The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

Firms must demonstrate their ability to prevent, adapt to, and recover from disruptions in line with the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) mandates. However, compliance is just one milestone—by June 2025, regulators expect firms to have fully embedded resilience measures into their long-term operational strategies. The journey to achieving this is riddled with challenges, including the increasingly complex role of cash accessibility within the realm of critical national infrastructure (CNI).

The quiet revolution in cash access

Amid the drive toward digital payments, an unexpected player has taken center stage in the resilience narrative: cash. Once deemed passé, cash is now enshrined as a cornerstone of financial stability, courtesy of the Financial Services and Markets Act 2023. By requiring the FCA to safeguard cash accessibility, the Act underscores the dual reality of our times: while digital is dominant, cash remains indispensable for millions. As of August 2023, the FCA has been empowered to maintain cash access within a reasonable distance for all citizens, particularly benefiting rural and vulnerable populations, ensuring that most urban dwellers are within one mile of a cash withdrawal service, and rural users no more than three miles away (GOV.UK Cash Access Policy Statement).

The FCA’s new rules, effective September 2024, obligate banks and building societies to assess local cash access and plug gaps before shutting down ATMs or branches. This proactive measure has been bolstered by the Payment Systems Regulator (PSR) to ensure tangible action rather than token compliance. Countries like Sweden and Norway, which are further along the digital payment adoption curve, are now revisiting policies to mandate ATM networks in underserved regions, aligning with the UK's balanced approach to inclusivity and innovation (GOV.UK Cash Access Policy Statement).

A system under strain

Operational resilience is about more than cash access. The FCA and PRA mandates compel firms to withstand severe disruptions, from cyberattacks to natural disasters, without jeopardizing critical services. While scenario testing has become commonplace, many firms are criticized for rehearsing predictable disruptions rather than the complex, concurrent crises regulators demand they prepare for (FCA Resilience Reports).

The cybersecurity gauntlet

Operational resilience in 2025 will also hinge on cybersecurity. As Fortinet's analysis highlights, the digitization of ATM networks introduces sophisticated vulnerabilities, necessitating advanced tools like AI-powered defenses and predictive analytics to detect and thwart breaches preemptively (Fortinet Smart ATMs eBook). Cybercriminals are no longer just targeting financial systems—they're leveraging advanced methods to exploit vulnerabilities in ATM networks, which can have devastating ripple effects across communities reliant on cash. AI-powered defenses and real-time monitoring are becoming lifelines in these battles.

Toward 2025: Building for the future

To meet the June 2025 deadline and beyond, UK financial institutions should strongly consider:

1. Diversify scenario testing: Address severe, unpredictable disruptions, including simultaneous or prolonged crises. Fortinet underscores the importance of using real-world insights to create robust scenarios that mirror potential threats (Fortinet FSI Regulations eBook).
2. Invest in technology: Embrace AI, machine learning, and robust cybersecurity solutions for real-time threat response.
3. Redefine governance: Elevate resilience to a boardroom priority, integrating it into overall corporate strategy.
4. Prioritize cash access: Enforce rigorous assessments to identify and resolve cash accessibility gaps swiftly (GOV.UK Cash Access Policy Statement).
5. Foster continuous improvement: Treat resilience as an evolving process, integrating lessons learned.

The bigger picture

Operational resilience is no longer a regulatory checkbox—it’s a lifeline. With cash access regulations and technological transformation at the forefront, institutions have the opportunity to not just comply but lead. The Financial Services and Markets Act 2023 is emblematic of this shift, blending technological innovation with safeguarding traditional systems like cash to ensure no one is left behind.

As Fortinet, we stand ready to assist financial institutions on this journey, providing cutting-edge tools to strengthen their operational resilience. Resilience isn’t just about weathering the storm—it’s about charting a course through it and emerging stronger on the other side.

Read more about how European banks are balancing digital innovation, cybersecurity, and regulatory compliance in 2025 in our latest report: The Evolving Landscape for European Banks.