The race to resilience: Why UK and EU rules will redefine financial stability by 2025

by George Iddenden, reporter, The Payments Association


What is this article about?

The growing importance of operational resilience in financial institutions, driven by FCA guidelines and the EU’s DORA framework

Why is it important?

Operational resilience ensures firms can withstand disruptions like cyberattacks or supply chain failures, safeguarding critical services and consumer trust.

What’s next?

Financial institutions must align with UK and EU regulations by 2025, implementing unified compliance frameworks, advanced risk management, and real-time monitoring tools.

As we edge closer to 2025, financial institutions across the UK and EU are under increasing pressure to fortify their operational resilience. This imperative stems not only from the complexities of today’s financial ecosystem, which includes threats from cybersecurity breaches and geopolitical instability, but also from direct experiences such as the COVID-19 pandemic and high-profile incidents like the CrowdStrike outage. These events have exposed the vulnerabilities of global supply chains and remote operational models, underscoring the need for firms to rapidly recover and adapt to prevent future disruptions.

Against this backdrop, recent statistics reveal alarming trends: in 2023, for example, data breaches in the U.S. financial industry had surged by 330% since 2019, reaching 744 incidents. Globally, 52% of organisations suffered financial losses of between $300,000 and $1 million due to cyberattacks, with 12% experiencing losses exceeding $1 million.

The frequency of these incidents is alarming. In the UK, 21% of businesses reported monthly data breaches, while 18% experienced weekly breaches. Cyber threats rank as the fourth biggest risk for financial services in 2024, with an average score of 6.02 out of 10, according to data from Protiviti. The business impact is significant: 47% of businesses reported greater difficulty attracting new customers as a consequence of cyberattacks this year.

Lorraine Mouat, a partner at Thistle Initiatives, highlights the distinction between operational resilience and traditional business continuity planning. According to Mouat, operational resilience is not only about recovery; it’s about a firm’s ability to prevent, adapt, and learn from disruptions to ensure the delivery of critical services. This approach is vital for maintaining consumer trust, ensuring financial stability, and protecting the integrity of the financial system.

The urgency for enhanced resilience has prompted regulatory responses. The UK’s Financial Conduct Authority (FCA) and the EU’s Digital Operational Resilience Act (DORA) have introduced stringent guidelines and frameworks focused on managing risks from critical third-party providers and digital operations, setting the stage for significant transformations in how financial stability is maintained and ensured by 2025.

The UK’s Operational Resilience framework

In response to the growing issue, the FCA has made operational resilience a cornerstone of its regulatory approach, especially following the challenges posed by the COVID-19 pandemic. The FCA has emphasised the need for financial institutions to not only have contingency plans in place but to actively build resilience across all aspects of their operations. It defines operational resilience as the ability of firms to prevent, adapt to, recover from, and learn from operational disruptions. This definition extends beyond traditional business continuity planning, which focuses primarily on recovery, to a more comprehensive approach that prioritises a firm’s capacity to adapt to and learn from disruptions.

The numbers suggest a growing awareness of the need for improved resilience, with recent surveys and studies indicating that operational resilience is becoming a top priority for financial firms globally, including in the UK and EU. In 2024, nearly half of organisations worldwide reported their network resilience readiness was at a formative stage, with 30% at a progressive level.

As Mouat notes, since March 2022, the FCA has expected firms to identify and prioritise key business services—those whose disruption could significantly affect consumers or market integrity. This focus aims to protect critical services from disruptions that could endanger the financial system or consumers. “Firms should also have established impact tolerances for these services, defining acceptable levels of disruption,” Mouat adds.

These thresholds must be rigorously tested so that firms can demonstrate their ability to operate within these limits, even under severe but plausible scenarios. By its March 2025 deadline, the FCA expects firms to fully embed these requirements, which include regular resilience testing, robust oversight of third-party dependencies, and ongoing refinement of strategies based on lessons learned from previous incidents.

The pandemic exposed significant vulnerabilities, particularly the reliance on manual processes and fragmented technological infrastructures. The shift to remote work placed considerable strain on operations, revealing gaps in business continuity plans and digital systems.

This has prompted the FCA to make it clear that firms must be operationally resilient to disruptions like COVID-19, meaning they cannot use such events as an excuse for non-compliance with regulatory requirements, such as CASS (Client Assets Sourcebook) related operations.

