Round-up of techUK’s Critical Third Party event and explainer
Last week, techUK held a one-day conference focusing on the forthcoming Operational Resilience for Critical Third Party regulatory regime in financial services. This work will bring third parties who are deemed ‘critical’ to the stability of the UK financial services system into the scope of their sector regulators for the first time. More on this below. The event featured speakers from across financial services regulation and HM Treasury.
Delivering a keynote address to the conference was Director of Prudential Risk, Gareth Truran, who not only set out the scope of the work and why the Bank of England were helping to deliver it. He also set out that we expect to see the final requirements published at the back end of 2024. The speech Gareth delivered can be found on the Bank of England’s website.
The event was hosted under Chatham House rule, so no quotes are directly attributable, but there was discussion around the definition of criticality and does this pertain to criticality to one firm or the entire system. To this end, we are expecting a paper to be published shortly after the close of the consultation which explains HM Treasury’s approach to designation which should provide greater clarity.
We are currently collecting feedback ahead of the regulators’ deadline of 15 March and given the dynamic nature of this work, also convening a working group to engage on the policy.
To help members understand the regime and the potential impacts, fellow member PWC have produced this helpful explainer which we’re happy to share.
Exploring the Critical Third Parties regime: a new regulatory frontier
Authors: Charles Rodger, Director, Tom Kohler, Director, Hugo Rousseau, Manager, PwC UK
The Bank of England, Prudential Regulation Authority, and Financial Conduct Authority (‘the regulators’) have released updated proposals for the Critical Third Parties (CTP) regime. In the consultation paper CP26/23, released on 7 December 2023, they detailed the operational resilience requirements that firms designated as CTPs will need to adhere to.
The CTP regime will have a profound impact on the technology sector in particular, as key providers to the financial services (FS) sector become subject to direct oversight by the regulators for the first time. In this article, we take a look at the requirements proposed in CP26/23 in more detail, and see how they fit into global regulatory developments of a similar nature.
Scope and objectives of the regime
The regime responds to concerns over the financial sector's growing reliance on a few key service providers, like cloud hyperscalers, now crucial to the UK and global financial system. Concerns that failure or disruption to these providers, and the material services they deliver could compromise financial stability have led the regulators to propose a new oversight regime, using new statutory powers granted to them in 2023.
To determine which firms should be designated by HM Treasury, the regulators will use a set of criteria including:
- the significance of the services provided
- market concentration
- other relevant factors, such as the absence of viable alternatives or potential risks during service migration.
The CTP regime will complement existing operational resilience and third-party risk management requirements for FS firms. The regulators clarify that CTP designation is not a 'regulatory kitemark,' and FS firms should not view CTPs as inherently more resilient or exempting them from their own obligations. CTPs will also be advised not to use their designation for marketing purposes.
A new regulatory frontier
The CTP regime will alter how CTPs manage their resilience strategies and interactions with regulators. They will come under direct regulatory oversight, needing to meet new requirements and expectations.
These include adherence to six 'fundamental rules' that apply to all services provided by CTPs. These proposed rules mirror some of the rules that FS firms are required to follow, compelling CTPs to:
- conduct business with integrity
- conduct business with due skill, care, and diligence
- act in a prudent manner
- implement effective risk strategies and risk management systems
- organise and control affairs responsibly and effectively
- deal with the regulators in an open and cooperative way.
Many potential CTPs may believe they are operating in accordance with the principles behind these fundamental rules. However, they may find that demonstrating compliance to the regulators presents new governance challenges.
In addition to the fundamental rules, the proposals include eight operational resilience requirements so CTPs can prevent or recover from disruptions to the material services they provide:
- Governance: CTPs need clear governance structures for effective oversight and regulatory contact.
- Risk management: Implement processes to identify and manage internal and external risks.
- Dependency and supply chain risk management: Manage risks in supply chain and third-party dependencies.
- Technology and cyber resilience: Establish measures against technological and cyber threats.
- Change management: Systematically manage service changes with risk minimisation.
- Mapping: Map necessary resources and identify interconnections for service delivery.
- Incident management: Have measures for incident response and recovery, including a disruption tolerance level.
- Termination of services: Plan for orderly termination of services, including transfer arrangements.
CTPs will be required to conduct regular self-assessments and scenario testing to ensure their capacity for ongoing delivery of material services (including in the event of a ‘severe but plausible disruption’). Additionally, they must report any incidents as part of their regulatory obligations.
As a result, CTP firms will need to review their material service arrangements, leading to potential updates in service delivery, contracts, supply chains, governance, skills, training, and incident management protocols. Some of these actions will need to be implemented rapidly, as the regulators proposed a compact time frame:
- submit the initial self-assessment to the regulators within three months of designation
- complete the inaugural resource map, covering the assets and technology that support and maintain each material service, and create the first version of their financial sector incident management playbook, including its initial testing within the first twelve months following designation.
The international dimension: what about DORA?
The CTP regime marks a significant development in the UK, continuing the trend towards an increased focus on comprehensive third-party risk management and operational resilience. This follows the extended scope of the UK implementation of the European Banking Authority Outsourcing Guidelines and aligns with global trends.
In the USA, the Bank Service Company Act (BSCA) empowers the US Federal Banking Agencies to supervise and regulate certain bank services provided by third parties. The EU's Digital Operational Resilience Act (DORA) sets standards for critical ICT service providers in risk management, incident reporting, and resilience testing, with a compliance deadline of 17 January 2025.
While varying regulatory regimes emerge in different jurisdictions, regulators have been discussing these issues and regimes internationally, including through the Financial Stability Board. This could support further harmonisation on the scope, principles and requirements embedded within each of those regimes.In the UK, the regulators indicated that they designed the CTP regime to be as 'interoperable as reasonably practicable' with other regimes. They will accept shared notifications and information provided to authorities in charge of DORA and BSCA, like incident reports, if they meet the UK's CTP requirements.
Despite these efforts and similarities in the overarching principles behind these regimes, firms are likely to face diverse regulatory demands. While aiming for global compliance, firms will need to tailor their frameworks to meet specific requirements in the jurisdictions in which they operate. Crucial to this is conducting thorough jurisdictional analysis and establishing a framework that enables clear demonstration of senior management's control and oversight, with direct engagement with regulatory bodies.
The CTP regime represents a significant shift, extending financial services regulation to the material services provided by CTPs and their supply chains. Firms likely to be in scope of the regime should reassess their arrangements and evaluate the regime's impact on services they provide to FS customers. Even firms outside the regime's scope may consider adopting some of its rules, responding to evolving expectations from customers and regulators across jurisdictions.
Financial Services updates
Sign-up to get the latest updates and opportunities from our Financial Services programme.
Ella Gago-Brookes
Ella joined techUK in November 2023 as a Markets Team Assistant, supporting the Justice and Emergency Services, Central Government and Financial Services Programmes.