Data protection specialists working in organisations engaged in banking activities or payment services will need to participate in compliance efforts to ensure operational resilience in 2022.
As we noted at the time, in March 2021 the UK Financial Conduct Authority (FCA) and Prudential Regulation Authority published new rules (SS1/21) on operational resilience for firms in the financial sector.
The rules on operational resilience will come into effect on 31 March 2022, and firms are expected to complete their initial mapping to self-identify important business functions by then. Firms should then identify vulnerabilities and put measures in place to remedy those vulnerabilities so that their important business services fall within set impact tolerances as soon as possible and in any case by no later than 31 March 2025. If a firm fails to meet the impact tolerances, it must notify the FCA.
Compliance with operational resilience requirements entails a considerable investment of resources and effort on the part of firms. There is an overlap with the data protection compliance efforts firms have already undertaken: accountability is also at the core of the operational resilience requirements, the focus likewise shifts from the firm’s own commercial interests towards the interests of consumers, and the approach is similarly risk-based. Firms will likely look at processes and procedures already put in place by their data protection teams as a useful starting point, because the steps required for GDPR compliance are similar: the mapping exercise to identify the resources necessary to deliver important business services, the governance framework, internal training and accountability, and risk assessment and risk management.
What is in scope: important business services only
The focus of operational resilience is on preventing disruptions to important business services provided by firms that may cause intolerable harm to consumers or market integrity. Therefore, internal processes such as payroll management may not be covered by the requirements. It is the firm’s responsibility to determine what those important business services are.
Risk to consumers: intolerable harm vs any risk
Firms are required to consider people, processes, technology, facilities and information as necessary resources to deliver important business services. Loss of confidentiality, integrity and availability of data are listed as risks that may cause intolerable harm to consumers by the FCA (section 15A2.7(9) of the Operational Resilience Instrument 2021). These risks are also addressed by the GDPR in line with the principles of integrity and confidentiality of personal data. However, in the operational resilience context, it is not just any risk, but intolerable harm, that must be addressed. “Intolerable harm” is defined as “harm from which consumers cannot easily recover. This could be, for example, where a firm is unable to put a client back into a correct financial position, post-disruption, or where there have been serious non-financial impacts that cannot be effectively remedied. Intolerable harm is much more severe than inconvenience or harm” (section 3.8 of PS21/3).
No requirements to process personal data
The FCA requires that, in identifying an important business service, firms also identify the users of the service (section 2.6 of SS1/21). Users are understood to mean both individual customers and business customers (“The users of the service may include retail customers, business customers, other legal entities, trustees, market participants, the supervisory authorities, or other members of a regulated entity’s group”). The FCA clarified that in identifying an important business service there is no need to “identify consumers by name or change existing requirements for the handling of customer data” (section 2.21 of PS21/3).
Also, as part of the mapping exercise, firms are required to “identify and document the necessary people, processes, technology, facilities and information (the ‘resources’) to deliver each of their important business services” (section 5.1 of SS1/21). This means firms will need to identify individuals in key roles in sufficient detail so that measures can be taken when these individuals are not available. In identifying people responsible for processes, technology, and implementing and monitoring controls, firms should avoid naming key individuals and refer to their roles instead, where possible. Overall, any new processing activities linked to operational resilience purposes must comply with data protection principles, including data minimisation, to ensure that no personal data is processed unless it is sufficiently justified (including when testing for vulnerabilities or weaknesses in systems, technologies, services and processes). Where personal data is processed, the lawful bases for such new processing activities must be determined and documented, and any risks in processing that personal data assessed as usual. Personal data should not be retained for longer than is necessary for each step of the operational resilience compliance effort.