FCA Operational Resilience in 2026: What Your IT Infrastructure Must Actually Deliver

Operational resilience is not a policy document. It is a live, tested, continuously maintained state of your IT infrastructure. The FCA does not want to read about your resilience plans — it wants evidence that you have mapped your systems, tested your tolerances, and can demonstrate that your important business services would continue through a disruption. That evidence lives in your IT environment.

This guide explains what PS21/3 and the FCA's evolving resilience framework actually require from your technology infrastructure in 2026, what the March 2027 incident reporting changes mean for your IT team, and how a specialist financial services IT provider can bridge the gap between regulatory obligation and operational reality.

What FCA PS21/3 Actually Requires Your IT to Do

PS21/3 applies to banks, building societies, PRA-designated investment firms, insurers, payment providers, and enhanced scope SM&CR firms. If your firm is FCA-regulated and falls into any of these categories, full compliance was mandatory by 31 March 2025.

The core requirements are deceptively simple to state and genuinely difficult to operationalise without specialist IT support:

What the March 2027 Incident Reporting Changes Mean for Your IT Team

On 18 March 2026, the FCA published new incident reporting and third-party notification requirements, giving firms 12 months to prepare before these come into force on 18 March 2027. The changes introduce:

• Clearer reporting obligations for operational incidents — what triggers a report, when it must be submitted, and what information is required
• Material third-party notifications — firms must report significant operational issues affecting their IT outsourcers and cloud providers to the FCA
• Tighter timelines — the FCA is reducing the window between incident detection and initial notification for the most serious disruptions

For your IT team, this means your monitoring and alerting infrastructure must be capable of detecting incidents quickly enough for your compliance team to file accurate notifications within the regulatory window. It also means your IT provider must be able to supply incident timelines, root cause analysis, and remediation evidence on short notice.

Firms whose IT environments generate poor logging, whose monitoring is reactive rather than proactive, or whose IT providers cannot produce structured incident reports will find the March 2027 requirements extremely difficult to meet.

The IT Infrastructure Requirements Behind FCA Compliance

Translating PS21/3 obligations into specific IT requirements, your infrastructure needs to deliver the following:

Comprehensive system dependency mapping

Your IT provider must be able to produce and maintain a live map of every system, application, and third-party service your important business services depend on. This is not a spreadsheet — it is a maintained, versioned, accurate record of your IT architecture that your compliance team can cite in FCA submissions.

Recovery time objectives under your impact tolerances

If your impact tolerance for client account access is four hours, your IT disaster recovery plan must guarantee recovery within that window — and must have been tested to prove it. A theoretical RTO that has never been validated is worthless for FCA purposes.

Immutable audit logging across all critical systems

Every access event, system change, and incident must be logged in tamper-proof storage. These logs are the evidential foundation of your FCA compliance position. They are also your primary resource when investigating a breach or responding to an FCA supervisory review.

Communication archiving for COBS record-keeping

FCA COBS 11.8 and MiFID II require firms to retain records of relevant communications. Microsoft 365 Compliance Centre, properly configured and actively managed, provides the archiving capability you need — but the default M365 configuration does not satisfy these requirements out of the box. It requires specialist configuration and ongoing management.

Information barriers between front and back office

For firms with both advisory and execution functions, information barriers are a regulatory requirement — not just a governance nicety. In Microsoft 365, these are implemented through Information Barrier Policies, which must be configured, tested, and maintained by an IT team with specific M365 compliance expertise.

What to Expect From a Financial Services IT Provider

The difference between a generalist IT provider and one that genuinely understands the FCA environment is measurable. When Foxcomm onboards a financial services client, we produce:

• A full SYSC 8 outsourcing contract pack with audit access rights, security controls documentation, and sub-contractor disclosure
• System dependency mapping documentation in the format required for PS21/3 self-assessment
• A written disaster recovery plan with tested RTOs aligned to your stated impact tolerances
• Microsoft 365 hardening and compliance configuration including archiving, information barriers, DLP policies, and Conditional Access
• Monthly security and uptime reporting that gives your compliance team real data rather than verbal assurances
• Structured incident reports with timeline, root cause, and remediation — in the format the FCA expects

A generalist provider will deliver infrastructure. A financial services specialist delivers infrastructure and the compliance documentation layer that sits on top of it.

The Honest Assessment: Is Your IT Currently FCA-Ready?

If you cannot answer yes to the following questions, there are gaps in your FCA compliance position that your IT infrastructure needs to address:

• Do you have a written, tested, and dated disaster recovery plan with RTOs aligned to your PS21/3 impact tolerances?
• Has your IT provider supplied SYSC 8-compliant contractual documentation including audit access rights?
• Are your Microsoft 365 communications archived in tamper-proof storage for the required retention periods?
• Have you run at least one formal IT resilience scenario test in the last 12 months and documented the outcome?
• Does your IT monitoring give you the logging depth needed to file accurate FCA incident reports within regulatory timelines?
• Are information barriers configured and tested if your firm has conflicting business functions?

If any of these are answered with "we're not sure" or "our IT provider handles it", the answer is no — and it is worth finding out precisely what your provider is and isn't delivering before the FCA asks the same questions.