The Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) (collectively the ‘supervisory authorities’) are working on the implementation of a new regime to assess and strengthen the resilience of material services provided by critical third parties (CTPs) to the UK financial sector. What does this mean for financial institutions going forward?
In July 2022, the supervisory authorities published a discussion paper (DP22/31) on this subject with the purpose to share and obtain views on potential measures to manage systemic risks posed by third party providers and sets out how the regulators could use new powers under the Financial Services and Markets Bill (FSM Bill) to achieve this2.
The FSM Bill3 was introduced to parliament on 20 July 2022 and includes a framework for the designation of certain third parties to be determined as ‘critical’ by HM Treasury (HMT). The Bill needs to be passed by parliament before legislative change can be made.
The supervisory authorities have developed and implemented an operational resilience framework for regulated financial services firms and financial market infrastructure firms (FMIs). However, it has been widely acknowledged (within the discussion paper noted above) that the current powers are not sufficient in monitoring the risk which disruption at a third party simultaneously providing key services to several firms could cause to the UK financial services industry.
The discussion paper includes the following potential measures that the supervisory authorities could use with their proposed powers:
The supervisory authorities only expect a small number of third-party service providers to the financial services sector to be designated as a CTP. The discussion paper suggests that cloud providers and other providers of Information and Communication Technology (ICT) services and some non-ICT services are possible examples of third-party providers that could fall into the CTP category with the potential for new CTPs to be identified going forward.
Under the FSM Bill, HMT would be able to designate a third party as ‘critical’ if it was satisfied that a failure in, or disruption to, the provision of the services that it provides to firms and FMIs (either individually or where more than one service is provided, taken together) could threaten the stability of, or confidence in, the financial system of the UK.
There are two high-level criteria that the Bill proposes HMT consider when determining if a third-party provider should be designated as a CTP and these are:
It is important to note that the supervisory authorities would take a service-led approach, regulating only the material services that the CTPs provide to UK firms and FMIs, and not the CTP entities.
The supervisory authorities will have a vast range of new powers over CTPs in their provision of services to firms and FMIs, including rulemaking, controlling activities undertaken by the CTP, gathering information, and conducting investigations. They would also be able to appoint experts or initiate a skilled person review as well as having the ability to impose limitations on the CTP should they be in breach of the requirements. They cannot however impose a financial penalty on the CTPs given the regime is designed to provide protection in terms of the services the CTPs provide and not to regulate the companies themselves.
The Bill will see that each of the three regulators will be allocated responsibilities and they will be required to consult one another before issuing rules, gathering information or taking enforcement action.
The new regime is intended to work alongside the current regulatory requirements on firms and FMIs and will not be a replacement of the current operational resilience framework4.
The FSM Bill passed through the House of commons at the end of 2022, it is now at the House of Lords stage and the 2nd reading was scheduled for 10th January 2023.
The supervisory authorities will be able to consult on the proposed requirements and expectations for CTPs once they have considered the responses to the discussion paper which closed on 23rd December 2022 and after the passing of the FSM Bill.
Third party service providers (especially ICT service providers) that service the UK financial sector may want to consider if they have the potential to be designated as CTPs and whether any early steps can be taken to ease the process of any future regulatory requirements. It is also important for companies to consider whether they have adequate insurance cover in place as part of their risk management strategy.
1 DP22/3: Operational resilience: critical third parties to the UK financial sector
3 Financial Services and Markets Bill
