
UK Fintech Cloud Compliance - FCA Operational Resilience by March 2025


The FCA's operational resilience rules require UK fintechs to identify important business services, set impact tolerances, and demonstrate they can remain within those tolerances—including for cloud-hosted services. With the 31 March 2025 compliance deadline now passed, firms must ensure ongoing compliance with mapping, testing, and third-party management requirements under PS21/3 and FG16/5.

Written by CTC Editorial (Editorial Team)

Understanding FCA Operational Resilience Requirements

The FCA's operational resilience framework fundamentally changes how UK fintechs must approach cloud infrastructure and third-party services. The requirements, set out in Policy Statement PS21/3, demand that firms identify their important business services, set impact tolerances, and demonstrate they can remain within those tolerances even when things go wrong.

The 31 March 2025 deadline marks the end of the transitional period. By this date, firms must have completed mapping and testing, demonstrated they can remain within impact tolerances for each important business service, and made the necessary investments to operate consistently.

For fintechs—where cloud services typically underpin core payment processing, customer data management, and trading systems—this creates specific challenges around demonstrating resilience for outsourced infrastructure.

Cloud Outsourcing Under FG16/5

The FCA's Finalised Guidance FG16/5 specifically addresses cloud outsourcing requirements. The FCA views cloud services supporting important business functions as potentially material outsourcing, triggering enhanced due diligence and ongoing management requirements.

Key principles under FG16/5 include:

  • Regulatory access – Cloud arrangements must not impair the FCA's ability to monitor compliance

  • Data location – Firms must know where their data is processed and stored

  • Exit planning – Contracts must support orderly transition to alternative providers

  • Due diligence – Exercise skill, care, and diligence in selecting cloud providers

  • Ongoing monitoring – Actively manage relationships throughout the contract lifecycle

Chapter 8 of the FCA's SYSC sourcebook requires firms to take reasonable steps to avoid undue operational risk when outsourcing. Critically, firms cannot outsource functions in ways that would impair internal controls or regulatory oversight.

Important Business Services and Impact Tolerances

The FCA requires firms to identify important business services—those that, if disrupted, could cause intolerable harm to consumers or risk to market integrity. For most fintechs, these typically include payment processing, customer account access, transaction execution, lending decisions, and regulatory reporting.

For each important business service, firms must set impact tolerances: the maximum tolerable level of disruption. This might be expressed as maximum downtime (e.g., payment processing cannot be unavailable for more than 4 hours) or degraded service thresholds (e.g., transaction latency cannot exceed 30 seconds for more than 1 hour).

Crucially, impact tolerances must account for the full service chain—including cloud infrastructure. If your payment service depends on AWS or Azure, your impact tolerance must be achievable given your cloud provider's SLA and your own failover capabilities.

Third-Party Cloud Provider Management

The FCA is clear: it is the firm's responsibility to remain within impact tolerances, including where third-party providers support or deliver important business services. You cannot outsource accountability.

Effective third-party management for cloud services requires:

Contractual Provisions

Ensure cloud contracts include audit rights, access to relevant data and systems, defined SLAs with remedies, termination provisions supporting orderly exit, and clear data handling and location requirements.

Ongoing Monitoring

Implement continuous monitoring of cloud service performance against SLAs. Establish clear escalation paths for incidents and conduct regular reviews of provider security posture and certifications.

Scenario Testing

Regularly test your ability to remain within impact tolerances during cloud service disruptions. This includes failover to secondary regions or providers, degraded mode operations, and data recovery from backups.
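The impact-tolerance definitions above (maximum downtime, or a latency threshold that may not be exceeded for longer than a set period) and the monitoring and scenario-testing steps only become checkable once the tolerance and the incident record are both expressed as data. The following Python is an added illustration, not code from this article, the FCA or any cloud provider: it evaluates a constructed scenario-test record for a hypothetical "payment-processing" service against the article's example tolerance (no more than 4 hours down; latency may not exceed 30 seconds for more than 1 hour). The service names, timestamps and latency figures are all constructed; overlapping outage records of the same incident are merged so they are not double counted against the downtime budget.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Added example (not the article's or the FCA's code): check a constructed
# incident record against an impact tolerance of the form described above.


@dataclass(frozen=True)
class ImpactTolerance:
    service: str
    max_downtime: timedelta                   # total unavailability allowed
    max_latency_s: Optional[float] = None     # degraded-service threshold
    max_degraded: Optional[timedelta] = None  # how long latency may stay above it


@dataclass(frozen=True)
class Outage:
    service: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class LatencySample:
    service: str
    at: datetime
    seconds: float


def merge_intervals(intervals: List[Tuple]) -> List[Tuple]:
    """Merge overlapping or touching intervals so two records of one incident
    (a region loss and the database failover it caused) count once."""
    merged: List[Tuple] = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def total_downtime(outages: List[Outage], service: str) -> timedelta:
    spans = merge_intervals([(o.start, o.end) for o in outages if o.service == service])
    return sum((end - start for start, end in spans), timedelta())


def longest_degraded_window(samples: List[LatencySample], service: str,
                            threshold_s: float, sample_period: timedelta) -> timedelta:
    """Longest continuous run of samples above the threshold; each sample is taken
    to cover the period until the next one, so n samples count as n * period."""
    longest = timedelta()
    run_start: Optional[datetime] = None
    for s in sorted((s for s in samples if s.service == service), key=lambda s: s.at):
        if s.seconds > threshold_s:
            if run_start is None:
                run_start = s.at
            longest = max(longest, s.at + sample_period - run_start)
        else:
            run_start = None
    return longest


def evaluate(tol: ImpactTolerance, outages: List[Outage],
             samples: List[LatencySample], sample_period: timedelta) -> Dict[str, object]:
    """Measured figures plus a verdict for each component of the tolerance."""
    downtime = total_downtime(outages, tol.service)
    result: Dict[str, object] = {"downtime": downtime,
                                 "within_downtime": downtime <= tol.max_downtime}
    if tol.max_latency_s is not None and tol.max_degraded is not None:
        degraded = longest_degraded_window(samples, tol.service, tol.max_latency_s, sample_period)
        result["degraded"] = degraded
        result["within_degraded"] = degraded <= tol.max_degraded
    result["within_tolerance"] = all(v for k, v in result.items() if k.startswith("within_"))
    return result


def run_example() -> Dict[str, object]:
    """Constructed scenario-test record against the article's example tolerance."""
    tol = ImpactTolerance("payment-processing", max_downtime=timedelta(hours=4),
                          max_latency_s=30.0, max_degraded=timedelta(hours=1))
    day = datetime(2025, 3, 3)  # constructed date
    # Two overlapping records of one incident: region loss 09:00-11:30 and the
    # database failover it triggered 10:00-12:00, i.e. 3 hours unavailable.
    outages = [
        Outage("payment-processing", day.replace(hour=9), day.replace(hour=11, minute=30)),
        Outage("payment-processing", day.replace(hour=10), day.replace(hour=12)),
        Outage("customer-login", day.replace(hour=9), day.replace(hour=9, minute=20)),
    ]
    # Five-minute samples from 12:00: 45 s for 14 samples (70 min) while running
    # in degraded mode on the secondary region, then 12 s once recovered.
    period = timedelta(minutes=5)
    samples = [LatencySample("payment-processing", day.replace(hour=12) + i * period,
                             45.0 if i < 14 else 12.0) for i in range(18)]
    return evaluate(tol, outages, samples, period)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

In this constructed run the downtime component passes (3 hours merged, against a 4-hour tolerance) but the degraded-mode component fails (70 minutes above 30 seconds against a 1-hour limit), which is exactly the kind of finding a scenario test should surface: failover kept the service up, yet the degraded-service threshold was still breached, so the tolerance as a whole was not met.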

AWS provides specific guidance on aligning with UK operational resilience rules, including the shared responsibility model for disaster recovery and availability.

Critical Third Parties Regime

The Financial Services and Markets Act 2023 gave UK financial regulators new powers to oversee critical third parties (CTPs)—providers whose services are so important to the financial sector that their failure could cause systemic risk. The new CTP rules came into effect on 1 January 2025.

Major cloud providers like AWS, Azure, and Google Cloud are likely to be designated as CTPs, subjecting them to direct regulatory oversight. For fintechs, this provides additional assurance but does not reduce the firm's own obligations under operational resilience rules.

Fintechs should monitor CTP designations and understand how their cloud providers' CTP status affects their own compliance and risk management.

Ongoing Compliance and Reporting

Compliance with operational resilience requirements is not a one-time exercise. The FCA expects firms to continuously review and update their important business services, impact tolerances, and resilience capabilities as their business evolves.

In December 2024, the FCA launched consultation CP24/28 proposing new incident and third-party reporting requirements. This will require firms to provide better information about their most important third-party suppliers (material third parties) and to report operational incidents more comprehensively.

Fintechs should prepare for enhanced reporting obligations by maintaining clear documentation of cloud dependencies, implementing robust incident detection and reporting processes, and establishing regular review cycles for third-party arrangements.


Frequently Asked Questions

What is the FCA operational resilience deadline?

31 March 2025 is the end of the transitional period. By this date, firms must have completed mapping and testing and be able to demonstrate they can remain within impact tolerances for important business services.

Does using cloud services count as outsourcing under FCA rules?

Yes. The FCA views cloud services supporting important business functions as potentially material outsourcing, triggering requirements under SYSC Chapter 8 and guidance in FG16/5.

What are important business services?

Services that, if disrupted, could cause intolerable harm to consumers or risk to market integrity. For fintechs, these typically include payment processing, customer account access, and transaction execution.

What are impact tolerances?

The maximum tolerable level of disruption to an important business service, expressed as maximum downtime, degraded service thresholds, or other measurable limits.

Am I responsible for my cloud provider's resilience?

You are responsible for remaining within your impact tolerances, regardless of whether third parties support your services. You cannot outsource accountability to your cloud provider.

What is the Critical Third Parties regime?

New regulatory powers to directly oversee providers whose services are critical to the financial sector. Major cloud providers may be designated as CTPs and subject to direct regulatory oversight from 1 January 2025.

What testing is required?

Firms must test their ability to remain within impact tolerances for each important business service, including scenarios involving cloud service disruption, failover, and recovery.

What new reporting requirements are coming?

CP24/28 proposes enhanced incident and third-party reporting. Fintechs should prepare for requirements to report on material third-party suppliers and operational incidents more comprehensively.

About the Author

CTC Editorial

Editorial Team

The Compare the Cloud editorial team brings you expert analysis and insights on cloud computing, digital transformation, and emerging technologies.