FCA: AI providers could face UK financial services regulation

In a new ‘AI update’ (26-page / 399KB PDF), the regulator confirmed that AI providers could be designated as ‘critical third parties’ (CTPs) in future, depending on how use of AI in UK financial services evolves.

“Although [the CTP] regime is not specific to AI, the concept of services a CTP provides is broad enough to encompass considerations around the systemic use of a common AI model (e.g. data bias, model robustness),” the FCA said. “The adoption of AI may lead to the emergence of third-party providers of AI services who are critical to the financial sector. If that were to be the case, these systemic AI providers could come within scope of the proposed regime for CTPs, if they were designated by HM Treasury.”

The financial sector is increasingly reliant in its daily operations on outsourced technology and third-party service providers. In that context, the Bank of England (the Bank), Prudential Regulation Authority (PRA) and the FCA have moved collectively to introduce rules to try and ensure sector stability and operational resilience.

The CTP regime formally came into effect in UK law on 1 January 2025 but has not yet been implemented in practice.

Under the CTP regime, CTPs will be obliged to adhere to a suite of regulatory requirements, including governance and transparency standards. However, those rules only have practical impact where a business has been designated a CTP by the Treasury. No business has yet been designated a CTP in the UK.

In its update, the FCA said it, the Bank, and the PRA, are “currently assessing their approach” to CTPs.

Luke Scanlon, an expert in financial services technology contracts at Pinsent Masons, said: “The UK CTP regime in many respects mirrors the system of regulation provided for under the EU’s Digital Operational Resilience Act (DORA).”

“DORA began applying in January and, like the UK CTP regime, provides for so-called critical ICT third-party service providers to fall subject to direct financial services regulation upon their designation by the European supervisory authorities. We expect news on DORA designations to emerge over the coming months. It seems likely that the Treasury will then follow with its own initial CTP designations thereafter,” he said.

“For providers of AI models, they are facing increased scrutiny and compliance obligations. In EU terms, the AI Act’s provisions impact providers of so-called ‘general purpose AI models’ came into effect in August – with a new code of practice helping to spell out how those providers can meet the underlying legislative requirements. The potential extension of the UK’s CTP regime to some AI model providers would represent a continuation of this trend and, potentially, could result in an overlap of compliance requirements across the different frameworks. More guidance from policymakers and regulators on navigating overlapping requirements would be helpful in that scenario, to assist AI providers operating in an increasingly complex regulatory environment,” Scanlon said.

The CTP regime builds on, but is distinct from, operational resilience obligations UK financial institutions are separately subject to.