The Financial Conduct Authority’s (FCA) operational resilience rules were introduced three years ago with a clear message: financial firms must be able to withstand disruptions and keep essential services running no matter what happens.

On paper, the industry has had plenty of time to prepare. In reality, some firms are still racing against the clock, realising too late that compliance is about more than just paperwork. With only days left, the question remains: who’s truly ready, and who’s cutting it fine?

A wake-up call for the industry

Operational resilience isn’t a new concept, but it has taken on greater urgency in recent years. From cyberattacks and IT failures to third-party outages, financial institutions face increasing risks that can bring services to a halt. Customers expect 24/7 access to their money; businesses need smooth payment flows; and regulators are watching closely.

PS21/3 was introduced to make sure firms aren’t just reacting to disruptions but are prepared in advance. Yet, as the deadline looms, gaps in resilience planning are becoming more apparent. Some firms have treated compliance as a tick-box exercise, failing to integrate resilience into their broader strategy. Others have struggled with the sheer complexity of mapping critical business services and setting realistic impact tolerances.

The FCA has been clear: firms need to justify their decisions with evidence, not assumptions. Simply hoping a competitor can pick up the slack during a disruption isn’t enough. Every firm must know exactly how long it can sustain an outage before harm is caused and prove that it can recover within that timeframe.

Third-party risks: A weak link in resilience

One of the biggest challenges for firms has been managing third-party dependencies. Today’s financial ecosystem is deeply interconnected, with banks, payment providers and fintech firms all relying on external vendors for core services. What happens when those vendors fail?

The CrowdStrike outage in 2024 was a stark reminder of how dependent financial firms are on third-party providers. Some businesses had contingency plans in place; others found themselves blindsided, unable to function until their suppliers restored service. The FCA has made it clear that firms cannot outsource responsibility for resilience. Even if a third party is delivering a key service, the regulated firm is still accountable for ensuring its stability.

For payment providers and e-commerce businesses, this challenge is even greater. Many operate across multiple jurisdictions, juggling various payment rails, processors and alternative payment methods. Ensuring that these providers meet resilience standards and can keep transactions flowing even in times of disruption is essential.

Merchants need to choose their payment partners wisely

Beyond financial institutions themselves, merchants also have a stake in operational resilience. If a payment provider or acquiring bank fails to meet FCA standards, businesses relying on them could face service outages, lost revenue and customer frustration.

Merchants must be proactive in selecting financial partners that take resilience seriously. This means working with payment providers that have robust contingency plans, failover mechanisms and diverse payment routing capabilities. A provider with a single point of failure is a business risk, one that many merchants cannot afford to take.

As resilience becomes a key factor in financial partnerships, businesses need to demand transparency from their providers. How do they handle service disruptions? How quickly can they switch to backup systems? What safeguards are in place to keep payments running? These are the questions that should be asked before an outage occurs, not after.

Last-minute actions for firms still catching up

With the deadline fast approaching, firms that are still scrambling must prioritise key actions in the coming days. While long-term resilience requires a continuous effort, there are still urgent steps that can be taken to ensure compliance by 31 March:

  1. Verify that all important business services have been identified, and impact tolerances are clear. Every service should have a defined maximum tolerable outage time, backed by data.
  2. Run final scenario tests. Stress-testing resilience plans under ‘severe but plausible’ conditions can expose vulnerabilities that need last-minute fixes.
  3. Strengthen third-party oversight. Ensure that suppliers have their own resilience frameworks in place, and that they align with FCA expectations.
  4. Review and update recovery strategies. Response teams should know exactly what to do when disruptions occur, minimising downtime and customer impact.

For firms that planned ahead, this period is about fine-tuning and reinforcing resilience strategies. For those that delayed preparations, it’s a race to prove that they can meet regulatory standards, before the FCA starts asking tough questions.

Beyond the deadline

While 31 March marks the official compliance deadline, operational resilience isn’t a one-time task; it’s an ongoing expectation. The FCA has made it clear that financial firms must continue refining their resilience strategies, conducting regular reviews, and adapting to new risks.

Beyond regulatory pressure, firms that invest in resilience stand to gain a competitive advantage. Customers trust institutions that can deliver seamless services, even during crises. Payment providers that can guarantee uptime will attract more business. Merchants will prioritise financial partners that won’t leave them stranded when disruptions strike.

Those who see resilience as more than just a compliance burden, and treat it as a core pillar of their operations, will be the ones that emerge stronger in the long run. For financial services, resilience isn’t just about surviving disruptions; it’s about thriving despite them.

Azimkhon Askarov is Co-CEO & Partner at Concryt