Operational resilience expectations apply to PSPs too – are you ready for the FCA test?
- Adempi

Think Operational Resilience is just for Banks? If you are a Payments Service Provider, think again!
The FCA is turning its focus to PSPs, and they’re ready to test how well your resilience framework really works.
What Does Operational Resilience Mean for PSPs?
At its core, operational resilience is about your ability to prevent, respond to, recover from, and learn from operational disruptions. For PSPs that means identifying your most critical business services, understanding what could disrupt them, and having robust plans in place to keep those services running – or restore them quickly when they fail.
Operational disruptions for PSPs aren’t just inconvenient, they cascade! A systems outage, processing delay or cyber incident can have serious knock-on effects: it can halt merchant sales, freeze consumer transactions, and create issues across the wider payments ecosystem. One small glitch in your environment can have big and immediate consequences.
The FCA reinforced this when it extended operational resilience requirements to payment and e-money firms in 2022. Since then, firms have been expected to identify their important business services, map dependencies, set impact tolerances, and build resilience into their day-to-day operations, not just document it on paper.
But identifying services is just the start. The real test is whether your plans actually work when things go wrong.
The FCA Is Watching – And Testing
The FCA has been clear: it expects firms to test their operational resilience regularly and rigorously, running scenario tests to ensure their plans can withstand realistic disruptions, from cyber-attacks and IT failures to third-party outages and even pandemics.
Recent supervisory work suggests the FCA is increasing scrutiny on how well firms are testing their resilience in practice. For PSPs, that means your operational resilience framework isn't just a compliance tick-box exercise. It's something you need to be able to demonstrate, evidence, and – critically – defend under scrutiny.
Ask yourself:

Have you clearly identified your important business services?
Do you know the maximum tolerable level of disruption for each one?
Have you mapped out all your critical dependencies – including third parties, cloud providers, and key personnel?
Are your scenario tests realistic, challenging, and documented?
Can you show how you've acted on the lessons learned from testing?
If you're hesitating on any of these, it's time to revisit your resilience planning.
Common Pitfalls for PSPs
From what we see, common gaps in PSP operational resilience frameworks include:
Impact tolerance without evidence. Many firms declare impact tolerances (e.g., “Service must be restored within 4 hours”) without showing how that figure was calculated, or whether it’s operationally achievable.
Underestimating third-party risk. Many PSPs rely heavily on third-party providers for everything from cloud infrastructure to payment rails. If those providers fail, can you continue operating? Do you have contingency plans in place? Have you tested them?
Overlooking people risk. Operational resilience isn't just about technology. What happens if key staff are unavailable? Do you have clear succession plans and documented procedures that others can follow? In smaller PSPs, this can be a real vulnerability – when one person holds all the knowledge about a critical process.
Weak testing regimes. Running a desktop exercise once a year isn't enough. The FCA expects regular, realistic testing that challenges your assumptions and uncovers vulnerabilities before a real incident does. That means going beyond the comfortable scenarios and testing what genuinely keeps you up at night.
Poor governance and oversight. Senior management and the board need to own operational resilience. It's not something you can delegate entirely to IT or operations teams. The FCA will want to see board-level engagement and clear accountability. This needs to be a regular agenda item, not an annual review that gets squeezed between other priorities.
What Should You Do Now?
If you haven't already, start by reviewing your operational resilience framework against the FCA's expectations.

Focus on:
Mapping and testing. Identify your important business services and map out all dependencies. Then test, test, test. Use realistic scenarios and document what you learn. Don't just test the easy stuff – challenge yourselves with scenarios that would genuinely stress your systems and people.
Third-party assurance. Make sure you understand the resilience of your critical third parties. What are their recovery times? Do they align with your impact tolerances? Have you seen evidence of their testing? And crucially – what happens if they go down? Do you have alternatives lined up?
Governance. Ensure your board and senior management are actively involved in overseeing resilience. This should be a regular agenda item, with clear ownership at the top. Your board needs to understand not just what could go wrong, but what you're doing about it.
Response playbooks and runbooks. Documentation needs to be more than a high-level policy. You need practical, step-by-step playbooks for when incidents occur: who does what, in what order, with what tools, and how communication is handled. These should be rehearsed, not written once and shelved.
Documentation. The FCA will want to see clear evidence of your approach, your testing, and how you've responded to findings. Make sure you can produce this quickly and confidently. Good documentation isn't just about satisfying the regulator – it's about being able to act fast when something goes wrong.
The Bottom Line
Operational resilience isn't optional for PSPs, and it's not going away. The FCA is watching, and firms that haven't taken it seriously risk supervisory action, reputational damage, or worse – real operational failures that disrupt customers and the wider market.
The question isn't "How do we avoid disruption?" It's "When disruption happens – and it will – can we keep our critical services running?"
If you're not confident you'd pass the FCA's test, now is the time to act.
Not sure where to start with operational resilience, or need help stress-testing your framework?

Adempi's FCA compliance consultants can help you build a resilient, regulator-ready approach.
Get in touch with Adempi’s Payments & E-Money team to discuss how the upcoming FCA framework might affect your operations and future product strategy: email contact@adempi.co.uk or call 0203 925 4761.
Or to find out more about our services you can head to our webpage: Adempi - FCA Compliance Consultants.




