Friction was a bug
The FCA just made it a feature
EDITION 2
For years, fintech has sought to remove friction from the system via faster payments, invisible onboarding, and one-click everything. That logic built the industry but also created a dependency problem nobody wanted to look at too closely.
Then last week the FCA published an overhaul of its operational resilience and incident reporting rules. Firms have 12 months to comply and the direction of travel is clear: friction belongs in the system.
What the FCA changed
The new framework consolidates cyber and third-party incident reporting across the FCA, PRA, and Bank of England into a single, unified regime. The 12-month runway runs to 18 March 2027. That’s not a long lead time for firms that have deferred this work.
The trigger is instructive. Over 40% of cyber incidents reported to the FCA in 2025 involved third-party providers. Cloudflare went down and AWS had outages. A lot of firms discovered that they’d optimised their operations to the point where they’d outsourced their ability to recover.
The shared responsibility problem
A 2023 Raconteur piece on XaaS adoption gets at the structural issue: if company data is held by a third-party provider, what happens in a catastrophe? The article goes on to say that most businesses are “amazed at the lack of understanding people have of their shared responsibility model.” The example used is Office 365, where Microsoft’s own documentation says users should provision their own backup and restoration capability — but most don’t read that far.
This is the same dynamic playing out across fintech. Firms assumed that because Cloudflare or AWS were running, they were covered. They weren’t.
Why friction is the point
There’s a chin-scratching argument here that I think makes the compliance burden easier to accept: there can’t be progress without friction. It’s what takes an athlete to elite level. It’s what gives a piece of art its value. The annoying, the difficult — these could be seen as bugs in the system but actually they’re the system working.
A fintech CEO’s first reaction to the new compliance layer is probably irritation. But if you widen the aperture, what the FCA is actually asking firms to build is a set of instruments — incident detection, escalation procedures, vendor risk management — that will make them better operators. The regulator is mandating the cockpit.
The firms that treat this as a 2027 deadline problem will scramble, but the ones that treat it as an infrastructure investment will compound.
If you’re a fintech leader thinking about this
I work with financial services companies to build content systems that earn belief before the sales call and before the funding conversation.
If you want to talk through what that looks like for your business, connect with me on LinkedIn or drop me a line at nick@almsford.com.