Industry · Banking

Banking-grade IT, ready for an operational-resilience review

Building societies, challenger banks, payment institutions and clearing brokers operate under PRA SS1/21, FCA PS21/3 and DORA. We run the IT services that sit underneath your important business services, with the third-party risk paperwork, the immutable backups, and the tested ransomware recovery your auditor expects.

Speak to a banking specialist

What's at stake

PRA SS1/21 / FCA PS21/3 operational resilience

You have to identify Important Business Services, set Impact Tolerances, and prove you can stay within them through severe-but-plausible scenarios. Your IT supplier needs to give you the evidence, not a glossy slide.

DORA & ICT third-party risk

From 17 January 2025 your ICT third parties have to be on a register of information, classified, exit-planned, and contractually bound to a long list of resilience clauses. Your supplier should hand you their register entry on request, not refer you to legal.

Ransomware recovery, tested

"We have backups" is not the same as "we have tested recovery". Supervisors expect evidence of a recent, end-to-end recovery test from an immutable copy, not a backup policy document. Your supplier's last test date should be on a page like this one.

How we help

Operational resilience evidence pack

We'll map our services to your Important Business Services, document the impact-tolerance scenarios we participate in, and supply tested evidence on request. Annual operational-resilience review baked into the contract.

ICT third-party register entry

Pre-populated entry for your DORA register: services we supply, locations, sub-processors, exit plan, KRIs we report on, contract clauses already in place. Updated whenever anything changes.

Immutable backups with tested recovery

Object-locked off-site backups (S3 Object Lock or equivalent) with quarterly tested recovery into an isolated environment. Recovery time and an integrity checksum of the recovered dataset are recorded each time.

CIF / IBS classification support

We help you classify which of our services touch a Critical or Important Function. Where we do, you get the heightened SLA at no extra cost.

Section 166 ready

If a skilled person review lands on your desk, the IT-supplier section is already documented: controls inventory, test evidence, breach log, third-party register, audit trail. We've worked with reviewers before.

Frameworks we map to

Cyber Essentials Plus
UK GDPR
PRA SS1/21 / FCA PS21/3 operational-resilience evidence (Q3 2026)
DORA ICT third-party register entry (Q3 2026)
FCA PS21/3 alignment (Q3 2026)
ISO 22301 readiness (Q4 2026)

See /trust/ for the full controls-to-frameworks mapping.

Selected client work

Available on request

Banking client work

Detailed writeups are shared under NDA on a 30-minute discovery call. Published case studies are coming soon, with each named client's explicit sign-off.

All case studies →

Frequently asked questions

How do you map to PRA/FCA operational resilience (SS1/21, PS21/3) and DORA?

Our services are mapped to your Important Business Services with documented impact tolerances and tested resilience scenarios. For DORA we maintain a per-customer register entry (services, locations, sub-processors, exit plan, KRIs) and an "ICT third-party services" contract addendum already aligned to the regulatory technical standards. Annual joint review built into the contract.

What is your ICT third-party risk register and how do you supply our register entries?

Per-customer entry covering: services delivered, criticality classification, locations, sub-processors (this list is also on /trust/), data flows, contractual rights (audit, termination, sub-contracting), exit plan, KRIs, last review date. We send this to you in CSV and PDF every quarter; ad-hoc on request within 1 working day. We follow the EBA Guidelines on Outsourcing Arrangements format.

What evidence do you provide for immutable backups and ransomware recovery testing?

Backups land on object-locked storage (Azure Blob immutability or AWS S3 Object Lock, depending on your tier). Quarterly tested recovery into an isolated environment, with recovery time and a SHA-256 of the recovered dataset logged. The last test report is on a per-customer dashboard. We have invoked this twice in production for clients; both recoveries completed in under 4 hours.
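What a recovery-test record of this kind has to contain, shown as an added example (this is illustrative code, not the provider's tooling and not from the original page). It covers both the "Immutable backups with tested recovery" service item and this FAQ answer: one function checks an S3 Object Lock configuration in the shape returned by GetObjectLockConfiguration (assumed input; COMPLIANCE mode is required because GOVERNANCE retention can be shortened by a principal holding s3:BypassGovernanceRetention), and the rest builds a deterministic per-file SHA-256 manifest of a restored dataset so that "a SHA-256 of the recovered dataset" is reproducible and a single altered file is identified rather than just a mismatched digest. The dataset, the restore step (a local copy) and the lock configurations are all constructed here.

```python
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# --- 1. Object Lock configuration check -----------------------------------
# `cfg` is assumed to have the shape of an S3 GetObjectLockConfiguration
# response. A bucket with Object Lock enabled but no default rule only locks
# objects whose writer sets a retention explicitly, so that is a finding too.
def check_object_lock(cfg: dict, min_retention_days: int) -> list[str]:
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no default retention rule: objects are only locked if the writer sets retention per object"]
    findings = []
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode is {rule.get('Mode')}; GOVERNANCE can be bypassed, COMPLIANCE cannot")
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)  # Years approximated as 365 days
    if days < min_retention_days:
        findings.append(f"default retention {days}d is below the required {min_retention_days}d")
    return findings

# --- 2. Deterministic dataset manifest -------------------------------------
def manifest(root: Path) -> dict[str, str]:
    """Per-file SHA-256 keyed by POSIX relative path. The sorted walk makes the
    result independent of filesystem enumeration order."""
    out: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out

def dataset_digest(m: dict[str, str]) -> str:
    """Single SHA-256 over the manifest: the value written into the test log."""
    h = hashlib.sha256()
    for path in sorted(m):
        h.update(f"{path}\0{m[path]}\n".encode())
    return h.hexdigest()

def compare(expected: dict[str, str], actual: dict[str, str]) -> dict[str, list[str]]:
    """Explain a digest mismatch: which files are missing, extra or changed."""
    return {
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "modified": sorted(p for p in expected.keys() & actual.keys() if expected[p] != actual[p]),
    }

# --- 3. Simulated quarterly recovery test ----------------------------------
TAMPER_TARGET = "ledger/2026-01.csv"  # constructed sample file, see build_sample

def run_recovery_test(source: Path, restore_to: Path, tamper: bool = False) -> dict:
    """'Restore' into an isolated directory, time it, and record digest and diff.
    `expected` stands in for the manifest written at backup time."""
    expected = manifest(source)
    t0 = time.monotonic()
    shutil.copytree(source, restore_to, dirs_exist_ok=True)
    if tamper:  # corrupt one restored file to show the check catches it
        (restore_to / TAMPER_TARGET).write_bytes(b"altered")
    elapsed = time.monotonic() - t0
    actual = manifest(restore_to)
    return {
        "recovery_seconds": round(elapsed, 3),
        "dataset_sha256": dataset_digest(actual),
        "matches_backup_manifest": dataset_digest(actual) == dataset_digest(expected),
        "differences": compare(expected, actual),
    }

def build_sample(root: Path) -> None:
    """Constructed sample dataset standing in for a real backup set."""
    (root / "ledger").mkdir(parents=True)
    (root / TAMPER_TARGET).write_text("acct,amount\n1001,250.00\n")
    (root / "config.yaml").write_text("service: payments\n")

# Constructed lock configurations: one acceptable, one that only looks immutable.
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}

def demo() -> dict:
    """Clean and tampered recovery tests plus both lock checks, as one record."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        build_sample(src)
        clean = run_recovery_test(src, Path(tmp, "restore-clean"))
        tampered = run_recovery_test(src, Path(tmp, "restore-tampered"), tamper=True)
    return {"clean": clean, "tampered": tampered,
            "good_lock": check_object_lock(GOOD_LOCK, 90),
            "weak_lock": check_object_lock(WEAK_LOCK, 90)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the per-file manifest is that a digest over the whole dataset is only useful as evidence if it is reproducible (hence the sorted walk and fixed record format) and only actionable if a mismatch can be traced to specific files; the tampered run reports exactly which path changed. The lock check is the caveat a reviewer would raise against "object-locked storage": Object Lock enabled in GOVERNANCE mode, or with no default retention rule, does not give the guarantee the term implies.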

How do you handle critical or important function (CIF) classification?

On onboarding we go through your IBS / CIF list with you and classify each service we deliver. Anything classified CIF moves to the Regulated tier (see /service-levels/) at no upcharge if you're already on Business; the contract addendum reflects the heightened SLAs and audit rights. Reclassification triggered by material change in our service or your business model.

Can you provide a Section 166 (skilled persons) ready evidence pack?

Yes. We maintain a continuously-updated "IT-supplier evidence pack" per regulated client, covering: controls inventory, last test results, breach log, third-party register, ICT contract clauses, RACI for incident response. When a Section 166 lands, you don't spend two weeks chasing your IT supplier — we have it ready inside 48 hours.

Speak to a banking specialist

30-minute discovery call. No slide deck — we'll ask about your auditor, your incumbent supplier, and what would change if your IT actually understood your sector.

Book a consultation