Implementation timeline

The regulator has set a compliance deadline of March 31, 2025, for firms to demonstrate full adherence to the operational resilience framework. This gives firms a clear timeline to evaluate and modify their operations to meet the FCA’s requirements, which involve identifying critical business services, conducting resilience tests under stress scenarios, and developing appropriate recovery strategies.

The regulator expects firms operating in the financial services space to use this time to develop and document their approach to resilience, incorporating lessons learned from past disruptions.

This is pivotal, as the FCA will begin reviewing firms’ compliance, and those that fail to meet the requirements may face regulatory consequences. The timeline also aligns with the broader industry shift towards more robust, digitally enabled operational models that support flexibility and sustainability.

Current observations

The FCA has made it clear that financial institutions must modernise their operations to withstand disruptions. Cloud-based solutions are increasingly being viewed as critical to achieving operational resilience. The demand for such solutions has grown, especially as firms realise the importance of managing operations from any location—on-site or remote.

Many firms that previously relied on manual spreadsheets and on-premise systems for regulatory processes have recognised the need for more automated, scalable, and resilient solutions. This shift to cloud-based platforms enhances operational resilience, streamlines compliance, and reduces the operational risks associated with outdated manual processes.

Additionally, the FCA has observed that firms relying on traditional, less resilient systems frequently encounter operational disruptions and compliance issues, leading to increased regulatory scrutiny. As a result, the transition to cloud-based solutions, supporting real-time data access and ensuring continuity during disruptions, has become vital.

As the FCA continues to assess firms’ operational resilience, it is vitally important that firms act now to modernise their infrastructure, implement comprehensive resilience plans, and demonstrate their ability to respond to and recover from disruptions without compromising critical services.

The EU's Digital Operational Resilience Act (DORA)

Kevin Flood, Director of Payments Ecosystem Strategy at FIS, breaks down the difference between the two: “While the UK’s approach shares similar intentions, it differs in emphasis, scope, and implementation. DORA’s broad scope covers a wide range of financial institutions, including ICT providers. In contrast, UK regulations focus on UK-regulated firms (overseen by the FCA and PRA) and indirectly address ICT providers.”

“DORA is more prescribed and harmonised, focused on ICT risk and third-party oversight, whereby the UK is more flexible and outcome-focused with a priority placed on continuity of important business services – firms operating across both jurisdictions need to carefully navigate the waters.”

Mouat’s insights on operational resilience, particularly in the UK context, echo the broader challenges DORA seeks to address. She notes that the FCA expects firms to have “identified and prioritised their important business services”, and this aligns with DORA’s requirement to assess risks specifically related to the technologies that underpin those services.

Both frameworks emphasise the need for firms to develop impact tolerances and ensure resilience across their operations, especially those critical to service delivery. Mouat highlights that “Firms should also have now established impact tolerances for these services,” and this focus is equally central in DORA, where firms must set clear thresholds for disruption tolerance and regularly test their resilience against ICT threats.

Key provisions

Specifically, the EU’s framework sets out several key provisions emphasising third-party accountability, incident reporting, and resilience testing, with a unique focus on ICT risks. One of the most important aspects of DORA is its requirement for third-party risk management, particularly in the context of outsourcing critical ICT functions to external providers.

Firms must not only assess the resilience of their internal systems but also ensure that third-party providers meet stringent operational resilience requirements. This includes ensuring that critical providers—such as cloud services or software vendors—adhere to the same levels of resilience, oversight, and testing as the firms themselves.

Mouat explains: “Firms must have robust oversight of third-party dependencies,” a concept DORA has integrated into its framework. The regulation stresses the need for firms to ensure that third-party contracts include provisions for resilience testing, monitoring, and incident management. This extends beyond simply managing the technology to ensuring that external vendors can sustain operations during disruptions, highlighting a more comprehensive and proactive approach to risk management.

A key aspect of DORA is its emphasis on incident reporting and resilience testing. It requires firms to report significant ICT-related incidents promptly, enabling regulators to quickly assess their scale and impact.

This not only enhances the visibility of systemic threats but also supports a more coordinated and transparent response across the sector. Additionally, resilience testing is required to be regular and comprehensive, ensuring firms can demonstrate their ability to withstand significant ICT disruptions under plausible but severe scenarios.

On ongoing adaptation, Mouat says: “Firms must regularly refine their strategies based on lessons learned from operational incidents.” DORA also encourages firms to evolve their resilience strategies continuously, incorporating insights gained from past incidents to improve preparedness for future disruptions.

