UK financial regulators recently published their supervisory expectations for critical third party service providers (CTPs) to the financial sector under the United Kingdom’s new regime extending regulatory oversight to CTPs. The final rules align with key themes of other regulatory regimes seeking to reinforce operational resilience (e.g., the EU Digital Operational Resilience Act (DORA)) around risk management, supply chain management, and incident management, among other areas.
The final rules will take effect from January 1, 2025; however, the statutory obligations on a CTP will only apply from the date on which an entity is designated by the UK government as a CTP based on the recommendation of the financial regulators.
Context
Financial services firms and financial market infrastructures have become increasingly reliant on the services of third parties. Under the UK Financial Markets and Services Act 2023, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) are granted oversight powers in relation to CTPs, which include technology and other service providers to financial services firms.
This enables the FCA and PRA to intervene to raise the resilience of the services that CTPs provide (or to prohibit the use of a CTP whose services are deemed deficient by the regulators), thereby mitigating the risk of systemic disruption to the financial sector.
The global disruption arising from the CrowdStrike IT outage in July 2024 highlighted the importance of ensuring operational resilience in order to minimize the potential impact on consumers and markets. The FCA separately published observations and key lessons from that event, which tie in with requirements under the CTP regime and operational resilience rules.
Key Factors for Designating CTPs
The UK government (through HM Treasury) may designate an entity as a CTP only if it is satisfied that a failure in, or disruption to, services it provides to firms could threaten the stability of, or confidence in, the UK financial system. This designation process takes into account the following:
- Materiality of services: One of the most important considerations is the materiality of the third party’s services to the delivery of essential activities, services, or operations of regulated financial services firms. This will take into account notifications to regulators by regulated firms of their “important business services” and material outsourcings.
- Concentration of services: Concentration risk arises when a limited number of providers dominate a crucial service, such as IT infrastructure. A failure of any one provider in such a concentrated market could pose systemic risks to the financial sector. The number and types of firms to which the third party provides services will be taken into account.
- Substitutability of services: Whether a third party’s services are difficult to migrate or replace is another key factor, as is whether the third party has direct access to regulated firms’ personnel, processes, technology, and data that supports the delivery of important business services.
- Location of the CTP is irrelevant: Regardless of whether the provider is based in the UK or abroad, it may be designated as a CTP if its services are integral to firms’ services or operations.
CTPs are designated by HM Treasury on the recommendation of the FCA and PRA, and the designation process is expected to take around six months. HM Treasury will allow the third party and potentially other stakeholders to make representations as to a proposed designation.
Resilience Standards and CTP Fundamental Rules
From the effective date contained in the designation order, a CTP must comply with operational resilience rules that are contained in the PRA and Bank of England rulebooks and the FCA Handbook regarding the following areas:
- Governance and risk management, e.g., establishing a central contact point for the regulator and defining clear roles and responsibilities for delivering systemically important services.
- Supply chain risk management, e.g., ensuring that third-party suppliers are informed of the duties that apply to the CTP and putting in place measures to mitigate the impact on its services of any disruption to those third-party suppliers.
- Cyber resilience, e.g., having comprehensive cyber resilience strategies and processes and regularly testing the same.
- Change management, e.g., ensuring that prior to implementation any change is appropriately risk-assessed, recorded, tested, verified, and approved.
- Mapping resources and interdependencies for systemic third-party services that it provides, within 12 months of being designated as a CTP.
- Incident management and reporting, e.g., maintaining an “incident management playbook” for responding to and recovering from operational disruptions such as cyberattacks or system outages.
- Termination of services, e.g., having in place arrangements to support the effective, orderly, and timely termination (for any reason) of systemic third-party services that it provides, including ensuring access to any relevant firm’s assets.
In addition to the above resilience standards, CTPs must adhere to conduct requirements in the form of six Fundamental Rules, which broadly align with the FCA Principles for regulated firms: conducting business with integrity; conducting business with due skill, care, and diligence; acting in a prudent manner; having effective risk strategies and risk management systems; controlling its affairs responsibly and effectively; and dealing with each regulator in an open and cooperative way.
Changes in the Final Supervisory Expectations
The final version of the supervisory expectations did not differ significantly from the proposals, with changes being primarily either clarificatory or taking a more proportionate approach.
For example, the term “systemic third party service” replaces “material service” in the proposed rules in order to reduce potential confusion with other existing terms, such as “material outsourcing.” The final rules also provide more flexibility in the approach to incident management by removing the requirement to create a bespoke “financial sector incident management playbook.” Instead, CTPs can use their existing documented incident management policies and procedures provided that they meet the required outcomes. These examples reflect feedback that the regulators received from certain technology industry participants.
Potential Sanctions for Noncompliance
The CTP regime comes with disciplinary measures that the regulators may take against CTPs if they fail to comply with the resilience requirements, including public censure, prohibiting the CTP from entering into arrangements or continuing to provide services to authorized firms, and issuing conditions or limitations on a CTP’s services to authorized firms.
Analysis
These supervisory expectations under the UK CTP regime align with international regulatory trends toward ensuring operational resilience. For example, the EU’s DORA requires regulated financial entities to implement many of the resilience standards above through contractual arrangements with the third-party service providers supporting critical or important functions. CTPs should be able to leverage existing processes and, once the UK CTP designations are published, some EU financial entities may point to these obligations of service providers.
The CTP regime’s extraterritorial effect for service providers also aligns with the approach in DORA, with which many non-EU providers are currently grappling. However, it is important to highlight that a CTP must be of critical importance to the UK financial sector as a whole, and not solely in respect of a single customer.
Trainee solicitor Ava Bajrami assisted with this blog post.