Financial Services

Operational resilience for fintech SMEs

FCA PS21/3 and the operational resilience rules apply to firms of every size — not just systemically important banks. For a fintech SME, the practical question is how to identify important business services, set impact tolerances, and map third-party dependencies without drowning in framework.


The rules in plain English

The FCA expects firms to identify their important business services (IBS), set impact tolerances (the maximum tolerable disruption), map the people, processes, technology and third parties supporting each IBS, and demonstrate they can remain within tolerance during severe-but-plausible scenarios.

For a 30-person fintech, this is not optional and not a paperwork exercise — supervisors are now asking direct, evidence-based questions during routine engagement.

Identifying important business services

An IBS is a service provided to an external customer the disruption of which could cause intolerable harm. For a payments fintech, that's typically the ability to initiate and settle a payment. For a wealth platform, it's the ability to view holdings and place orders. Internal functions like HR or finance are not IBS.

  • Start with the customer outcome, not the system.
  • Keep the list short — most SMEs have between two and five IBS.
  • Validate the list with the executive and the board.

Setting impact tolerances

Impact tolerance is a quantified maximum — usually expressed in time (e.g. 'payment initiation must resume within 4 hours') or volume (e.g. 'no more than 1% of daily payment volume lost'). It is not the same as a recovery time objective, although the two should be reconciled.

  • Express tolerances in customer-impact terms, not internal IT terms.
  • Test tolerances against severe-but-plausible scenarios — cloud region outage, ransomware, payment-rail failure.
  • Don't set tolerances based on what the current architecture can already deliver; that defeats the purpose.

Third-party risk: the part the FCA will actually ask about

Most fintech SMEs run on third parties — AWS or Azure, Stripe or Modulr, identity providers, ledger systems. The FCA expects firms to understand concentration risk, contractual rights to audit, exit and substitution plans, and the resilience posture of each material supplier.

The new DORA-aligned expectations also push firms to maintain a register of ICT third-party arrangements with service criticality and dependency mapping.

  • Maintain a third-party register with criticality, data flows and contractual rights.
  • Document exit and substitution plans for every material supplier.
  • Obtain SOC 2 Type II or equivalent assurance — and read it, don't just file it.
  • Run a supplier failure scenario test annually.
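To make the tolerance reconciliation and third-party register checks above concrete, here is an added example (not from the FCA or this article) in Python: a constructed register and IBS list, with a check that flags a supplier whose RTO is slower than the impact tolerance of a service it supports, a supplier that underpins more than one IBS (concentration risk), and suppliers with no exit plan or assurance on file. All supplier names, hours and other values are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Supplier:
    name: str
    rto_hours: float     # supplier's stated recovery time objective
    exit_plan: bool      # documented exit / substitution plan exists
    assurance: str       # assurance obtained, e.g. "SOC 2 Type II" or "none"

@dataclass
class IBS:
    name: str
    tolerance_hours: float   # impact tolerance, expressed in customer terms
    suppliers: list          # names of suppliers the service depends on

def assess(services, register):
    """Return findings: tolerance breaches, concentration, missing exit plans or assurance."""
    findings = []
    usage = defaultdict(list)   # supplier name -> IBS names that depend on it
    for svc in services:
        for name in svc.suppliers:
            usage[name].append(svc.name)
        # Recovery of the service is bounded by its slowest supplier; reconcile with tolerance
        slowest = max(register[n].rto_hours for n in svc.suppliers)
        if slowest > svc.tolerance_hours:
            findings.append(f"{svc.name}: slowest supplier RTO {slowest:g}h exceeds tolerance {svc.tolerance_hours:g}h")
    for name, used_by in usage.items():
        sup = register[name]
        if len(used_by) > 1:
            findings.append(f"{name}: concentration risk, supports {', '.join(used_by)}")
        if not sup.exit_plan:
            findings.append(f"{name}: no documented exit/substitution plan")
        if sup.assurance == "none":
            findings.append(f"{name}: no independent assurance obtained")
    return findings

# Constructed sample register and IBS list (hypothetical values, for illustration only)
REGISTER = {
    "cloud": Supplier("cloud", rto_hours=6, exit_plan=False, assurance="SOC 2 Type II"),
    "payment_rail": Supplier("payment_rail", rto_hours=2, exit_plan=True, assurance="SOC 2 Type II"),
    "idp": Supplier("idp", rto_hours=1, exit_plan=True, assurance="none"),
}
SERVICES = [
    IBS("payment initiation", tolerance_hours=4, suppliers=["cloud", "payment_rail", "idp"]),
    IBS("view balances", tolerance_hours=8, suppliers=["cloud", "idp"]),
]
FINDINGS = assess(SERVICES, REGISTER)
```

Each finding maps to an item the FCA expects to see evidenced: a tolerance breach feeds the remediation roadmap, and a concentration or exit-plan gap feeds the third-party register and scenario test plan.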

Demonstrating resilience

The FCA expects evidence: scenario test plans and outcomes, board minutes discussing the self-assessment, lessons learned from real incidents, and remediation roadmaps with owners and dates. The self-assessment document itself must be reviewed at least annually and after any material change.

Key takeaways

  • Operational resilience rules apply to fintech SMEs, not just large banks.
  • Identify a small, customer-outcome-focused list of important business services.
  • Set impact tolerances in customer terms and test against severe-but-plausible scenarios.
  • Third-party concentration and exit planning is the area supervisors probe hardest.
  • Maintain evidence continuously — board oversight is part of the requirement.