Convergence of the two

Firms have less time to comply with the provisions of DORA, which is expected to be fully applicable from January 2025. As with the UK’s operational resilience framework, DORA’s timeline gives financial firms time to assess their resilience, address potential vulnerabilities, and implement necessary changes.

In terms of shared objectives, both the UK and the EU share a common goal of enhancing operational resilience within the financial sector. Both the FCA and DORA frameworks aim to ensure that financial institutions can maintain critical services even during severe disruptions, safeguarding consumer protection and financial stability.

The emphasis on building resilience against cybersecurity risks, systemic failures, and other technology-related vulnerabilities highlights the recognition that operational disruptions often stem from digital infrastructure and third-party dependencies, making these factors a central focus for regulators on both sides of the Channel.

As Mouat notes, “Firms should have now established impact tolerances for these services,” which aligns with both the UK’s and the EU’s emphasis on identifying critical business services and testing resilience against plausible disruptions. The goal is for firms to not only prevent operational failures but also be able to recover from and learn from such incidents, adapting their strategies to minimise future risks.

Both frameworks require firms to assess their key business services and set clear thresholds for acceptable levels of disruption. This means firms must not only identify what is critical to their operations but also ensure that they can continue to operate under stress without jeopardising market integrity or consumer welfare.

These regulations also mandate resilience testing, with both the FCA and DORA requiring that firms regularly test their ability to operate within these tolerances during severe scenarios.

While both frameworks share a strong focus on critical services and resilience testing, there are notable differences in scope. The UK’s operational resilience framework, for instance, takes a more comprehensive approach, focusing not only on digital systems but also on the broader aspects of operational resilience, including people, processes, facilities, and information.

Unified approach to compliance

For firms operating across these two different jurisdictions, a unified approach to compliance is required to reduce duplication of effort and ensure that firms can meet the regulatory requirements of both the UK and EU without unnecessary complexity. This may involve regulatory mapping to identify overlaps and differences in the two frameworks, allowing firms to streamline their compliance processes and avoid conflicting requirements.

Firms will also need to adopt more centralised governance structures to manage operational resilience across both the UK and EU. This may include creating unified compliance teams that can oversee adherence to both regulatory environments, ensuring that resilience strategies are consistent and aligned across borders.

Furthermore, testing scenarios must satisfy the requirements of both the FCA and DORA, meaning that firms will need to demonstrate their resilience not only in the face of internal disruptions but also against ICT-specific risks and third-party dependencies.

Given that both frameworks emphasise the importance of third-party due diligence, firms should review their third-party relationships to allow for cross-border monitoring. This will ensure that external vendors, particularly those handling critical ICT functions, are subject to the same rigorous standards of resilience, regardless of their location. By harmonising their approach to third-party risk management, firms can ensure that all their operations, whether domestic or international, meet the required standards of resilience.

Compliance strategies

As the regulatory landscape continues to evolve with the introduction of both the UK’s operational resilience framework and the EU’s DORA, firms must create a unified risk management framework that aligns with the requirements of both jurisdictions. Mouat emphasises, “Firms should ensure they embed resilience into the organisational culture and ensure it is a shared responsibility across all functions.”

Firms must be proactive in mapping out regulatory overlaps and differences between the UK and EU frameworks, ensuring that their approach is efficient, consistent, and adaptable across both environments.

To manage these complexities, it will be essential for firms to engage in continuous dialogue with regulators. As Mouat points out, “Firms should also maintain an open dialogue with both the UK and EU regulators so that they can stay ahead of evolving expectations.”

Regular communication with regulators will help firms keep pace with changing requirements and avoid surprises as the FCA and the EU continue refining their operational resilience guidelines.

Simon Treacy, Senior Associate at Linklaters, advises firms to “leverage the plans, policies and procedures which they already have to meet existing regulatory requirements, such as incident-reporting processes under payment services legislation, and build on these to bridge the gap to the new operational resilience standards. Firms subject to both the UK and EU regimes should aim to implement the two consistently where possible.”

Operational challenges

One of the most significant operational challenges firms will face is ensuring that their resilience strategies are both robust and adaptable enough to meet the regulatory expectations of both the UK and the EU. Given the regulatory focus on third-party dependencies, impact tolerances, and resilience testing, firms will need to develop comprehensive internal systems to monitor and manage these factors.

Mouat highlights that “Firms should consider creating a unified risk management framework” to avoid the duplication of effort and streamline their compliance processes across borders. This framework should provide a clear structure for managing operational risks, especially those related to ICT and third-party providers, ensuring that each critical business service is protected in line with both regulatory requirements.

