Article | FI Observer

Operational Resilience in the UK Financial Sector: A new regime for critical third parties

By Samantha Magennis | January 12, 2023

Supervisory authorities are working on the implementation of a new regime to assess the resilience of services provided by critical third parties to the UK financial sector.
Financial, Executive and Professional Risks (FINEX)

The Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) (collectively the ‘supervisory authorities’) are working on the implementation of a new regime to assess and strengthen the resilience of material services provided by critical third parties (CTPs) to the UK financial sector. What does this mean for financial institutions going forward?

In July 2022, the supervisory authorities published a discussion paper (DP22/3¹) on this subject to share and obtain views on potential measures to manage systemic risks posed by third-party providers. The paper also sets out how the regulators could use new powers under the Financial Services and Markets Bill (FSM Bill) to achieve this².

The FSM Bill³ was introduced to Parliament on 20 July 2022 and includes a framework for the designation of certain third parties to be determined as ‘critical’ by HM Treasury (HMT). The Bill needs to be passed by Parliament before legislative change can be made.

Why is change needed?

The supervisory authorities have developed and implemented an operational resilience framework for regulated financial services firms and financial market infrastructure firms (FMIs). However, it has been widely acknowledged (within the discussion paper noted above) that the current powers are not sufficient to monitor the risk that disruption at a third party simultaneously providing key services to several firms could pose to the UK financial services industry.

What approach will be taken by the supervisory authorities?

The discussion paper includes the following potential measures that the supervisory authorities could use with their proposed powers:

  • A framework to identify potential CTPs who would then be recommended for formal designation by HMT.
  • Minimum resilience standards which would apply to the services that designated CTPs provide to firms and FMIs.
  • A range of tools for resilience testing of material services that CTPs provide to firms and FMIs, including scenario testing, cyber resilience testing, sector-wide exercises, and skilled person reviews of CTPs.

How will CTPs be identified?

The supervisory authorities expect only a small number of third-party service providers to the financial services sector to be designated as CTPs. The discussion paper suggests that cloud providers, other providers of Information and Communication Technology (ICT) services, and some providers of non-ICT services are possible examples of third-party providers that could fall into the CTP category, with the potential for new CTPs to be identified going forward.

Under the FSM Bill, HMT would be able to designate a third party as ‘critical’ if it was satisfied that a failure in, or disruption to, the provision of the services that it provides to firms and FMIs (either individually or where more than one service is provided, taken together) could threaten the stability of, or confidence in, the financial system of the UK.

The Bill proposes two high-level criteria for HMT to consider when determining whether a third-party provider should be designated as a CTP:

  1. The materiality of the services the third party provides to the delivery by firms and FMIs (including other persons on their behalf) of activities, services or operations that are vital to the economy of, or financial stability in, the United Kingdom (materiality); and
  2. The number and type of firms and FMIs to which the third party provides services (concentration).

What powers would the supervisory authorities have over the CTPs?

It is important to note that the supervisory authorities would take a service-led approach, regulating only the material services that the CTPs provide to UK firms and FMIs, and not the CTP entities.

The supervisory authorities will have a vast range of new powers over CTPs in their provision of services to firms and FMIs, including rulemaking, controlling activities undertaken by the CTP, gathering information, and conducting investigations. They would also be able to appoint experts or initiate a skilled person review, and to impose limitations on a CTP that is in breach of the requirements. They cannot, however, impose a financial penalty on CTPs, given that the regime is designed to provide protection in terms of the services the CTPs provide and not to regulate the companies themselves.

Under the Bill, each of the three regulators will be allocated responsibilities, and they will be required to consult one another before issuing rules, gathering information or taking enforcement action.

The new regime is intended to work alongside the current regulatory requirements on firms and FMIs and will not be a replacement of the current operational resilience framework⁴.

Next steps

The FSM Bill passed through the House of Commons at the end of 2022; it is now at the House of Lords stage, and the 2nd reading was scheduled for 10th January 2023.

The supervisory authorities will be able to consult on the proposed requirements and expectations for CTPs once they have considered the responses to the discussion paper, which closed on 23rd December 2022, and after the passing of the FSM Bill.

Third party service providers (especially ICT service providers) that service the UK financial sector may want to consider if they have the potential to be designated as CTPs and whether any early steps can be taken to ease the process of any future regulatory requirements. It is also important for companies to consider whether they have adequate insurance cover in place as part of their risk management strategy.


1 DP22/3: Operational resilience: critical third parties to the UK financial sector

2 The Bank of England, PRA and FCA set out potential measures to oversee critical third parties in a move to increase resilience of the financial sector

3 Financial Services and Markets Bill

4 Operational Resilience



GB Head of FINEX Financial Institutions

Susan Finbow
Global Head of FINEX Financial Institutions
