a mindset. For example, the best companies don’t just patch problems as they arise; they’re constantly stress-testing, scenario-planning, and ensuring teams are ready to adapt. Instead of chasing perfection, they’re designing for failure.”

Regulators are likely to continue tightening resilience mandates, urging firms to invest in more robust risk management frameworks. Predictive resilience will be a defining feature of the future. Rather than merely reacting to disruptions, businesses will utilise AI and machine learning to forecast and prevent failures before they occur. Those firms that fail to adopt these advanced strategies may struggle to compete in an increasingly digital and risk-conscious environment.

Read the entire Payments Review Spring edition here
