In March 2021, the FCA published PS21/3, its policy statement on operational resilience for the UK financial services sector. The rules came into force on 31 March 2022, with a transitional period running to 31 March 2025, by which date firms had to be able to show they could remain within their impact tolerances. That window closed in March 2025. For IFA managing directors who have not yet acted, the question is no longer whether to comply - it is how exposed you are right now and what you do about it in the next 90 days.
What PS21/3 actually requires
The FCA's operational resilience framework (SYSC 15A) has three core requirements. The rules apply directly to banks, building societies, PRA-designated investment firms, insurers, recognised investment exchanges, enhanced scope SM&CR firms and payment and e-money firms. Most IFA practices are core or limited scope SM&CR firms and fall outside that direct scope, but they remain bound by the general requirement in SYSC 4.1.1R to have robust governance arrangements and business continuity planning, and the FCA has said it expects firms outside the formal scope to consider the same approach proportionately. Appointed representatives are not authorised firms in their own right: their principal carries the obligation for the services the AR delivers.
First, firms must identify their Important Business Services - the specific services they deliver to external clients that, if disrupted, could cause intolerable harm to those clients or to market integrity. For an IFA firm, this typically includes portfolio management, client reporting and financial advice delivery; client data access is better treated as a dependency of those services than as a service in itself. The key word is specific: broad categories such as "advice" are not sufficient. The FCA expects firms to name and document the exact services and the systems and people that support them.
Second, firms must set an impact tolerance for each Important Business Service - the maximum tolerable level of disruption before the harm to clients or market integrity becomes intolerable. The tolerance must always include a time-based metric (how long the service can be unavailable), and firms may add others, such as the number of clients affected or the volume of transactions delayed. The FCA does not prescribe the figure; the firm sets it and must be able to justify it.
Third, firms must test their ability to remain within those tolerances during severe but plausible disruption scenarios. Testing must be documented, reviewed, and the results must feed back into the firm's governance processes. Supporting these three requirements, the rules also expect firms to map the people, processes, technology, facilities and information that each service depends on, and to maintain a written self-assessment that the board has reviewed and approved.
The FCA's Multi-Firm Cyber and Technology Resilience Review in 2023 found widespread failures in board-level oversight and third-party dependency mapping across the wealth management and financial planning sector. The regulator named these as priority areas for supervisory attention going forward.
Why cyber risk sits at the centre of this
Operational resilience and cyber governance are not separate obligations. A ransomware attack that locks advisers out of client data, a phishing attack that compromises a client's investment instructions, or an IT supplier incident that takes down your practice management system - each of these is an operational resilience failure. Each of these will be assessed against your documented impact tolerances.
The question the FCA will ask is not whether you experienced an incident. It is whether you had governance in place to understand the risk, whether you had documented tolerances in place to measure the impact and whether your board was aware of and accountable for the firm's posture before the incident occurred.
If the answer to any of those questions is no, the incident is also a governance failure - and governance failures attract regulatory consequences that technical incidents on their own do not.
What a non-compliant firm looks like in practice
In our work with IFA firms, we regularly encounter the same patterns. The managing director is aware of operational resilience as a concept but has never formally documented the firm's Important Business Services. The IT provider manages the systems but has never been asked to produce a documented recovery timeline. The board has never discussed cyber risk as a standing agenda item. There is no documented incident response plan that the managing director has read, let alone tested.
None of these firms consider themselves non-compliant. Most would say they are "working on it" or that their IT provider has it covered. The FCA's position is clear: intent is not compliance. Documentation that the board has reviewed and approved is the evidence of compliance.
What to do in the next 90 days
The good news is that the compliance gap for most IFA firms is not vast. The starting point is documentation, not infrastructure. Few firms need new technology to close the governance gap; the assessment may surface technical weaknesses, but the first missing piece is almost always structured governance oversight that translates your existing posture into a documented, board-level position.
A practical 90-day path for a non-compliant IFA firm looks like this. In the first 30 days, commission an independent assessment of where your firm actually stands across the governance domains the assessor maps to the FCA's expectations and NCSC guidance - not a self-assessment, but an independent one that you can reference if challenged. In days 30 to 60, produce the governance documentation: Important Business Services, impact tolerances, a dependency map covering people, systems and third parties, an incident response plan that names the people responsible and the order in which they act, and the written self-assessment that ties them together. In days 60 to 90, present the output to your board, record the board discussion in the minutes and file the documentation in your FCA compliance file.
That is the minimum viable compliance position. It will not eliminate risk, but it will create the documented, defensible governance record that the FCA is looking for.
Consumer Duty, which came into force for open products and services in July 2023 and for closed products in July 2024, adds a parallel obligation. Firms must actively monitor client outcomes - and a cyber incident that disrupts client servicing can be a Consumer Duty failure, not just an IT event, if the firm cannot show it anticipated the risk and protected those outcomes. The board remains accountable for the governance structures that protect client outcomes; the Consumer Duty champion's role is to make sure the Duty is a standing part of board discussion, and senior managers carry personal accountability under SM&CR for the areas they are responsible for.
The role of third-party providers
One of the most common misunderstandings we encounter is the belief that outsourcing IT operations to a managed service provider transfers the operational resilience obligation. It does not. The FCA is explicit: firms remain accountable for the operational resilience of their Important Business Services regardless of whether delivery is outsourced. This includes your investment platforms (Transact, Nucleus, Parmenion), your practice management system, your CRM and your IT MSP.
What this means in practice is that your firm needs to have reviewed the security posture and resilience commitments of each of those providers and documented that review. Most IFA firms have never asked their MSP for a SOC 2 report or their Cyber Essentials certificate. When you do ask, check what you are given: a SOC 2 Type II report covers controls operating over a period, where a Type I only covers a point in time; Cyber Essentials is a self-assessment, where Cyber Essentials Plus is independently tested. Ask each provider for its recovery time commitment for the service you depend on, evidence that it has tested it, and how it will notify you of an incident, because those are the figures your own impact tolerances rest on. That conversation needs to happen before your next FCA visit.
One question to ask yourself today
If an FCA supervisor called you tomorrow and asked you to describe your firm's Important Business Services and the impact tolerances you have set for each one, could you answer without hesitation? Could you point them to a document in your compliance file that evidences the answer?
If the answer is no, the March 2025 deadline has already passed and you are operating without the governance documentation that the FCA's framework sets out and that supervisors will expect to see. The time to act is now - not because a deadline is approaching, but because one has already passed.
