SS5/21: What It Requires and Who It Applies To
PRA Supervisory Statement SS5/21 requires UK-authorised banks, building societies, PRA-designated investment firms and PRA-regulated insurers to identify their important business services, set a maximum tolerable level of disruption for each, and show they can stay within those tolerances during operational incidents. The Prudential Regulation Authority issued the policy in March 2021; firms had to be able to remain within their impact tolerances by 31 March 2025.
What is SS5/21?
PRA Supervisory Statement 5/21 is the Prudential Regulation Authority's policy on operational resilience for PRA-regulated financial firms. The PRA published it on 29 March 2021 alongside its Policy Statement PS6/21, and the FCA published the coordinated PS21/3 on the same day, so the two regulators' requirements form a single package.
The regulation arrived in direct response to a string of serious IT failures across UK banks. TSB's 2018 IT migration locked out 1.9 million customers for weeks and generated hundreds of thousands of complaints. The PRA looked at that incident, and at others, and concluded that banks were managing technology, people, and outsourcing risk in silos, without a consistent picture of which operational failures actually caused customer harm or threatened financial stability.
SS5/21 changes the frame. Instead of auditing controls in isolation, regulators now expect firms to reason from outcomes. The question is no longer "do we have a failover server?" It's "if our payment processing service fails, how long can customers tolerate that, and can we prove we'd recover within that window?"
The framework aligns directly with the Basel Committee on Banking Supervision's Principles for Operational Resilience, which the BIS published in the same month, March 2021 (BCBS Principles for Operational Resilience, BIS, 2021). It also anticipated the direction of EU policy, which later crystallised in the Digital Operational Resilience Act (DORA), applicable from January 2025.
Firms had until 31 March 2022 to complete initial self-assessments and identify their important business services. The harder deadline was 31 March 2025. By that date, firms had to demonstrate they could actually remain within their stated impact tolerances, not just document an aspiration to do so. That second deadline is what separates SS5/21 from earlier guidance that sat in binders.
Who does SS5/21 apply to?
SS5/21 applies to PRA-authorised firms across banking and insurance. That covers a broader set of entities than many compliance teams initially assume:
- UK banks and building societies holding a PRA banking licence, from high-street institutions to challenger banks and specialist lenders
- PRA-designated investment firms, including those that became dual-regulated following Investment Firm Prudential Regime changes
- UK branches of overseas banks, to the extent of their UK operations
- Lloyd's of London and its managing agents
- PRA-authorised insurers, including life insurers and general insurers above the Solvency II size thresholds (measured by gross written premium and technical provisions)
- Central counterparties and other financial market infrastructures are not in scope: they are supervised directly by the Bank of England rather than the PRA, under the Bank's parallel operational resilience policy for FMIs
The FCA published its own PS21/3 on the same date, applying equivalent obligations to FCA solo-regulated firms. Both frameworks use the same definitions of important business services and impact tolerances. Dual-regulated firms must satisfy both regulators. In practice, the PRA's version is more demanding for banks because the Bank of England considers systemic risk alongside consumer harm.
There's no minimum size threshold. The PRA acknowledges that important business services differ by firm complexity. A community lender serving 50,000 customers won't map the same services as a global systemically important institution. Both, however, must complete the self-assessment and scenario testing. Scale determines scope, not whether the obligation applies.
For UK branches of overseas banks, the PRA expects branch-level mapping of services critical to UK customers. A group-level resilience plan that has never been tested against UK-specific failure scenarios won't satisfy this requirement.
What does SS5/21 require?
The framework has six interlocking obligations. Everything flows from getting the foundations right.
Identify important business services. A service is "important" if its disruption would cause intolerable harm to consumers, market integrity, or financial stability. Common examples: retail payments, custody of assets, mortgage servicing, insurance claims handling, securities settlement. The PRA doesn't publish a mandatory list; each firm determines its own through a structured impact assessment.
Set impact tolerances. For each important business service, define the maximum duration of disruption before harm becomes intolerable. These tolerances are expressed in time (hours or days) and optionally in volume (transactions affected, customers unable to access services). The PRA expects outcome-based tolerances, not technology metrics. "Servers restored within 4 hours" is a technology target. "Customers can access account information within 24 hours" is the correct framing.
Map supporting resources. Document the people, processes, technology, facilities, information and third-party suppliers that each important business service depends on. The mapping must go deep enough to expose concentration risk: if a payment service depends on a single cloud provider, directly or through an intermediate system, that dependency must be visible in the map. This connects directly to the risk data aggregation principles in BCBS 239; a firm that cannot aggregate data about its critical systems cannot produce a credible dependency map.
Run scenario tests. Test the firm's ability to remain within each impact tolerance using severe but plausible scenarios. Scenarios must cover third-party failures, cyber attacks, and combinations of disruptions occurring together. The PRA expects testing to be regular; in practice, firms test every important business service at least annually so the results feed the annual self-assessment refresh.
Document the self-assessment. Produce a written document covering each important business service, its tolerance, test results, identified gaps, and remediation plans. The board must approve this document. The PRA expects honesty about residual vulnerabilities. Firms with self-assessments showing no gaps are likely not testing hard enough.
Remediate gaps. Where testing shows the firm can't stay within tolerances, it must invest to close the gap. The 31 March 2025 deadline required completion of that investment phase. The PRA expects continuous improvement going forward, updated annually.
Accountability is individual as well as collective. Named Senior Management Function holders under the SM&CR, typically the Chief Operations function (SMF24) where the firm has one, carry personal responsibility for operational resilience. There's no hiding behind a committee.
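The mapping and testing obligations above are easier to reason about with a concrete model. The following is an added illustration, not code from the PRA or from any firm: it represents a resource map as a dependency graph, walks it transitively so that second-layer dependencies (a cloud provider sitting behind a third-party authentication service) are attributed to the important business services they ultimately support, flags leaf resources that more than one service depends on as concentration points, and checks a 24-month incident log against the impact tolerances. All service names, resources, tolerances and incidents are constructed sample data.

```python
"""Dependency mapping and impact-tolerance checks in the style of an SS5/21
self-assessment. Illustrative example only; every name and number below is
constructed sample data, not drawn from the PRA or any firm."""
from collections import deque
from dataclasses import dataclass

# Constructed resource map: each node lists what it directly depends on.
# Nodes that never appear as a key are leaf resources (suppliers, sites, teams).
DEPENDENCIES = {
    "retail_payments": ["payments_engine", "customer_auth", "ops_team_payments"],
    "mortgage_servicing": ["mortgage_platform", "customer_auth"],
    "securities_settlement": ["settlement_engine", "custodian_link"],
    "payments_engine": ["core_banking_db", "cloud_provider_a"],
    "mortgage_platform": ["core_banking_db", "cloud_provider_a"],
    "core_banking_db": ["cloud_provider_a"],
    "customer_auth": ["third_party_auth_service"],
    "third_party_auth_service": ["cloud_provider_a"],  # second-layer dependency
    "settlement_engine": ["data_centre_b"],
    "custodian_link": ["swift_gateway"],
}

# Constructed important business services with impact tolerances in hours.
IMPORTANT_BUSINESS_SERVICES = {
    "retail_payments": 8,
    "mortgage_servicing": 48,
    "securities_settlement": 24,
}


def transitive_dependencies(node, deps=DEPENDENCIES):
    """Return every resource `node` depends on, directly or indirectly (BFS)."""
    seen, queue = set(), deque(deps.get(node, []))
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(deps.get(current, []))
    return seen


def concentration_risk(services=IMPORTANT_BUSINESS_SERVICES, deps=DEPENDENCIES):
    """Map each leaf resource to the important business services it underpins.

    A leaf shared by more than one service is a concentration point: its
    failure disrupts several services at once, so it must appear in the map."""
    exposure = {}
    for service in services:
        for resource in transitive_dependencies(service, deps):
            if resource not in deps:  # leaf: no further dependencies mapped
                exposure.setdefault(resource, set()).add(service)
    return {leaf: sorted(svcs) for leaf, svcs in exposure.items() if len(svcs) > 1}


@dataclass
class Incident:
    service: str
    duration_hours: float
    description: str


def tolerance_breaches(incidents, tolerances=IMPORTANT_BUSINESS_SERVICES):
    """Return incidents whose disruption exceeded the service's impact tolerance."""
    return [i for i in incidents
            if i.service in tolerances and i.duration_hours > tolerances[i.service]]


# Constructed incident log covering the past 24 months.
INCIDENT_LOG = [
    Incident("retail_payments", 3.5, "Payments engine failover overran"),
    Incident("retail_payments", 11.0, "Cloud provider A regional outage"),
    Incident("mortgage_servicing", 11.0, "Cloud provider A regional outage"),
    Incident("securities_settlement", 2.0, "SWIFT gateway certificate expiry"),
]

if __name__ == "__main__":
    for leaf, services in concentration_risk().items():
        print(f"concentration: {leaf} underpins {', '.join(services)}")
    for inc in tolerance_breaches(INCIDENT_LOG):
        print(f"breach: {inc.service} down {inc.duration_hours}h "
              f"(tolerance {IMPORTANT_BUSINESS_SERVICES[inc.service]}h): "
              f"{inc.description}")
```

On this sample data the walk attributes `cloud_provider_a` to both retail payments and mortgage servicing, even though neither service references it directly, and the incident check flags the 11-hour outage of retail payments as a breach of its 8-hour tolerance while the same outage stays inside the 48-hour mortgage tolerance. That is the shape of evidence a supervisor expects a resource map and incident log to produce.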
What evidence do regulators expect?
PRA supervisors reviewing operational resilience will ask for specific documentation on the day. Here's a practical audit checklist:
- Board-approved self-assessment, current within the last 12 months, covering all important business services, their tolerances, test outcomes, and known gaps
- Important business services register with documented rationale for inclusion and exclusion decisions; regulators probe the "why not" as closely as the "why"
- Impact tolerance statements with evidence of the assumptions behind them: consumer research, financial stability analysis, or regulatory guidance used to set the level
- Resource maps showing people, processes, technology, third-party dependencies, and facilities for each service; detailed enough that a supervisor can trace how a failure propagates through the firm
- Scenario test scripts and results, covering at least one severe disruption per important business service, conducted within the last 12 months
- Third-party resilience evidence: contracts with critical suppliers should include resilience obligations, and firms should hold testing reports or equivalent assurances from those suppliers. The PRA's expectations here are comparable to the third-party ICT risk principles in DORA Article 28 for EU firms, so evidence assembled for one regime will largely serve the other
- Board and committee minutes showing operational resilience was discussed substantively, that gaps were escalated, and that remediation plans received genuine board challenge
- Training records for staff involved in incident response, business continuity, and recovery procedures
- Incident logs from at least the past 24 months, showing how actual disruptions were managed and whether any breached an impact tolerance
Supervisors look for version control on documents, evidence that the self-assessment changed after real incidents, and proof that board members challenged assumptions rather than rubber-stamping submissions.
Common failure modes
Most SS5/21 failures aren't technical. They're organisational.
- Underscoping important business services. Retail payments and core banking are obvious. Foreign exchange settlement, securities custody, and institutional clients' cash management often get left off lists. Supervisors press firms to justify every exclusion; "we didn't think it was important" is not an answer.
- Impact tolerances set for comfort, not reality. A 72-hour tolerance for retail payment access looks like a commitment on paper, but retail customers notice and complain long before that. Tolerances must be grounded in evidence: customer surveys, complaints data, prior incident analysis.
- Shallow resource mapping. Firms map their own systems but miss the dependencies within those systems. If core banking runs on a cloud provider that uses a third-party authentication service, that second-layer dependency must appear in the map.
- Tests designed to pass. Scenario tests that always succeed aren't tests; they're rehearsals. The PRA explicitly expects testing to reveal gaps. Firms with spotless self-assessments typically get more supervisory scrutiny, not less.
- Board sign-off without substance. Minutes showing the board "received and approved" the self-assessment, with no record of challenge, won't satisfy supervisors. They want evidence that board members asked hard questions about tolerance assumptions and remediation timelines.
- Treating resilience as separate from change management. TSB's 2018 IT failure was caused by underestimating the resilience implications of a single technical migration. The FCA Final Notice against TSB Bank plc (December 2022, £48.65 million in combined fines) is the clearest enforcement benchmark. Firms that run their operational resilience programme separately from technology change governance are recreating the same risk.
Penalties for non-compliance
The PRA's enforcement toolkit under FSMA 2000 includes unlimited financial penalties, public censure, restriction of regulated activities, and individual sanctions against senior managers. These aren't hypothetical.
The TSB Bank enforcement action in December 2022 is the sector benchmark. The PRA and FCA issued coordinated Final Notices. The combined fine totalled £48.65 million (FCA: £29.75 million; PRA: £18.9 million) for failures during the 2018 IT migration. See the PRA Final Notice against TSB Bank plc. The PRA's portion specifically cited inadequate systems and controls and failure to maintain operational resilience standards. SS5/21 formalised those standards in writing; future enforcement will measure firms against explicit obligations, not inferred expectations.
Beyond financial penalties, the PRA can impose:
- Variation or cancellation of permissions: removing or restricting a firm's ability to carry out regulated activities
- Section 166 Skilled Person reviews: the firm funds an independent expert to assess and report on its resilience programme; the cost and management distraction are substantial
- Public statements of censure: even without a financial penalty, these carry serious reputational consequences in a sector where confidence matters
- Pillar 2 capital add-ons: operational resilience deficiencies can result in the PRA requiring additional capital, directly increasing funding costs and reducing return on equity
Individual accountability is real. SMF holders under the SM&CR can face personal fines and prohibition from regulated financial services. The compliance officer who approved an optimistic self-assessment without challenge has direct personal exposure, not just corporate exposure.
The Bank of England's 2024 operational incidents report recorded 264 incidents across the sector in 2023, of which 33 caused material customer harm. That data shapes supervisory intensity. Firms with weak self-assessments are likely to receive more intrusive engagement.
Related regulations and frameworks
SS5/21 sits within a broader international and domestic framework. Compliance teams need to understand where it overlaps and where it creates distinct obligations.
Basel Committee Principles for Operational Resilience (2021): The BIS published these principles in March 2021, the same month as SS5/21, and the PRA framework is directly consistent with the international standard. The BCBS 239 risk data aggregation principles also underpin the resource mapping obligations: firms that can't aggregate data about their critical systems can't build credible dependency maps.
EU DORA: The Digital Operational Resilience Act applies to EU financial firms from January 2025. The conceptual framework is materially similar to SS5/21: identify critical functions, test resilience, manage third-party ICT risk, and document everything. Key differences: DORA focuses explicitly on ICT systems, covers a wider range of financial entities including crypto-asset service providers, requires reporting major ICT incidents within 4 hours of classification, and mandates threat-led penetration testing for significant firms. Firms operating in both jurisdictions can align their core frameworks, but the reporting cadences and ICT-specific obligations differ and require separate tracking.
FCA PS21/3: The FCA's operational resilience policy applies to FCA solo-regulated firms, using the same definitions. Dual-regulated firms must satisfy both regulators; where standards differ, meet the higher bar.
Bank of England CBEST framework: CBEST is the Bank's intelligence-led penetration testing programme for critical financial infrastructure. SS5/21 scenario testing should incorporate cyber disruption scenarios. CBEST results feed directly into the self-assessment for firms in scope.
Senior Managers and Certification Regime (SM&CR): Operational resilience accountability maps to named SMF holders. This is the enforcement mechanism for individual failures, separate from but linked to SS5/21 obligations.
PCI DSS 4.0: Firms processing payment card data should ensure their SS5/21 resource maps and PCI compliance programmes align. Resilience controls protecting card data processing infrastructure are relevant to both frameworks simultaneously, and gaps identified in one audit will be visible in the other.
How FluxForce supports SS5/21 compliance
FluxForce's AI agents automate the continuous monitoring and evidence collection that SS5/21 demands. Nova Sentinel tracks system health and interdependencies in real time and produces audit-ready logs that feed directly into SS5/21 resource mapping and incident documentation. Aiden Flux runs configurable scenario simulations so compliance teams can test impact tolerances without waiting for real incidents. Every automated action carries a full decision trail, so outputs are explainable to PRA supervisors on the day of a review. See how FluxForce's regulatory compliance automation capabilities can support your operational resilience programme.