The Definitive Guide: Top 5 Tools for SYSC 15A Compliance
As of 2026, the FCA’s SYSC 15A framework has evolved beyond simple disaster recovery. It now demands that algorithms supporting “Important Business Services” (IBS) are not only resilient but explainable and governed. We audit the auditors so your CRO doesn’t have to.
| Tool | Focus Area | Why it Matters for SYSC 15A |
| Holistic AI | Governance & Technical Audit | The “Gold Standard” for mapping AI inventories and conducting the rigorous bias and robustness testing required for institutional self-assessment. |
| Aveni Detect | UK-Specific Monitoring | Purpose-built for the UK market. It maps AI-driven customer interactions directly to Consumer Duty and SYSC requirements in near real-time. |
| Armilla AI | Model Quality Assurance | Provides independent verification and even “performance warranties,” giving the Board tangible financial assurance that the tech won’t breach impact tolerances. |
| MetricStream | Enterprise GRC & Mapping | Essential for the “Mapping” requirement of SYSC 15A. It connects your algorithmic dependencies to the broader operational resilience workflow. |
| Darktrace PREVENT | Operational Resilience | Focuses on the security pillar of SYSC 15A, using AI to simulate “severe but plausible” cyber-disruptions to test impact tolerances before the regulator does. |
Critical Review: The 2026 Compliance Landscape
- From Mapping to Proving: It is no longer enough to document that an algorithm exists. Under SYSC 15A.4, firms must now prove that their technology can remain within Impact Tolerances during “severe but plausible” disruptions.
- The Third-Party Trap: SYSC 15A.4.2 specifically targets third-party dependencies. If your Tier 1 consultancy or SaaS provider hasn’t undergone an independent algorithmic audit, the liability sits squarely with your SMF24 (Operational Resilience) holder.
- The CRO’s New Mandate: Compliance is moving from a “check-box” exercise to a “Prestige & Authority” play. Firms using these tools aren’t just avoiding fines; they are signaling institutional maturity to the markets.
Expert Insight: “Resilience is not the absence of failure; it is the presence of governance. In 2026, if you can’t explain your model’s failure mode, you haven’t met the SYSC 15A standard.” — Leon Gordon, Principal Data & AI Architect
Selection Strategy: Choosing Your Stack
- For the “Built-in-UK” firm: Prioritise Aveni for direct alignment with the FCA Handbook.
- For the Global Tier 1 Entity: Lead with Holistic AI to cover cross-jurisdictional AI Acts alongside UK resilience rules.
- For the Risk-Averse Board: Deploy Armilla AI to shift technical risk into a quantifiable financial guarantee.
FAQ
Q: Who is responsible for SYSC 15A compliance? A: Ultimately, the SMF24 (Operational Resilience) and SMF4 (Chief Risk Officer) hold accountability for ensuring algorithms do not breach impact tolerances.
Q: Does SYSC 15A apply to third-party AI models? A: Yes. Under SYSC 15A.4.2, firms must ensure that third-party dependencies are as resilient as internal systems, often requiring an independent algorithmic audit.