FAQs
Essential Reading
FCA Cyber Incident Reporting
FCA expects notification of material operational incidents within 72 hours of the firm becoming aware of them; this deadline runs in parallel with the ICO's GDPR notification window.
FCA Operational Resilience Impact Tolerances
PS21/3 full compliance deadline was March 2025. The FCA has confirmed it will assess impact tolerance setting and testing as part of ongoing supervision — gaps will be found.
DORA Requirements for UK Firms
DORA entered into force 17 January 2025. UK firms with EU branches, EU-regulated subsidiaries, or EU ICT relationships may be directly in scope, and all serious UK firms should align to its standards.
APP Fraud Liability and FCA Rules
£459M lost to APP fraud in H1 2023 (UK Finance). PSR mandatory reimbursement scheme (effective October 2023) places direct liability on payment firms for the majority of APP fraud losses.
PCI DSS v4.0 for Financial Services
PCI DSS v4.0 fully in effect March 2024. New requirements for MFA everywhere, phishing-resistant authentication, and script management represent material changes from v3.2.1.