The key messages set out in the consultation paper are:
- The expectations for companies and financial market infrastructure to identify their important business services, by considering how disruption to the business services they provide can have impacts beyond their own commercial interests.
- That companies must set a tolerance for disruption for each important business service and ensure they can continue to deliver their important business services and are able to remain within their impact tolerances during severe but plausible scenarios.
- The requirements to map and test important business services to identify vulnerabilities in their operational resilience and drive change where needed.
Companies will need to keep their focus on operational resilience as circumstances change, government guidance is updated and, as things return to some form of ‘new normal’, how those changes will affect their resilience and their services.
In the midst of the crisis the FCA was further prompted to send out a survey on financial resilience to some 13,000 businesses, asking, among other things, for financial information about capital, income and profits.
The crisis has impacted companies’ revenues, while any decline in market values will mean there is significant downward pressure on investment management fee incomes.
Financial viability concerns already present in some companies will be amplified and otherwise financially sound businesses may become vulnerable.
Mr Gallacher says: “All directly authorised advice firms already have a requirement to hold a certain amount of capital according to their turnover and authorisation category, but this is of course not available to the business to use, as failure to hold that capital at a reporting date would be a breach of FCA rules and could result in a firm losing their authorisation.”
Ms Mouat says: “The FCA may ask firms to provide their own assessment of adequate financial resources and will assess this in line with the following:
- Does the firm appropriately and adequately identify the risks to which it is exposed?
- How material is each risk?
- How adequate are the systems and controls?
- Has adequate use been made of stress testing in the risk assessment?
- Is the risk assessment used for day-to-day decision making?
- Does the firm have adequate financial resources based on the risks to which it is exposed?”
Ms Mouat adds: “To adequately prepare against shocks, firms need to think beyond cyber-attacks and the resilience of their systems and technology.
“Firms need to assess the operational risks and consider how these could impact their financial position and take steps to ensure they retain sufficient capital to see them through any disruption.”
Linda Gibson, head of regulatory change at BNY Mellon’s Pershing, says: “Investment in IT and decisions about system infrastructure should be taken with a view to what business service they support, how critical that is and not just through a technology lens.
“Financial pressures in firms can lead firms, or individuals, to not fully consider their established procedures and governance arrangements in areas like client onboarding checks, record keeping and even providing unsuitable advice. This then puts the firm at risk.”
Mr Deeks expects the majority of FCA findings will be in relation to depth of documentation and associated enhancements to the risk identification and mitigation process.
“Therefore, the challenges are not only fixable but, in identifying them, beneficial to the firm in driving them to think more objectively about how they have identified and mitigated key operational and financial risks,” he adds.
“The market level advantage of firms holding more financial resources and having robust operational resilience is that it should reduce the likelihood of insolvency. Therefore, with fewer firms needing to rely upon the Financial Services Compensation Scheme, this should flow through in lower FSCS levies.”