Out-Law Analysis

Actions for critical providers in UK financial services ahead of new regulatory regime


Critical third-party providers (CTPs) – a term that is likely to include ‘cloud’ and other ICT service providers – are facing increased direct regulation in the UK’s financial services market. That prospect requires would-be CTPs to undertake a wide range of actions, including reviews, documentation, mapping and testing exercises.

Businesses that could fall subject to the new CTPs regime can get a sense of the expectations that may fall on them from the draft rules that the UK financial regulators – the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority – have issued, as well as from their accompanying supervisory statement.

Here we outline some of the steps CTPs can take to meet these expectations, and areas where they should consider asking for further clarification via the regulators’ public consultation on the new regime.

Assess the proposal for designation

Third-party providers to the sector will fall within the oversight regime if they are designated by HM Treasury as CTPs. A designation will only take place after an opportunity has been given to the potential CTP to make representations about its proposed designation.

CTPs will have a limited opportunity to challenge a potential designation where they assess it to be unwarranted. As the regulators will be in part relying on market data and information gathered about CTPs from their regulated customers, CTPs may, for example, choose to investigate whether any incorrect assumptions or outdated data have been relied on in forming the basis for designation.

Appoint a central person as the point of contact

Once designated, CTPs will be required to appoint a central point of contact within their businesses to lead communications with the regulator. While this person will be the key contact, the regulator may at times also wish to speak to other members of staff, for example, specialists on technical matters.

The key contact must be available during UK business hours but need not be located in the UK. Out of hours contact details will be required for stressed circumstances. This is in contrast to the EU’s parallel critical third-party regime set out in the Digital Operational Resilience Act (DORA), which creates an expectation of presence within the jurisdiction. DORA requires CTPs to establish a subsidiary in the EU within the 12 months following designation.

In considering how best to resource this role, CTPs will need to assess whether the person selected has all necessary skills relevant to ensuring that effective communication channels with the regulators are maintained. A key aspect of the role will be to balance the requirement for the business to communicate with regulators in an open and cooperative manner against the need to clearly understand the circumstances in which it is permissible for information to be lawfully withheld for commercial or other reasons.

Carry out an annual self-assessment

CTPs will need to provide regulators with a self-assessment demonstrating compliance with the oversight requirements on an annual basis. While a template has not been provided, expectations for the content of self-assessments have been set out in the supervisory statement.

Self-assessments are to be “balanced, thorough and transparent”. They should also “openly highlight identified vulnerabilities, areas for improvement, and proposed remediation”.

A general requirement to openly identify vulnerabilities will be of concern to CTPs. The consultation period, which ends on 15 March 2024, provides an opportunity to clarify the circumstances in which information may be withheld, for example, where disclosure could lead to an undue increase in security or operational risk.

Create and maintain a financial sector incident management playbook

The supervisory statement requires CTPs to produce and maintain a financial sector incident playbook as an identifiable document. While this document may leverage existing response and recovery measures, it must be prepared specifically for incidents which relate to the financial sector.

The playbook should focus on how the CTP will coordinate its crisis communications processes and provide all relevant stakeholders, including regulated customers and regulators, with "accurate, consistent, and timely information and support throughout the lifecycle of the incident". The playbook must be made available to the regulator on request.

Test the financial sector incident management playbook

The financial sector incident management playbook is to be tested annually and may need to be re-tested if required by the regulator. The tests are to be carried out collaboratively “with an appropriately representative sample” of regulated customers.

CTPs must prepare and provide a report to the regulator after each test is conducted. The report will need to set out the key findings from the test, propose revisions to the playbook and provide “general, non-attributable feedback” such as any best practices identified as a result of the tests.

CTPs will need to consider what mechanisms they have in place for engaging with their financial sector customers to achieve this specific stream of testing. For some it may require new bilateral or multilateral arrangements to be put in place. For others, where their material contracts likely include requirements for testing customer plans, there may be a need to revise or augment the arrangements already in place. 

Meet scenario testing requirements

In addition to playbook testing, CTPs will also need to carry out scenario testing. These tests should include scenarios which relate to supply chain disruption.

CTPs may be familiar with the approaches that their customers have taken to scenario testing to meet their own operational resilience regulatory requirements. The supervisory statement does not specifically address whether both regulated entities and CTPs may use the same scenario testing exercise to meet their own regulatory testing requirements. While it is likely the regulator will accept that one test could serve both purposes if practically it could have that effect, an explicit confirmation of this in the supervisory statement would remove uncertainty.

Carry out extensive mapping exercises 

CTPs will need to prepare extensive resource maps for each of their material services. Each map will need to identify the resources required to deliver the service, including internal and external interconnections and interdependencies between resources.

The purpose of the mapping exercise is to identify vulnerabilities and facilitate scenario testing. The maps should therefore “focus on the resources that are essential to the CTP’s delivery of material services”. While the supervisory statement provides an illustrative example of the types of data and information about facilities, people, technology and supporting infrastructure that should be mapped, CTPs may want to use the consultation period as an opportunity to clarify the level of granularity that will be expected. 

