OUR INSIGHTS
Calling all Consumer Duty Champions - how is your Board Report?
This thematic review from the FCA evaluates how firms have embedded the Consumer Duty into their operations and whether their governing bodies effectively oversee customer outcomes. The findings provide critical insights into good practices and areas requiring improvement, with particular attention to smaller firms.
Error Message… incident imminent, more reporting needed.
The UK’s Financial Conduct Authority (FCA), alongside the Prudential Regulation Authority (PRA) and the Bank of England (BoE), has recently unveiled a series of proposed rules aimed at enhancing operational resilience in financial services.
What are you doing about client money? The rules are changing, don’t get left behind.
The Financial Conduct Authority (FCA) has published Consultation Paper CP24/20, which focuses on strengthening the safeguarding of customer funds by payment and e-money firms. The FCA’s proposed safeguarding changes represent a significant upgrade to existing practices, and firms should begin preparing now to ensure they can meet the implementation timeframes.
Resilient businesses thrive - are you ready? Operational Resilience deadline approaching.
Operational resilience isn’t achieved in isolation. In today’s interconnected financial sector, third-party vendors and market infrastructures are integral to delivering important business services (IBS). Mapping these dependencies is crucial: firms need to understand exactly what resources (people, processes, technology and vendors) are involved in each important business service.
Is your house in order? FCA complete their Consumer Duty multi-firm review.
“Firms should read this review, consider how their firm compares, and use it to address any shortfalls or gaps and raise standards. It is better for firms to resolve issues now than wait for us to identify and intervene on issues and remediate any harm later.”
What’s that coming over the hill? Third party risk management, it’s a beast.
Third-party risks arise from the direct relationships between financial institutions and their vendors or service providers, while fourth-party risks arise from the subcontractors of those third parties. Do your supplier relationships look a little like the image, and do you really understand who is dependent on whom?
Is your security posture limited to the regulatory requirements? Do you know, have you asked?
Regulators cannot possibly stay ahead of cybercriminals and it’s simply not realistic to expect them to. Regulations can lag years behind criminal innovation, and like the picture I asked our AI to create for this post, we face an indestructible enemy. If you’re C-suite, start thinking about the regulatory requirements for security as the floor, and then ask yourself “how much do we need to invest to stand up?”
Operational Resilience and DORA. Do it once, get them both right.
As I said in my post last week: “The operational resilience requirements in the UK share common objectives with the EBA guidelines for Information and Communication Technology (ICT) security risk management, and the requirements laid down by DORA in the EU.” It made sense to me to follow up with a piece on the EBA guidelines.
Operational Resilience: What next?
Ensuring that firms can prevent, respond to, recover, and learn from operational disruptions is something worth investing in.
Concerned about financial crime? The FCA continue to be…
In recent months, the FCA has sent Dear CEO letters to the wholesale broking and payments sectors. In these letters it highlighted (amongst other things) AML deficiencies within both sectors.
Consumer Duty: Four months from the implementation deadline. Is your firm ready?
The implementation date for open products is fast approaching, with firms required to implement the rules for open products and services (those open to new sale or renewal) by end July 2023.
Preparing for DORA Step 5 - Engaging Third Party Providers to Ensure Compliance & Information Sharing
As discussed in previous posts, there are five key parts of the DORA regulation that both EU-regulated financial services firms and the providers that supply them with services must comply with. In this post, the final of five, we write about Engaging Third Party Providers to Ensure Compliance and Information Sharing.
Preparing for DORA step 4 - Planning and Testing Operational Resilience and Service Continuity
As discussed in previous posts, there are five key parts of the DORA regulation that both EU-regulated financial services firms and the providers that supply them with services must comply with. In this post, the fourth of five, we write about Planning and Testing Operational Resilience and Service Continuity.
Preparing for DORA Step 3 - Digital Operational Resilience Testing - Mapping Service Dependencies
As discussed in previous posts, there are five key parts of the DORA regulation that both EU-regulated financial services firms and the providers that supply them with services must comply with. In this post, the third of five, we write about Digital Operational Resilience Testing and Mapping Service Dependencies.
Preparing for DORA Step 2 - ICT Related Incident Reporting
As discussed in previous posts, there are five key parts of the DORA regulation that both EU-regulated financial services firms and the providers that supply them with services must comply with. In this post, the second of five, we write about ICT-Related Incident Reporting.
The Consumer Duty: Harm, Intolerable Harm, Foreseeable Harm
The FCA has conducted a review of the Consumer Duty implementation plans of a selection of larger fixed firms. Keep reading even if you’re not a fixed firm. Why? Because this is an opportunity to be proactive.
Preparing for DORA Step 1 - Enhancing Governance and Risk Management Frameworks
As discussed in a previous post, there are five key parts of the DORA regulation that both EU-regulated financial services firms and the providers that supply them with services must comply with. In this post, the first of five, we write about ICT Risk Management Frameworks.
Digital Operational Resilience Act (DORA) - How prepared is your firm?
The Digital Operational Resilience Act (DORA) is new EU legislation aimed at improving the resilience and security of the EU financial services sector. The European Council adopted DORA in November 2022; it entered into force in January 2023, and firms are expected to complete their preparations over the implementation period that follows before the Act applies in full.
Third Party and Outsourcing - The Perfect Storm
Reliance on third parties within the finance sector has increased significantly over the last decade. This insight brings together several connected regulatory initiatives to strengthen third-party and outsourcing resilience.
The Consumer Duty: is this a paradigm shift in consumer protection?
Consistent with other recent regulation, the emphasis is on preventing foreseeable harm to consumers, including those identified as vulnerable. Where foreseeable harm does occur, firms will be expected to take preventative measures for the future and to go over and above the current redress requirements for the consumers harmed.