What Operational Resilience Assurance Should I Seek From My Platform Provider?
Quick Answer
Operational resilience is not just a buzzword; it's a regulatory requirement. Learn what assurance you should seek from your platform provider.
Detailed Answer
This article is for informational purposes only and does not constitute financial or legal advice. You should consult with a qualified professional before making any decisions about your choice of platform.
What Operational Resilience Assurance Should I Seek From My Platform Provider?
Operational resilience is no longer a back-office IT issue; it is a board-level strategic imperative, and it is at the very top of the FCA’s supervisory agenda. For financial advisers, the operational resilience of your platform provider is a direct risk to your clients and your business. The deadline for full compliance with the FCA’s rules (PS21/3) was 31 March 2025. The time for asking polite questions is over. You need to be seeking, and receiving, concrete assurance.
When your platform goes down, your clients cannot see their valuations, they cannot place trades, and they cannot access their money. This is not a minor inconvenience; it is a fundamental failure of an important business service. The FCA has made it clear that it will not tolerate firms that cannot demonstrate they can prevent, adapt to, and recover from operational disruptions.
As an adviser, you are placing your clients’ assets and your professional reputation in the hands of your platform provider. You have a duty to satisfy yourself that they are taking their operational resilience obligations seriously.
Moving Beyond the Marketing Spiel
Your platform provider will tell you they are “committed to operational resilience.” They will show you their business continuity plan and talk about their disaster recovery sites. This is not enough.
The FCA’s framework requires a far more sophisticated and evidence-based approach. It is based on a simple but powerful logic:
- Identify Important Business Services: What are the critical services you provide to your customers?
- Set Impact Tolerances: How long can each of those services be disrupted before it causes intolerable harm to your customers or the market?
- Map the Dependencies: What are the people, processes, technology, and third parties that support each important business service?
- Test Your Ability to Remain Within Tolerance: You must conduct regular, robust scenario testing to prove that you can continue to deliver your important business services, even in the face of severe but plausible disruption.
Your Operational Resilience Due Diligence Questionnaire
You need to be asking your platform provider for specific evidence that they are meeting these requirements. Your due diligence questionnaire should include the following questions:
| Due Diligence Area | Key Questions for Your Platform Provider |
|---|---|
| 1. Important Business Services | Can you provide us with a list of your identified important business services that are relevant to us and our clients (e.g., client onboarding, dealing, valuations, transfers)? |
| 2. Impact Tolerances | What are the impact tolerances you have set for these services? Can you explain the methodology you used to determine these tolerances and how you have considered the risk of consumer harm? |
| 3. Scenario Testing | Can you provide us with a summary of your scenario testing programme for 2025/2026? What severe but plausible scenarios have you tested against (e.g., a major cyber-attack, a key third-party supplier failure, a prolonged data centre outage)? What were the outcomes of these tests, and what lessons have you learned? |
| 4. Third-Party Dependencies | Can you provide us with a mapping of your key third-party dependencies, particularly your underlying technology provider? What assurance have you obtained from them about their own operational resilience? What is your contingency plan if one of these key third parties fails? |
| 5. Governance and Accountability | Who is the Senior Manager on your board responsible for operational resilience? How does the board satisfy itself that the firm is meeting its operational resilience obligations? Can you provide us with a summary of your operational resilience self-assessment? |
What Good Assurance Looks Like
A platform that is truly on top of its operational resilience obligations will be able to provide you with clear, detailed, and evidenced answers to these questions. They will be able to talk you through their methodology, share the key findings from their testing, and demonstrate a culture of continuous improvement.
A platform that is struggling will be evasive. They will give you vague assurances, point you to their generic business continuity plan, and be unable to provide concrete evidence of their testing programme.
The Bottom Line: Resilience is a Condition of Trust
In the post-PS21/3 world, operational resilience is a fundamental condition of doing business in the UK financial services market.
As a financial adviser, you cannot afford to place your trust in a platform provider that cannot demonstrate its resilience. The risks to your clients and your business are simply too great.
Seeking this assurance is not an optional extra; it is a core part of your professional duty. And if a platform is unwilling or unable to provide it, you need to ask yourself a very simple question: why are you still doing business with them?
Take the Next Step
If you are ready to move from theory to action, I can help. My AI Audit gives you a comprehensive assessment of your firm's AI readiness, identifying the gaps in your governance, the risks in your current tooling, and a clear roadmap to get you where you need to be.
Book a Discovery Call → or learn more about the AI Audit.