Testing Times: The FCA doubles down on requirement to test arrangements

  • Posted on: 14 April 2022
  • Written by: John Burns

My old maths teacher at school used to say, “If you assume, it makes an ass out of u and me”. Reading the FCA’s Thematic Review  TR 22/1 on wind-down planning, along with a number of other recent guidance publications from the regulator, it struck me that they are of the same mind – untested assumptions by governing bodies of regulated firms are not acceptable to them.

In TR 22/1, the FCA make a key observation that, ”testing the outcomes of wind-down planning is the best way of showing the firm’s Board/governing body, as well as the FCA that the plan and process is credible and operable”. This reinforces the FCA’s common message that the Board/governing body need to be able to prove to the FCA that there is a reasonable basis for them making the decisions that they do and that any plan which is untested is likely to be regarded by them as being next to useless. Looking more widely at communications and policy documents from the FCA, testing is a common theme (and in my experience one that many firms have, in the past, honoured more in the breach than the observance, which may explain the FCA’s current emphasis on it).

Taking first the FCA’s proposed new Consumer Duty, expected to come into force at the end of July, which the FCA say would require firms to monitor, test and adapt their practices and processes on an ongoing basis, and to be in a position to provide information and data to the FCA that evidence the outcomes of their monitoring and testing activity. This testing requirement will also apply to communications, to check understanding by the recipients.

I’m sure all payment institutions and EMIs have met the 31 March deadline to have their operational resilience arrangements in place, but remember that a key part of the requirements is to have carried out mapping and testing to a level of sophistication necessary to identify important business services, set impact tolerances and identify any vulnerabilities in your operational resilience, (PS21/3: Building operational resilience: Feedback to CP19/32 and final rules (fca.org.uk)), and conducted lessons learnt exercises to identify, prioritise, and invest in your ability to respond and recover from disruptions as effectively as possible.

Again, the FCA are requiring firms to keep evidence of their testing and lessons learned for 6 years and to provide them as evidence to the regulator that their requirements are met.

Finally (and linked to the Operational Resilience requirements) let us not forget the Business Continuity Plans.  SYC 4.1.8(6) requires “regular testing of the business continuity policy in an appropriate and proportionate manner”. The FCA is also still referring to the European Banking Authority’s Guidelines on ICT and Security Requirements, which say that testing should:

  • include testing of an adequate set of severe but plausible scenarios including those considered for the development of the BCPs; and

  • be designed to challenge the assumptions on which BCPs rest, including governance arrangements and crisis communication plans.

Too often in the past I have seen the supposed BCP testing be an annual fire alarm evacuation into the car park.  For the avoidance of doubt, that is not going to meet the FCA’s expectations, particularly following the experience of Covid.

What does this mean for firms?

All of the above are likely to be seen by the FCA as being “threshold conditions” and an inability to provide the evidence of compliance required on request will be seen as a governance failure. Given the FCA’s more assertive/aggressive approach to supervision signaled in their recently published business plan and strategy, enforcement action may follow.

From the regulator’s perspective, if a firm cannot show that it has a solid basis for the assumptions on which its plans are based, as shown by proper testing it will be, by definition, a risk to its customers.

Boards and governing bodies therefore need to put in place processes to ensure that all required testing happens, is at an appropriate level of granularity and that the feedback loop of lessons learned works properly.  They also need to evidence that they have proper and continuing oversight of the process.

As my maths teacher also said, “to fail to prepare, is to prepare to fail”.