Content Options

Content Options

View Options

Status: Please note you should read all Brexit changes to the FCA Handbook and BTS alongside the main FCA transitional directions. Where these directions apply the 'standstill', firms have the choice between complying with the pre-IP completion day rules, or the post-IP completion day rules. To see a full list of Handbook modules affected, please see Annex B to the main FCA transitional directions.

You are viewing the version of the document as on 2021-01-01.

Status: In this content, we have included all amendments made by EU exit-related instruments up to end September 2020. There will be more amendments to be made later this year, further to the September QCP.

Article 8 Testing and capacity

  1. (1)

    A data reporting services provider shall implement clearly delineated development and testing methodologies, ensuring that:

    1. (a)

      the operation of the IT systems satisfies the data reporting services provider's regulatory obligations;

    2. (b)

      compliance and risk management controls embedded in IT systems work as intended;

    3. (c)

      the IT systems can continue to work effectively at all times.

  2. (2)

    A data reporting services provider shall also use the methodologies referred to in paragraph 1 prior to and following the deployment of any updates of the IT systems.

  3. (3)

    A data reporting services provider shall promptly notify the competent authority of any planned significant changes to the IT system prior to their implementation.

  4. (5)

    A data reporting services provider shall set up an on-going programme for periodically reviewing and, where needed, modifying the development and testing methodologies.

  5. (6)

    A data reporting services provider shall run stress tests periodically at least on an annual basis. A data reporting services provider shall include in the adverse scenarios of the stress test unexpected behaviour of critical constituent elements of its systems and communication lines. The stress testing shall identify how hardware, software and communications respond to potential threats, specifying systems unable to cope with the adverse scenarios. A data reporting services provider shall take measures to address identified shortcomings in those systems.

  6. (7)

    A data reporting services provider shall:

    1. (a)

      have sufficient capacity to perform its functions without outages or failures, including missing or incorrect data;

    2. (b)

      have sufficient scalability to accommodate without undue delay any increase in the amount of information to be processed and in the number of access requests from its clients.