Disaster Recovery for Document Signing Platforms in Financial Services

Operational Resilience: The Regulatory Context

The FCA's operational resilience framework, which came into full effect on 31 March 2025, requires financial services firms to identify their important business services, set impact tolerances for disruption, and ensure they can remain within those tolerances in severe but plausible scenarios. For firms that rely on electronic document signing as part of client onboarding, policy issuance, or other critical workflows, the document signing platform falls squarely within the scope of this framework.

The operational resilience rules (PS21/3) do not prescribe specific technical measures. Instead, they require firms to take a service-oriented view: identify the important business service (e.g., "client onboarding"), determine the maximum tolerable disruption, and then assess whether the underlying technology — including third-party platforms — can support continued service delivery within that tolerance.

For document signing platforms, this assessment must address two distinct scenarios: disruption to the signing service (inability to send documents for signature) and disruption to the document vault (inability to access previously signed documents). Each has different impact characteristics and different recovery requirements.

Recovery Point Objective and Recovery Time Objective

The two fundamental metrics in disaster recovery planning are the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO).

RPO defines the maximum acceptable data loss, measured in time. An RPO of one hour means the firm accepts losing up to one hour of data in a disaster. For a document signing platform, RPO translates directly into the number of signed documents and audit trail events that could be lost.

RTO defines the maximum acceptable downtime before the service must be restored. An RTO of four hours means the signing service must be operational within four hours of a failure.

For financial services firms, the appropriate RPO and RTO depend on the criticality of the signing workflow:

• Client onboarding and policy issuance: These are typically important business services with impact tolerances measured in hours. An RPO of zero (no data loss) and an RTO of four hours or less is appropriate for most firms.
• Document vault access: Access to previously signed documents is typically less time-sensitive than the signing service itself. An RTO of 24 hours may be acceptable, but RPO should remain at zero — losing signed documents and their audit trails is not recoverable.
• Audit trail integrity: Audit trail data must have an RPO of zero. Any gap in the audit trail undermines the evidentiary value of the entire document lifecycle record.

Multi-Region Storage Architecture

The foundation of disaster recovery for document storage is geographic redundancy. A document signing platform that stores all data in a single geographic region is vulnerable to region-level failures — events such as data centre outages, network partitions, or regional infrastructure incidents that affect all resources in that location.

Multi-region storage addresses this vulnerability by replicating data across two or more geographically separated regions. The design considerations include:

• Synchronous vs. asynchronous replication: Synchronous replication ensures that data is written to both regions before confirming the write. This provides RPO zero (no data loss) but introduces latency. Asynchronous replication confirms the write to the primary region immediately and replicates to the secondary region with a delay. This provides better performance but introduces a non-zero RPO — typically seconds to minutes.
• Data residency constraints: UK financial services firms may have data residency requirements that limit replication targets. For firms requiring UK data residency, replication between AWS eu-west-2 (London) and eu-west-1 (Ireland) provides geographic separation while remaining within jurisdictions acceptable to most UK regulators. Firms with strict UK-only requirements may use multiple availability zones within eu-west-2.
• Consistency model: In a multi-region architecture, there is an inherent tension between consistency (all regions have the same data) and availability (the service continues operating if a region fails). For document signing, consistency of the audit trail is paramount — an audit trail that differs between regions would undermine its evidentiary value. This favours designs that prioritise consistency, accepting a brief period of unavailability during failover.

Vault Integrity During Failover

The most critical aspect of disaster recovery for a document vault is maintaining integrity during failover. When the primary region fails and operations switch to the secondary region, the system must ensure that:

• All documents in the vault are present and unmodified in the secondary region.
• All audit trail events are complete and in the correct sequence.
• Cryptographic hashes in the secondary region match those in the primary region.
• Immutability constraints (object lock, retention periods) are enforced identically in the secondary region.

These requirements argue for a verification step during failover: before the secondary region accepts live traffic, the system should verify the integrity of the replicated data by checking cryptographic hashes and audit trail chain integrity. This verification adds time to the failover process but prevents a scenario where the system fails over to corrupted or incomplete data.

Testing: The Overlooked Obligation

The FCA's operational resilience framework explicitly requires firms to test their ability to remain within impact tolerances. Testing is not optional, and it must be realistic — scenario-based exercises that simulate severe but plausible disruptions, not merely tabletop discussions.

For document signing platforms, testing should cover the following scenarios:

• Primary region failure: Simulate the loss of the primary storage region and verify that the signing service fails over to the secondary region within the RTO. Verify that all documents and audit trails are intact after failover.
• Data corruption: Introduce controlled corruption to replicated data and verify that cryptographic verification detects the corruption before it is served to users.
• Prolonged outage: Test the system's behaviour during an extended outage (24-72 hours) of the primary region. Verify that the secondary region can sustain full operations for this period.
• Recovery and reconciliation: After the primary region is restored, verify that data reconciliation between primary and secondary regions is correct and that no documents or audit events are duplicated or missing.

Testing should be conducted at least annually, with results documented and reviewed by the firm's operational resilience governance function. The FCA expects firms to be able to provide evidence of testing when asked.

Third-Party Dependency Management

When the document signing platform is provided by a third party (as is typically the case), the firm's disaster recovery assessment must extend to the provider's capabilities. The FCA's expectations regarding third-party operational resilience are clear: the firm remains accountable for the resilience of its important business services, regardless of whether the underlying technology is operated internally or externally.

Due diligence on a document signing provider's disaster recovery should include review of the provider's architecture documentation (particularly replication strategy and failover mechanisms), their RPO and RTO commitments (with contractual backing, not just marketing claims), their testing programme and results, their incident response procedures and communication protocols, and their compliance with relevant standards (ISO 27001, SOC 2) as they relate to business continuity.

Disaster recovery for document signing is not merely a technology concern — it is a regulatory obligation. The FCA expects firms to demonstrate that their important business services, including those dependent on third-party platforms, can withstand severe disruptions without breaching impact tolerances. The evidence of this capability is documented, tested, and current.

Financial services firms that approach disaster recovery as an integral component of their document signing infrastructure — rather than an afterthought — will find themselves well-positioned for both regulatory scrutiny and genuine operational incidents. The cost of preparation is predictable. The cost of unpreparedness is not.