Important business services: how to identify them in practice

Important business services: how to identify them in practice

The concept of the important business service sits at the centre of the FCA’s operational resilience framework. Under Policy Statement PS21/3, firms must identify the services they provide to external clients which, if disrupted, would cause intolerable harm to consumers or market integrity. The identification exercise is the foundation on which impact tolerances, scenario testing and the entire operational resilience programme are built — yet the FCA has consistently noted in its supervisory feedback that firms approach it incorrectly, either casting the net too widely or excluding services that clearly meet the harm threshold.

This article sets out how to approach the identification exercise correctly, the criteria the FCA expects firms to apply, and the common errors that lead to identification frameworks that do not hold up under regulatory scrutiny.

The starting point: the external client perspective

An important business service is a service provided to external clients — not an internal process, a support function, or an activity that exists solely to enable the firm to operate. This distinction is fundamental and frequently misapplied. Compliance monitoring, risk management, financial reporting, and HR are not important business services regardless of how critical they are to the firm’s operations. They are internal functions that support the delivery of services to clients but are not themselves services the firm provides to external parties.

The exercise begins by asking what services the firm’s clients or customers actually receive. A payment institution’s clients receive the ability to initiate and receive payments. A wealth manager’s clients receive portfolio management and custody services. An FCA-authorised investment firm’s clients receive trade execution, order management and settlement. Each of these is a candidate important business service — they are delivered to external parties, and their disruption would have consequences the client experiences directly.

Applying the harm test

Not every service a firm provides to external clients is an important business service. The test is whether disruption to the service — for a period beyond the firm’s control — would cause intolerable harm to consumers, damage market integrity, threaten financial stability, or undermine confidence in the UK financial system. The FCA is explicit that firms must apply a genuine harm assessment, not simply list every service the firm offers.

The relevant factors in the harm assessment include: the number of consumers affected; whether affected consumers could readily access the same service from an alternative provider; the vulnerability of the consumer population using the service; the time-sensitivity of the service (a payment that must clear before a contractual deadline has higher harm potential than a reporting service with a weekly cycle); and whether the firm plays a critical role in a market that would be disrupted if its service failed.

A consumer-facing payment firm that processes salary payments for corporate clients has an important business service — if its payment service fails, consumers cannot access funds they rely on for essential expenditure, and there is no immediate substitute. The same firm’s business current account opening process is probably not an important business service — disruption to account opening causes inconvenience but not intolerable harm, and clients can use existing accounts or open accounts elsewhere.

Mapping the service end-to-end

Once candidate important business services are identified, the firm must map each service from the point of the client’s interaction with the firm to the point at which the service is delivered to the client. This mapping identifies the people, processes, technology, facilities and third-party dependencies that together constitute the service. The mapping serves two purposes: it ensures the firm understands what needs to be maintained to keep the service running within its impact tolerance, and it reveals dependencies that might not be apparent from a high-level view of the service.

A trade execution service, for example, may depend on: the firm’s order management system, its connectivity to an exchange or MTF, its prime brokerage or clearing arrangements, its post-trade settlement system, and its reconciliation processes. Each of these is a component of the important business service. The operational resilience programme must address the resilience of each component, not just the front-end interface that clients interact with.

The level of granularity

The FCA does not specify how many important business services a firm should identify, but its supervisory feedback has been clear that firms with long lists of granular IBS — sometimes running to dozens of entries — have typically miscategorised sub-functions as services rather than mapping at the appropriate level. A wealth management firm does not have separate important business services for “equities portfolio management,” “fixed income portfolio management,” and “alternative investments portfolio management” if all three are delivered through a single client-facing portfolio management service. The appropriate level is the service as experienced by the client, not the internal process breakdown.

Equally, firms that identify only one or two important business services across complex, multi-product businesses have typically drawn the boundary too broadly. A bank that identifies “banking services” as its single important business service and then sets a single impact tolerance for it has not engaged substantively with the exercise.

Common identification errors

The FCA’s supervisory work has identified several recurring errors in the important business service identification exercise. Including internal functions — operational risk management, financial crime compliance, technology infrastructure — as important business services is the most common. These functions are critical enablers but they are not services delivered to external clients.

A second common error is identifying important business services at the wrong level of abstraction — either too granular (individual transactions, product types) or too broad (the entire firm’s regulated activity). The firm’s board should be able to read the list of important business services and recognise each as a coherent, client-facing activity with a defined scope.

A third error is failing to review the identification as the business evolves. Firms that completed their initial identification exercise in 2022 and have not updated it since may have services that have grown significantly, new services that were not covered, or services that have been discontinued but remain on the list.

Documentation and board approval

The firm’s identification of its important business services must be documented with a clear rationale for each service included and for any service that was considered but excluded. The board must be involved in approving the firm’s important business services — this is not a purely technical determination that can be delegated to the operational resilience or technology function. The board’s approval creates accountability for the identification decision and ensures that the organisation’s most senior decision-makers understand what the firm considers essential to its clients.

FD Capital places operational resilience professionals and heads of compliance in FCA-regulated firms where the PS21/3 framework is a primary governance obligation. The specific knowledge required to lead an important business service identification exercise — combining regulatory knowledge with business analysis and board-level communication skills — is a defining capability for this type of appointment.

Related Services

• Operational Resilience Recruitment
• Compliance Recruitment
• SMCR Compliance Recruitment
• Recruitment for FCA Regulated Firms

Related Guides

• FCA Impact Tolerances: Setting, Testing and Reviewing
• Operational Resilience Guide
• DORA: What UK Firms Need to Know
• SMCR: A Complete UK Guide