Treacy adds: “Firms should package up the relevant strategies, plans and policies so that you are ready to evidence to the regulators how you ‘do’ operational resilience. Finally, engage with senior managers so that they understand their role in overseeing technology risks and receive the right information for them to do so effectively.”

AutoRek Global Payments Sales Manager Nick Botha believes that firms across the EU are slightly behind in the adoption of new technology for operational processes. “They tend to rely heavily on legacy systems and processes which require a lot of manual intervention and heavily reliant on key FTEs, which poses huge operational risk to firms,” he tells Payments Intelligence.

“Firms having to go back and review these processes may result in a rework of their systems architecture frameworks and will result in significant portions of budgets being allocated to projects to improve firms’ operational setups.”

According to Botha, these processes are not a “simple quick fix” and no system will be able to support everything a firm needs. In order to rise to the challenge, firms will need to implement a longer-term vision.

“This will result in expensive operational transformation projects, shifting away from customer acquisition, which has been the primary focus over the past few years as firms try to establish themselves in a highly competitive market.”

Flood believes that while DORA provides a robust framework for enhancing operational resilience, firms may encounter challenges in aligning their systems, processes, and culture within its prescriptive guidelines. “Addressing these challenges will require proactive planning, investment in technology and expertise, and close collaboration with regulators and third parties,” he adds.

Flood says firms that view DORA as an opportunity to strengthen their resilience, rather than merely a compliance exercise, will be better positioned to thrive in an increasingly digital and interconnected financial ecosystem.

Technological solutions

Adopting real-time monitoring tools will be vital in helping firms meet UK and EU expectations for operational resilience. As the whitepaper suggests, using automated systems and cloud-based applications will enhance resilience and compliance. These technological solutions enable firms to continuously monitor their operations and respond quickly to incidents, ensuring that they remain within their impact tolerances and can demonstrate compliance with regulatory testing scenarios.

Mouat’s advice that firms should “ensure they embed resilience into the organisational culture” aligns with this shift towards more automated, cloud-based systems, which can help build flexibility and efficiency into daily operations. By adopting these technologies, firms can not only reduce the manual workload associated with compliance tasks but also improve their incident response times, ensuring that disruptions are swiftly addressed and recovery is as seamless as possible.

Moreover, integrating automated systems allows firms to streamline their third-party risk management, particularly by ensuring that critical vendors meet the same high standards of resilience.

Botha adds: “Cloud-based solutions and AI-driven monitoring tools are essential for achieving operational resilience. For example, many firms have successfully implemented cloud-based financial controls platforms to streamline processes and reduce operational costs per transaction significantly.”

He believes that these third-party platforms not only support regulatory audit requirements more effectively but also integrate seamlessly with existing systems. “This interoperability enhances the technology stack without disrupting current operations, providing a scalable and cost-efficient solution to strengthen operational resilience for clients,” he explains.

Financial institutions should also consult with regulatory experts to ensure that their technological systems are fully aligned with UK and EU regulations and to get advice on implementing continuous resilience testing and reporting.

Botha advises firms to ensure they understand the specific requirements of each regulatory framework, engage proactively with regulators, and invest in scalable technologies to build resilience against emerging risks. “Engage with industry experts and understand that utilising the latest technologies to support operational processes may seem like an expensive investment, however ROI can be achieved by ensuring effective interoperability between the systems to support your operational teams,” he says.


Takeaways

Both the UK and EU have made operational resilience a critical focus for financial institutions, with frameworks such as the FCA’s operational resilience guidelines and DORA driving significant changes in the way firms approach risk management. These regulatory developments come in response to the increasing threats of cybersecurity breaches, supply chain disruptions, and other operational risks, all of which have been underscored by the challenges of the COVID-19 pandemic. While both frameworks share common objectives, such as third-party accountability and resilience testing, they also highlight distinct areas of focus, particularly around ICT risks in DORA and the broader resilience approach of the FCA.

A unified approach to compliance is essential for financial firms operating across both jurisdictions. This includes the development of robust risk management frameworks, effective third-party due diligence, and adopting real-time monitoring tools. Firms will also need to embrace technological solutions to support their resilience strategies, streamline operations, and ensure they meet regulatory requirements efficiently. By doing so, financial institutions can ensure that they not only meet regulatory demands but also foster a culture of resilience that strengthens their ability to adapt to future challenges and safeguard the financial system’s stability.
