Research · 01 June 2026 · ~11 min read

PRA SS1/21 Operational Resilience: synthetic data for continuous compliance.

The 31 March 2025 PRA SS1/21 deadline has passed. UK firms now operate inside impact tolerances under continuous supervisory expectation. The evidence bar that mattered during build is the evidence bar that matters during steady-state — and the firms that cannot rehearse failure on production data cannot rehearse it at all.

PRA SS1/21 Operational Resilience came into force on 31 March 2022. Firms had three years — to 31 March 2025 — to demonstrate they could remain within impact tolerances for every Important Business Service under severe-but-plausible disruption. That deadline has passed. UK banks, insurers and investment firms now operate inside the policy in steady state. The supervisory question is no longer "are you ready by the deadline" but "can you continuously evidence that you remain inside tolerance". This piece is for firms that have crossed the line and now face the harder question: what does continuous resilience evidence actually look like, and where does a synthetic data substrate fit?

§ 01 / The deadline that passed

What 31 March 2025 actually meant

PRA Supervisory Statement SS1/21, jointly with FCA PS21/3 and Bank of England policy for FMIs, came into force on 31 March 2022. The policy required firms to identify their Important Business Services, set impact tolerances for each, and complete mapping, scenario testing and self-assessment work to evidence the ability to remain within those tolerances by 31 March 2025. Three years to build the apparatus, three years to demonstrate it works.

The deadline has now passed. The post-deadline supervisory posture is different from the build phase in three specific ways. First, the self-assessment is no longer a one-off document but a living artefact that the firm's Board has to refresh with regulator-grade evidence. Second, impact tolerances are no longer aspirational targets but commitments that must be substantively defended every supervisory cycle. Third, severe-but-plausible scenarios are not a 2024 testing campaign but a continuous testing programme — and supervisors expect to see evidence from the most recent twelve months, not from the build-up to the deadline.

UK firms with EU operations face an overlapping but distinct regime. DORA Article 11 covers operational resilience for in-scope EU financial entities, with Article 26 requiring threat-led penetration testing on production-like systems. The UK SS1/21 regime is broader in scope but methodologically lighter on the testing-evidence side than DORA. Firms operating under both regimes typically run a unified resilience programme and produce two different evidence packs.

§ 02 / Important Business Services

Where the granularity decision is made

The Important Business Service is the unit of analysis in SS1/21. A service whose failure would cause intolerable harm to consumers, market integrity, or the firm's safety and soundness must be on the register. The PRA explicitly resisted a definitional list because the granularity decision depends on firm size, customer base, and business model — but the policy gives clear examples: payments, deposit-taking, lending decisions, claims handling for insurers, market access for investment firms.

Retail bank

Payments and account access

Card transactions, faster payments, ATM cash withdrawal, online and mobile banking access — typically split into multiple IBSes by channel and customer-impact threshold.

Retail bank

Customer onboarding and lending

Account opening, KYC/AML checks, credit decisioning, mortgage origination, secured and unsecured lending — IBSes where delay translates directly to consumer detriment.

Insurer

Claims handling and renewal

First notification of loss, claim adjudication, payout, and policy renewal — IBSes where the consumer harm of disruption is measurable in clear monetary terms.

Investment firm

Order routing and settlement

Trade execution, post-trade matching, settlement instruction, custody reconciliation — IBSes whose disruption tests the firm's safety and soundness directly.

The granularity decision is a supervisory pressure point. A firm whose register lists eight IBSes is making a different statement to the PRA than a firm whose register lists twenty-eight. The first firm is signalling a small set of high-impact services; the second is signalling careful decomposition. Neither is automatically right, but the conversation with the supervisor differs. Firms that revisited their IBS register after the deadline are increasingly moving toward higher granularity, on the basis that decomposed services produce decomposed mappings, which produce decomposed scenarios, which produce more credible impact-tolerance evidence.

§ 03 / Impact tolerances

The substantive commitment, not the metric

An impact tolerance is the maximum tolerable level of disruption to an IBS. It is expressed in time (how long can the service be down), but the underlying commitment is broader: tolerance for customer harm, financial loss, reputational damage, market integrity impact. The PRA expects tolerances to be set at the level where further disruption would become intolerable — not at the level the firm thinks it can comfortably meet today.

This is the part of SS1/21 that produces the most board-level discomfort. A bank that sets its faster-payments impact tolerance at 24 hours is making a public commitment to a level of resilience that its current architecture probably cannot deliver. A bank that sets the same tolerance at 4 hours is making a substantively harder commitment but one the supervisor will respect. Setting tolerances honestly means accepting that gaps exist between current capability and committed tolerance — and accepting the supervisory expectation that the firm will close those gaps.

The post-deadline reality is that tolerances set in 2022 with a 2025 demonstration date are now being challenged. Supervisors are asking firms whether tolerances remain calibrated to the actual harm landscape — including the harm a customer experiences when locked out of their account for six hours in 2026, versus the equivalent harm in 2022. The honest answer in most cases is that customer-harm thresholds have tightened with consumer-protection developments and that tolerances may need to be tightened in response.

§ 04 / Severe-but-plausible

The testing standard the supervisor reads

The SS1/21 test programme rests on severe-but-plausible scenarios — disruptions that are individually unlikely but collectively foreseeable, severe enough to challenge the firm's resilience but not so extreme as to be unfalsifiable. The policy gives examples: cyber attack on a critical third party, loss of a primary data centre, simultaneous unavailability of two key services.

Cyber
Ransomware on core banking via supply chain compromise. A trusted vendor patch deploys malicious code; the firm's detection lag is realistic, the lateral movement reflects the production network topology, the customer-impact escalation tracks the real call-centre load curve.
Third-party
Cloud region outage affecting a critical SaaS provider. The provider's recovery point objective is real, the firm's failover dependencies are real, the data-quality reconciliation work after recovery is in scope.
Physical
Primary data centre extended unavailability. Building incident, multi-hour DR invocation, settlement-cycle implications for batch processing, customer-channel implications for online and mobile services.
Compound
Simultaneous failure of two IBSes with shared dependency. The shared dependency is a real architectural concentration; the compound scenario tests the firm's ability to prioritise recovery when resources are scarce.

The methodological challenge is that genuinely realistic scenarios require genuinely realistic data substrates. A ransomware scenario that uses synthetic customer records with no behavioural pattern fails to exercise the call-centre load model. A cloud-region-outage scenario that uses a sub-sampled production extract fails to exercise the data-quality reconciliation logic that activates in volume. Severe-but-plausible needs production-grade substrate.

This is where the GDPR Article 32 collision becomes acute. A firm that conducts its severe-but-plausible scenario testing on raw production data is processing personal data for testing purposes — a use that requires explicit Article 32 controls, separate access governance, and incident-response readiness for the test environment itself. A firm that conducts the same testing on masked or sub-sampled production data produces evidence the supervisor can reasonably challenge as unrealistic. The architectural answer is a synthetic substrate carrying production fidelity without retaining real customer records.

§ 05 / TSB and the post-incident bar

What good evidence actually looks like

The TSB Bank case from December 2022 remains the reference point UK supervisors return to when explaining what good operational resilience evidence looks like. The PRA and FCA jointly fined TSB a combined £48.65 million for failures associated with the 2018 IT migration that left customers locked out of their accounts. A subsequent PRA Final Notice on 13 April 2023 fined TSB's then-CIO Carlos Abarca £81,620 (reduced from £116,600 on settlement) under Senior Manager Conduct Rule 2 of the SMCR — the first individual SMCR enforcement of that rule, focused on outsourcing-management failures during the migration programme.

The case predated SS1/21 in calendar terms but defined its evidence expectation. The PRA's Final Notice against TSB identified the absence of effective pre-migration testing on production-like environments as a primary contributor to the customer-impact harm. Post-SS1/21, the equivalent finding would attach to a firm that could not evidence severe-but-plausible scenario testing on a substrate carrying production fidelity. The post-TSB supervisory bar is therefore lower than many firms assume on the policy side and higher than many assume on the testing-evidence side.

The continuous-evidence framing matters here. Pre-deadline, a firm could plausibly tell the supervisor that the SS1/21 self-assessment was a work in progress. Post-deadline, the same statement reads as non-compliance with a policy that has been operative for over a year. The firms that have since drawn supervisory attention have not been firms with bad luck. They have been firms whose testing evidence pre-incident was thin, whose self-assessment was generic, and whose post-incident remediation work was less mature than the supervisor expected at the date of the incident.

§ 06 / SS2/21 and third parties

The outsourcing dependency

SS1/21 has a sibling: SS2/21 on Outsourcing and Third-Party Risk Management, in force since the same date. SS2/21 is broader in scope than SS1/21 — it covers all material outsourcing arrangements, not just those supporting IBSes — but its operational-resilience clauses interact directly. A firm's ability to remain within impact tolerance for an IBS depends on its third-party arrangements for the systems supporting that IBS. Concentration risk against a single cloud provider, fragility in a managed-service relationship, or lack of substitutability for a critical vendor all surface as impact-tolerance risks in SS1/21 terms.

The post-deadline interaction is most visible in concentration risk. The PRA has signalled, including in Dear CEO letters across 2024 and 2025, that concentrations against critical third parties — particularly the major cloud providers — are an active supervisory concern. Firms whose IBS-supporting systems sit predominantly with one hyperscaler are being asked to evidence their substitutability strategy, including realistic recovery-time evidence in a scenario where the primary provider becomes unavailable.

The HM Treasury and Bank of England Critical Third Parties regime, in force from 1 January 2025 under the Financial Services and Markets Act 2023, gives the PRA direct supervisory tools over a small number of critical third parties. The regime does not displace SS1/21 — firms remain accountable for the resilience of their own services regardless of how their suppliers are supervised — but it shifts some of the analytical burden by formalising what "critical" means at sector level.

§ 07 / Synthetic substrate

Where production fidelity meets Article 32 controls

The continuous-evidence problem reduces, in technical terms, to the question of where the firm tests. Three answers and their failure modes:

  • Raw production data in a test environment. Highest realism, highest Article 32 exposure. A breach in the test environment is treated as a breach in production. Reasonable for time-bounded controlled exercises with explicit DPIA cover; not reasonable as a continuous-testing posture.
  • Masked or sub-sampled production data. Reduced Article 32 exposure, reduced realism. Masking breaks referential integrity at the scale of a typical IBS-supporting system stack. Sub-sampling smooths the tail behaviour where severe-but-plausible scenarios bite hardest. Produces evidence the supervisor can challenge on quality grounds.
  • Synthetic substrate preserving causal multi-table structure. Realism approaching production for the tail behaviours that matter, minimised Article 32 exposure (no row in the synthesis corresponds to a real customer), and the ability to regenerate the substrate continuously to track production evolution.
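
The two failure modes of the second path can be reproduced on a toy two-table system. This is an added example, not code from this article or from CAUSA. All data is constructed, and it assumes each table is masked by its own tool with its own key and that sub-sampling keeps every tenth customer.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data: 1,000 customers with one payment each, plus one
# heavy originator (C0007) sending a 500-payment batch in minute 30.
CUSTOMERS = [f"C{i:04d}" for i in range(1000)]
PAYMENTS = [(cid, (i // 10) % 60) for i, cid in enumerate(CUSTOMERS)]
PAYMENTS += [("C0007", 30)] * 500

# Hypothetical per-system masking keys (assumption: the customer master and
# the payments ledger are masked independently, each with its own secret).
KEY_CRM = b"constructed-key-for-customer-master"
KEY_LEDGER = b"constructed-key-for-payments-ledger"


def pseudonymise(value, key):
    """Keyed, deterministic masking of one identifier."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def orphaned_payments(customer_key, payment_key):
    """Count masked payments whose customer_id no longer joins to a customer."""
    masked_customers = {pseudonymise(c, customer_key) for c in CUSTOMERS}
    return sum(
        pseudonymise(cid, payment_key) not in masked_customers
        for cid, _minute in PAYMENTS
    )


def peak_per_minute(payments):
    """Highest payment count observed in any single minute."""
    return max(Counter(minute for _cid, minute in payments).values())


def subsampled_peak_estimate(step=10):
    """Keep every `step`-th customer, then scale the sampled peak back up."""
    kept = set(CUSTOMERS[::step])
    sample = [p for p in PAYMENTS if p[0] in kept]
    return peak_per_minute(sample) * step


if __name__ == "__main__":
    # Independent keys: every foreign key is orphaned. Shared key: join survives.
    print("orphans, independent keys:", orphaned_payments(KEY_CRM, KEY_LEDGER))
    print("orphans, shared key:      ", orphaned_payments(KEY_CRM, KEY_CRM))
    # The batch that drives the real peak comes from one customer; a 1-in-10
    # customer sample misses that customer 9 times out of 10, as it does here.
    print("true peak per minute:     ", peak_per_minute(PAYMENTS))
    print("sub-sample estimate:      ", subsampled_peak_estimate(10))
```

A shared masking key keeps the join intact but makes that key a secret spanning every system in the stack, and the sub-sample only reports the real peak when the heavy originator happens to be among the kept customers.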

The architectural value of the third path is not the absence of customer records — that is the regulatory benefit. The architectural value is that the synthesis can be deliberately stressed in ways production cannot. A firm that wants to test its retail-payments IBS against a scenario carrying twice the historical peak transaction volume cannot produce that scenario from production. A firm with a synthesis layer can.

§ 08 / CAUSA AI Data Engine

How CAUSA fits the continuous-evidence model

Three framing notes. First: CAUSA is pre-MVP. What follows describes design intent, not a shipped feature set. First version completed end-of-2024 as a solo R&D effort. Architecture details beyond what is published here are available to in-scope firms under NDA. Second: CAUSA is designed for self-hosted deployment inside the firm's perimeter — Docker-first, no outbound calls, no telemetry. The SS2/21 third-party risk decision a firm makes about an external synthetic-data SaaS vendor is exactly the decision CAUSA is designed not to force. Third: CAUSA's contribution to continuous SS1/21 evidence is substrate plus provenance, not a compliance opinion. The firm's resilience team remains the author of the self-assessment.

Within that envelope, CAUSA's targeted contribution to a continuous SS1/21 evidence model is a synthesis layer producing:

  • A causal multi-table snapshot reflecting the IBS-supporting systems' production fidelity, regenerated on a cadence matching the production-change cycle so test results remain representative.
  • A generation provenance manifest for every synthesis run — source schema, causal structure, statistical fidelity tests, random-seed lineage — readable as evidence that test-environment data carried no link to real customers.
  • A scenario-amplification capability in which the substrate can be deliberately stressed beyond historical maxima for severe-but-plausible scenario testing, while remaining structurally coherent.
  • An audit trail of every test run conducted on the substrate, with timestamps, test definitions, and results, suitable for inclusion in the firm's continuous self-assessment refresh.

None of this replaces the resilience team's own work. It removes the most common bottleneck — the production-data dependency for severe-but-plausible testing — that makes continuous evidence harder to sustain than build-phase evidence ever was.

§ 09 / The next supervisory cycle

What to prepare for in the next twelve months

The PRA's supervisory cadence post-deadline favours firms with credible continuous evidence and weighs against firms whose evidence base is the 2024 self-assessment refreshed by light annotation. The cluster of questions a firm should be able to answer in 2026 looks like this:

  • Has every IBS been tested under at least one severe-but-plausible scenario in the past twelve months, with results documented and reviewed at the appropriate governance level?
  • Has the impact-tolerance calibration been reviewed against actual customer-harm developments, including consumer-protection and Consumer Duty developments?
  • Has the third-party dependency map been refreshed, particularly for any critical third parties designated under the FSMA 2023 regime?
  • Has the testing programme exercised compound scenarios — simultaneous failure of two IBSes with shared dependency — and not only single-point failures?
  • Is the testing substrate defensible — both in terms of fidelity to production behaviour and in terms of Article 32 controls?

The firms that produce confident answers to all five questions in 2026 are firms that built continuous-evidence infrastructure during 2025 rather than treating 31 March 2025 as a finish line. The firms that struggle with the fifth question — testing substrate defensibility — are the firms for whom CAUSA's design intent is most directly relevant.

§ 10 / Related

Regulatory context

For the related UK model-risk framework see PRA SS1/23 Model Risk Management: validating multi-table banking models without PII exposure. For the FCA SDEG governance considerations on synthetic data in UK financial services see FCA SDEG governance considerations for synthetic data in UK financial services. For the EU operational-resilience analogue see DORA Article 26 test data for European banks: TIBER-EU and the first cycle to January 2028.

Conclusion

SS1/21 is no longer a build problem. The 31 March 2025 deadline has passed; the supervisory bar moved from "are you ready" to "can you continuously evidence that you remain inside tolerance". Continuous evidence rests on testing severe-but-plausible scenarios on substrates that carry production fidelity without retaining personal data. Masked production breaks; sub-sampled production smooths; raw production is governance overhead the firm cannot sustain continuously. A causal multi-table synthesis layer, with audit-grade generation provenance and scenario-amplification capability, is the architectural answer. CAUSA is the engine Infundum is designing for that role.

Author's note. Thirteen years engineering data infrastructure across European financial services — across four jurisdictions, across the regulatory stack: BCBS 239 lineage, KNF risk reporting, Solvency II data quality, model risk validation. First version of CAUSA completed end of 2024 after 18 months of solo R&D. — A. Kordos, Founder, Infundum.

Sources

PRA SS1/21 Operational Resilience (March 2021, in force 31 March 2022) · PRA SS2/21 Outsourcing and Third-Party Risk Management · Bank of England PRA Final Notice Carlos Abarca (13 April 2023) · Bank of England joint PRA/FCA TSB enforcement (December 2022) · Financial Services and Markets Act 2023 Critical Third Parties