FCA Operational Resilience (PS21/3): What Financial Firms Must Deliver by March 2025
The FCA's operational resilience policy statement PS21/3 (mirrored for dual-regulated firms by the PRA's PS6/21) is not a cybersecurity regulation in name, but every important business service a financial firm must protect runs on IT systems. The requirement to identify those services, set impact tolerances, map the resources that deliver them, and demonstrate that the firm can remain within tolerance during a severe but plausible disruption directly demands documented cybersecurity and business continuity controls. The rules took effect on 31 March 2022; the transitional period ends on 31 March 2025, by which date firms must have completed the mapping and scenario testing needed to show they can remain within impact tolerance for each important business service, and must keep their self-assessment current and available to the regulator on request. For firms that have not yet mapped their technology dependencies, the window is closing.
The FCA and PRA require every in-scope firm to set a specific impact tolerance for each important business service. Under the FCA rules (SYSC 15A) the tolerance must at minimum state a maximum tolerable duration of disruption; it may also be expressed in volume or financial terms.
The Three Core Requirements of PS21/3
PS21/3 establishes a framework with three sequential requirements that build on each other:
- Step 1 — Identify important business services: Services that, if disrupted, would cause harm to consumers or market integrity. Examples: client onboarding, order execution, payment processing, custody, financial advice delivery
- Step 2 — Set impact tolerances: The maximum tolerable level and duration of disruption for each service, expressed in specific terms (e.g., "payment processing cannot be disrupted for more than 4 hours at any time"). A duration metric is mandatory; volume or value metrics can be added where they capture harm the clock alone does not
- Step 3 — Map, test and self-assess: Firms must map the people, processes, technology, facilities and third parties that deliver each service, test their ability to remain within impact tolerances using severe but plausible scenarios, document the results, and maintain a board-approved self-assessment that they can make available to their supervisor on request
What Counts as a Severe But Plausible Disruption
The FCA and PRA expect testing scenarios that reflect real threats — not comfortable best-case assumptions. For cybersecurity, severe but plausible scenarios include:
- Ransomware attack rendering core systems unavailable for 48–72 hours
- Compromise of a critical SaaS provider (CRM, portfolio management, order management system)
- Insider threat leading to mass data exfiltration and system disruption
- DDoS attack against client-facing portals or trading infrastructure
- Supply chain compromise of a critical software vendor or managed service provider
- Loss of a data centre or cloud region hosting material systems
The Self-Assessment: What Supervisors Expect to See
The FCA and PRA expect firms to maintain a written self-assessment document that they can produce on request. It must demonstrate: a complete list of the firm's important business services, with the reasoning for including and excluding candidates; documented impact tolerances with rationale; the mapping of resources that deliver each service; a record of testing conducted, scenarios used, and outcomes; identified vulnerabilities and a remediation plan with timelines; and approval by the board, with the accountable Senior Manager identified under SM&CR. Firms that cannot produce this document are at material regulatory risk.
How Hadrian Supports Operational Resilience Mapping
You cannot set an impact tolerance for a business service without understanding the technology that delivers it, and you cannot assess your resilience without knowing where your exposures are. Hadrian's attack surface management platform maps your external-facing infrastructure: client portals, APIs, trading platforms, partner integrations, and any shadow IT your teams have deployed. That map becomes the technology layer of your important business service analysis; the PS21/3 mapping also has to cover internal systems, people, processes, facilities and third parties, so treat the external view as one input rather than the whole picture. When vulnerabilities are identified, Hadrian provides the record that your firm is actively managing them, which is the kind of evidence a PS21/3 self-assessment needs.
Frequently Asked Questions
Which firms are subject to PS21/3 operational resilience rules?
PS21/3 is the FCA's policy statement; the PRA's parallel requirements are set out in PS6/21 and SS1/21. The FCA rules (SYSC 15A) apply to banks, building societies, PRA-designated investment firms, Solvency II insurers, recognised investment exchanges, enhanced scope SM&CR firms, and payment and e-money institutions. Dual-regulated firms must meet both the FCA and PRA requirements. FCA-only firms outside that list, which includes most IFAs, mortgage brokers, and core or limited scope SM&CR wealth managers, are not subject to SYSC 15A, although the general SYSC business continuity and outsourcing requirements still apply to them.
What happens if we cannot stay within our impact tolerances?
If testing reveals that a firm cannot stay within its impact tolerances during a severe but plausible scenario, the firm must document this, identify the cause, and produce a credible remediation plan. The FCA and PRA do not expect perfection — they expect honesty and progress. What they will not tolerate is a firm that claims resilience it cannot demonstrate, or that fails to act on identified vulnerabilities.
Is a third-party cloud outage our problem under PS21/3?
Yes. If your important business services depend on a cloud provider, and that provider suffers an outage, your firm remains responsible for staying within its impact tolerances. This is precisely why the PRA's SS2/21 (outsourcing and third party risk management), together with the FCA's outsourcing requirements in SYSC 8, calls for documented exit plans, contractual SLAs, and concentration risk analysis. Both regulators take the view that outsourcing a service does not outsource regulatory responsibility for it.
Map your important business services and technology dependencies