Regulatory Whitepaper

FCA Operational Resilience:
PS21/3 and Third-Party Technology Risk

The FCA's operational resilience framework, impact tolerances, and how firms can meet their obligations when critical systems are vendor-managed.

Updated January 2026 | FCA PS21/3 | SS2/21 | UK DORA alignment

Executive Summary

The FCA's Policy Statement PS21/3 introduced a binding operational resilience framework for UK financial services firms, requiring them to identify important business services, set impact tolerances, and demonstrate the ability to remain within those tolerances by March 2025. For firms whose important business services depend on third-party ICT vendors, PS21/3 creates a direct obligation to ensure vendor risk does not compromise resilience commitments. This paper sets out the framework and how DORAssure supports compliance.

The FCA Operational Resilience Framework

PS21/3 — published jointly by the FCA, PRA, and Bank of England in March 2021 — established a new operational resilience standard for the UK financial sector. The framework requires firms to:

  • Identify their important business services — those where a disruption would cause intolerable harm to consumers, market integrity, or financial stability
  • Set impact tolerances for each important business service — the maximum period of disruption they could sustain without causing that intolerable harm
  • Map the resources — people, technology, data, facilities, third parties — that support each important business service
  • Test their ability to remain within those impact tolerances through scenario-based testing

The March 2025 deadline required firms to demonstrate, not merely plan, that they can remain within their impact tolerances. Testing evidence must be available to supervisors on request.

Third-Party Technology and Impact Tolerances

Where an important business service depends on a third-party ICT vendor, the firm cannot set an impact tolerance that is simply impossible to meet if that vendor fails. The FCA expects firms to stress-test vendor failure scenarios and demonstrate that their resilience arrangements — including exit and substitution arrangements — allow them to remain within tolerance.

"Firms should consider how the failure of a third-party service provider would affect important business services and whether this could result in an important business service being unable to operate within its impact tolerance."

— FCA SS1/21, Chapter 8

For trading venues, investment managers, and firms providing execution, clearing, or settlement services, the relevant impact tolerances are typically measured in hours, not days. A recovery timeline of 6–12 months — implicit in a code escrow model — is structurally incompatible with these tolerances.

The FCA has been explicit that impact tolerances set at levels firms cannot actually demonstrate are not acceptable. Where a firm's resilience arrangements are inadequate to support a credible tolerance, supervisors may require the firm to either reduce its exposure to the relevant vendor or implement credible backstop arrangements.

SS2/21: PRA Expectations on Outsourcing

The PRA's Supervisory Statement SS2/21 on outsourcing and third-party risk management reinforces these expectations for PRA-regulated firms. It requires robust written exit strategies, testing of those strategies, and specific provisions for "exit in stressed conditions" — scenarios where the vendor fails suddenly or becomes insolvent.

Critically, SS2/21 requires that exit strategies be "based on realistic assumptions" about the firm's internal capabilities. Most firms do not have the engineering depth to operate a bespoke vendor-built system from source code alone — and the PRA knows it. Overstated internal capability claims in exit plans are a supervisory red flag.

UK Alignment with DORA

While DORA applies directly to EU-regulated entities and activities, the FCA has signalled its intention to align the UK framework with DORA's structure for ICT third-party risk. The FCA's Critical Third Parties (CTP) regime — introduced under the Financial Services and Markets Act 2023 — creates direct supervision of technology providers whose failure could cause systemic disruption.

For firms operating across UK and EU jurisdictions, DORAssure's DORA-aligned architecture provides a single continuity framework that satisfies both regulatory environments — avoiding the complexity of maintaining separate exit plans for UK and EU regulated activities.

DORAssure's FCA-Aligned Architecture

Impact tolerance support

DORAssure's 48-hour step-in SLA is designed to support realistic impact tolerances for important business services — allowing firms to set tolerances they can actually demonstrate, not aspirational figures.

Scenario testing evidence

Quarterly full activation exercises produce documented evidence for PS21/3 scenario-based testing requirements. Test reports are structured for regulatory presentation.

Credible stressed-exit capability

Our architecture is independent of the incumbent vendor's infrastructure — not a relay or sub-arrangement. In a vendor insolvency scenario, DORAssure can activate without requiring any vendor cooperation.

UK–EU dual jurisdiction coverage

A single DORAssure engagement covers both UK (PS21/3, SS2/21) and EU (DORA) regulatory environments — reducing compliance overhead for cross-jurisdictional firms.

Meet your FCA resilience obligations

Request an assessment of your impact tolerance gap against your current exit arrangements.