
Operational Resilience and DORA
ICT risk management, critical third-party oversight and operational resilience for payment firms
Operational resilience in UK financial services
Operational resilience is the ability of a firm, and of the financial sector as a whole, to prevent, adapt to, respond to, recover from, and learn from operational disruptions. The UK regulatory framework for operational resilience in payments and financial services is set by the FCA, the PRA, and the Bank of England, with sector-specific requirements imposed by the Payment Systems Regulator (PSR).
The FCA’s operational resilience framework, which took effect on 31 March 2022 with a transitional period ending 31 March 2025, requires regulated firms to identify their important business services, set impact tolerances for the maximum tolerable disruption to each service, and carry out mapping and testing to ensure they can remain within those tolerances. The requirements are set out in the FCA Handbook at SYSC 15A (Operational Resilience) and in FCA Policy Statement PS21/3.
For payment service providers and electronic money institutions authorised under the Payment Services Regulations 2017 (PSRs 2017), the FCA’s operational resilience requirements apply through the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook. Payment institutions must identify their important business services, which will typically include the provision of payment initiation, account information, or payment execution services, and demonstrate that they can continue to deliver those services within impact tolerances during severe but plausible disruption scenarios.
Critical third parties and outsourcing
The Financial Services and Markets Act 2023 (FSMA 2023) introduced a new regulatory regime for critical third parties (CTPs) to the UK financial sector. Under sections 312L to 312R of FSMA 2000 (as inserted by FSMA 2023), HM Treasury may designate a third-party service provider as critical where its failure or disruption could pose systemic risk to the stability of, or confidence in, the UK financial system.
Designated CTPs will be subject to direct regulatory oversight by the FCA, PRA, and Bank of England. The regulators published their joint consultation (CP26/7) in 2024 proposing rules on minimum resilience standards, testing requirements, and information-gathering powers for CTPs. This regime is particularly relevant to cloud service providers, payment processors, and technology infrastructure firms that provide services to multiple financial institutions.
Separately, the existing outsourcing requirements under PSRs 2017 regulation 24 require payment institutions to take reasonable steps to ensure that outsourcing does not impair the quality of internal controls or the FCA’s ability to supervise the firm. The FCA’s guidance on outsourcing and third-party risk management (FG 16/5, updated 2024) sets expectations for due diligence, contractual protections, exit planning, and ongoing monitoring of outsourced service providers.
DORA and EU regulatory divergence
The EU’s Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) applies from 17 January 2025. DORA establishes a harmonised framework for ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management across all EU financial entities, including payment institutions, electronic money institutions, and payment system operators.
DORA does not apply in the United Kingdom. However, firms operating in both the UK and the EU must comply with both frameworks. The key areas of divergence include the scope of application (DORA applies to a wider range of entities), the prescriptiveness of ICT risk management requirements (DORA sets detailed standards through Regulatory Technical Standards adopted by the European Supervisory Authorities), and the third-party oversight regime (DORA empowers the European Supervisory Authorities to directly oversee critical ICT third-party providers, whereas the UK CTP regime is operated by the FCA, PRA, and Bank of England).
The incident reporting requirements also differ. Under DORA, financial entities must report major ICT-related incidents to their competent authority within prescribed timeframes using standardised reporting templates. The UK framework relies on the FCA’s existing notification requirements under SUP 15.3 and the PSR’s incident reporting requirements for operators of recognised payment systems.
Firms with cross-border operations should conduct a gap analysis between the UK and EU frameworks and develop compliance programmes that satisfy both sets of requirements efficiently. The practical challenge is to build operational resilience and ICT risk management capabilities that meet the more prescriptive DORA standards while also satisfying the UK’s principles-based approach.
How bratby.law helps
bratby.law advises payment institutions, electronic money institutions, payment system operators, and their technology providers on operational resilience, ICT risk management, and the regulatory requirements that apply to critical services in the payments sector. Our managing partner holds a General Counsel appointment at UK Payments Initiative Limited and advises on operational resilience in the context of payment scheme design and governance.
Our work in this area includes:
- Identifying important business services and setting impact tolerances under the FCA’s operational resilience framework
- Operational resilience mapping, scenario testing, and gap analysis for payment institutions
- Advising on the CTP designation regime under FSMA 2023 and its implications for technology providers serving the payments sector
- Outsourcing and third-party risk management compliance under PSRs 2017 regulation 24 and FCA guidance FG 16/5
- DORA compliance programmes for firms with EU operations, including gap analysis against the UK framework
- ICT incident reporting frameworks and regulatory notification procedures
- Contractual protections for outsourcing arrangements, including exit planning, audit rights, and service continuity provisions
Book a call
For advice on operational resilience, DORA compliance, or third-party risk management in the payments sector, book a call with Rob Bratby.
FAQs
Does DORA apply to UK payment firms?
No. DORA is an EU regulation and does not apply in the United Kingdom. However, UK firms that provide services to EU financial entities, or that have EU-authorised subsidiaries, will need to comply with DORA in respect of those EU activities. The UK has its own operational resilience framework under FCA SYSC 15A and the CTP regime under FSMA 2023. Firms operating cross-border should map the requirements of both frameworks and build compliance programmes that satisfy both.
What is the critical third parties regime?
The CTP regime, introduced by FSMA 2023, allows HM Treasury to designate third-party service providers as critical where their disruption could pose systemic risk to the UK financial system. Designated CTPs will be subject to direct oversight by the FCA, PRA, and Bank of England, including minimum resilience standards, testing requirements, and information-gathering powers. The regime is aimed at concentrated dependencies on a small number of technology providers, particularly cloud infrastructure and payment processing platforms.
What are impact tolerances?
Impact tolerances are the maximum tolerable level of disruption to an important business service, expressed as a specific time period and, where relevant, a volume or data integrity threshold. Under the FCA’s operational resilience framework, firms must set impact tolerances for each important business service and demonstrate through mapping and testing that they can remain within those tolerances during severe but plausible disruption scenarios. The FCA expects firms to have achieved this by the end of the transitional period on 31 March 2025.
How do operational resilience requirements interact with telecoms regulation?
Payment systems depend on telecoms infrastructure. Telecoms operators providing connectivity to payment infrastructure are subject to the Telecommunications (Security) Act 2021 and Ofcom’s security framework, which impose their own resilience requirements. Where a telecoms provider is also a critical third party to the financial sector, it may face overlapping obligations under both the telecoms security framework and the CTP regime. bratby.law advises on the interaction between these regulatory frameworks, drawing on experience in both telecoms and payments regulation.
