Community
Subsequent to a joint discussion paper (3/22 – Operational resilience: Critical third parties to the UK financial sector) published in July 2022, the Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) issued joint proposals on 7 December 2023 to increase resilience of the financial sector by overseeing critical third parties, consulting on how to oversee and strengthen the resilience of services provided by critical third parties (CTPs) to financial services firms and financial market infrastructure entities (FMIs).
The proposals follow Parliament’s adoption of the Financial Services and Markets Act 2023, which gave HM Treasury (HMT) the power to designate certain third party service providers to UK firms and FMIs as CTPs and the regulators powers to make rules for, and oversee, CTPs designated by HMT. The consultation paper (CP) build on the July 2022 discussion paper, which set out the regulators’ plans to oversee the critical services provided by CTPs to the financial sector. The CP provides details of the new regime which will enable the regulators to manage CTP-related systemic risks, while allowing firms and FMIs to continue benefiting from the technology services they provide.
The regulators are concerned that some firms and FMIs are becoming increasingly dependent on third-party technology providers for services such as cloud computing and data analytics that could impact UK financial stability if they were to fail or be disrupted, and set out that this requires “an appropriate but proportionate level of direct regulatory oversight” particularly as CTPs continue to be a concentrated group.
In DP3/22, the regulators acknowledged the potential benefits that services provided by third parties can bring to firms and FMIs and underscored the regulators’ support for the safe and sustainable use of these services. However, they also expressed specific concerns that "the failure of certain third parties, or severe disruption to the material services that they provide to firms and FMIs, could pose risks to the financial stability of the UK, which provided a case for regulatory intervention".
The proposals in the CP are, therefore, expected to improve the resilience of the critical third-party services that financial firms and their customers depend on, support market integrity and enhance UK competitiveness and growth. The question is what “an appropriate but proportionate level of direct regulatory oversight” of CTPs would mean in practice. While financial services firms are responsible for their operational resilience and are accountable for their own arrangements with third party service providers, they are unable to address the systemic risks that CTPs may pose. Therefore, regulators are stepping in with a regulator framework that target third party resilience.
The proposals in the CP set out the rules and principles that would apply to all the services CTPs provide to UK firms and FMIs. The regulators' proposed approach relies on the provision of information by CTPs to the supervisory authorities to assess the resilience of material services. These include granular operational risk and resilience requirements, which will apply only to CTPs’ material services to firms and FMIs, particularly with respect to cyber resilience, supply chain risk and incident management. It is proposed that CTPs submit their first self-assessment "within three months of designation and annually thereafter" and complete their first map of the resources including the assets and technology used to deliver, support, and maintain each material service it provides and version of their financial sector incident management playbook "within the first twelve months following their designation, and annually thereafter".
The CP also sets out the regulatory framework through which potential CTPs would be identified, which includes criteria such as the number and type of services they provide to financial services firms and the materiality of those services. However, it should also be noted that they also clarify that "a CTP’s designated status will not necessarily mean that it is inherently more resilient, safer, or more suitable to provide a given service to a given firm or FMI than non-designated third parties providing the same or similar services".
The regulators clarify that they plan to recommend third parties for designation as CTPs "based on their assessment of the potential impact that a failure in, or disruption to, these third parties’ services could have on the stability of, or confidence in, the UK financial system". According to the CP, before designating a third party service provider as a CTP, HMT will have regard to "the materiality of the services that the third party provides to firms and FMIs to the delivery of essential activities, services, or operations; and the number and type of firms and FMIs to which the person provides services".
The regulators also clarify that they will also have regard to "whether firms and FMIs have reported in the outsourcing and third party register that a third party supports their delivery of ‘Important Business Services’ as defined under the regulators’ respective operational resilience policies". They further explain that "the fact that a firm or FMI does or does not identify a third party as supporting the delivery of an important business service would not override or substitute the regulators’ own assessment of whether a third party meets the ‘materiality’ criterion". Through the CP, the regulators further propose to "treat multiple distinct services provided by the same service provider to firms and FMIs as material in aggregate if they consider that their combined disruption or failure could threaten the stability of, or confidence in, the UK financial system".
From a compliance perspective, the proposed CTP regime will push CTPs in scope to demonstrate that they can improve the resilience of their own operations that support financial services firms. The CP introduces specific supervisory requirements for CTPs, which primarily include regulatory submission requirements that would notify the regulators of specific disruptions which may adversely impact the services provided and, that would provide assurance to the regulators of their ability to provide material services in severe but plausible disruption through an annual self-assessment and regular scenario testing.
It is noteworthy that the proposed requirements would apply to services provided to firms and FMIs regulated by the Bank, PRA, and/or FCA, regardless of where they are carried out. This means that the proposals are "agnostic as to the location of a CTP". The regulators clarify that "there is no requirement for a CTP to set up a UK establishment (e.g. a subsidiary) where one does not already exist. This proposed approach recognises that CTPs may provide services from multiple jurisdictions (which can help improve the efficiency and resilience of these services)". The CP specifies that "the firms and FMIs that receive services from CTPs may operate in multiple jurisdictions. This proposed approach could also reduce compliance costs for CTPs, firms and FMIs compared to an approach that required CTPs to localise entities, infrastructure, personnel, or services in the UK".
The proposals are aligned with the Financial Stability Board’s (FSB) recent report on enhancing third-party risk management and oversight and the European Union’s Digital Operational Resilience Act (DORA), which established binding rules for information and communication technology (ICT) risk management, incident reporting, resilience testing and third-party risk management (TPRM) in 2020, allowing supervisors to oversee Critical ICT Third Party Providers (CTPPs) including Cloud Service Providers (CSPs). For instance, in line with the FSB, the CP does not consider that concentration in the provision of third-party services to firms or FMIs automatically pose systemic risks and that "concentration can reflect the quality, including the resilience, of a third party’s services".
The proposed requirements in the CP aim to complement, but not override the existing regulatory responsibilities of financial services firms and FMIs with respect to their operational resilience, providing much-needed clarity on their obligations and those of CTPs. Given its focus on third-party risk management, the CP is also relevant to the Supervisory Statement SS2/21 Outsourcing and Third Party Risk Management published in 2021, which sets out the PRA expectations of how firms should comply with regulatory requirements and expectations relating to outsourcing and third party risk management.
Finally, it should be noted that the regulators remind that "firms and FMIs will remain accountable and responsible for assessing the materiality and risks for each of their outsourcing and third party arrangements and performing appropriate and proportionate due diligence on potential third parties". They further specify that the proposals will complement but "not blur, eliminate, or reduce the accountability and responsibility of firms, FMIs, their boards, and senior management" including "any individuals performing Senior Management Functions (SMFs) from continuing to fulfil their existing regulatory obligations on operational resilience and third-party risk management".
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Elaine Mullan Head of Marketing and Business Development at Corlytics
12 August
Abhinav Paliwal CEO at PayNet Systems- A Neo Banking Software Platform
Donica Venter Marketing coordinator at Traderoot
Dmytro Spilka Director and Founder at Solvid, Coinprompter
11 August
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.