Set maximum levels of tolerable disruption 

CTPs will be aware of the extent to which their services reflect the maximum levels of tolerable disruption set by their regulated customers. However, prior to these rules, although providers will have taken steps to support customers in meeting maximum levels of tolerable disruption through service level and business continuity commitments, they have not themselves needed to define their services in these terms.

In requiring CTPs to set maximum levels of tolerable disruption for their material services, regulators will expect CTPs to be prepared for “severe but plausible disruption” scenarios. There is no regulatory definition for severe but plausible disruption. There is also not much evidence of wholly consistent practices on distinguishing circumstances which may be considered implausible at a granular level with quantitative or qualitative metrics from those that are not. CTPs, therefore, may assist the regulators during the consultation period by providing reasoned evidence as to the practical considerations which should be taken into account when determining whether circumstances are plausible or not.

Prepare for termination

The supervisory statement requires CTPs to plan for the termination of material services provided to regulated customers. This requirement is not intended to replace the requirements for mandatory contractual provisions relating to termination imposed on regulated financial entities.

The supervisory statement requires CTPs to “draw on examples (actual or hypothetical) to illustrate how it would support [a regulated customer] in the event of a termination of its service(s)”. The purpose of the requirement appears to be to give regulators direct insight into the choices CTPs make in fulfilling their commitments made under contract to regulated customers to facilitate orderly termination and exit.

CTPs are to include information regarding their approach towards termination in their self-assessments. The information provided should cover different scenarios including those which result due to a change of control, corporate reorganisation, insolvency, judicial, legal, political or regulatory issues arising, or as a result of disruption from which the service cannot recover.

Review subcontracting arrangements for compliance

A lot of attention is given to the CTP's supply chain in the supervisory statement. It is defined broadly to be "the network of persons that provide infrastructure, goods or services and other inputs directly or indirectly utilised by a CTP to deliver, support, and maintain a material service."

CTPs must "take all reasonable steps" to ensure their supply chains understand their oversight regulatory requirements. It is expected that supply chains will facilitate CTPs in meeting their requirements and provide regulators with access to relevant information.

CTPs are required to ensure that the due diligence they perform on their supply chains is appropriate, that they are transparent with the regulator about the supply chain and that sub-contracting arrangements do not act as impediments to sharing necessary information with regulators.

While the supervisory statement requires CTPs to focus on “key Nth service providers” or sub-contractors and refers to the principle of proportionality, there are requirements which apply to “each person” in the supply chain. CTPs may therefore want to clarify the extent to which they will be expected to obtain contractual commitments from different parts of their supply chain, including those that are not essential to the delivery of material services.   

Communicate as required with regulators

CTPs will come under the requirement to disclose "appropriately anything relating to the CTP" of which the regulator "would reasonably expect notice". This is a requirement that in principle also currently applies to regulated entities. Due to its generality, CTPs may have difficulties ensuring that it is effectively operationalised and may want to advocate for more guidance on expectations around policies, processes and controls required to support its implementation.

CTPs must also notify regulators if civil proceedings or alternative dispute resolution pose a significant threat to their reputations or service delivery, if they are subject to criminal proceedings or convictions for fraud or dishonesty, if they face disciplinary measures from other authorities, if they have financial difficulties that could lead to insolvency proceedings, or if there are circumstances that seriously impact their ability to meet CTP requirements. Sufficient records to enable the regulator to perform its oversight functions and assess the CTP's compliance must be kept.

Prepare for incident response notification requirements

The supervisory statement requires CTPs to make regulators aware of “relevant incidents” through a phased approach. After an initial notification is made, CTPs are also required to make intermediate notifications and a final incident notification.

The process is detailed and broadly reflects that of the EU’s Digital Operational Resilience Act (DORA). The regulators have suggested that they intend for the requirements to be interoperable with those of parallel regulatory regimes in other jurisdictions, such as DORA, but only to the extent that all supervisory statement requirements are met. During the consultation period, CTPs that operate in both the UK and other jurisdictions may want to review the supervisory statement’s incident response requirements against those of other jurisdictions to understand whether there are any unexpected deviations which could cause unnecessary administrative burdens.

Prepare for skilled person reviews

CTPs will need to ensure that they are familiar with the regulators’ powers to appoint skilled persons to conduct reviews and issue reports. A skilled person report may be commissioned to support a broad range of objectives that the regulators may have.

Broadly the purpose of the report, for diagnostic purposes, may fall into one of four categories: to identify and assess risk; for ongoing monitoring purposes; to support preventative action; or to confirm the need for remedial action. Skilled person reviews may also be used to support enforcement action contemplated by the regulators.

CTPs will want to ensure that they are aware of their obligations when skilled persons are appointed and the extent of their discretion to contract with a skilled person of their choosing on approval by the regulators. CTPs will be responsible for the costs associated with these reports.

Ensure sales teams, agents and distributors do not ‘sell’ their designation status

It will be tempting for a CTP to use its designated status as a means to give customers assurance of its ability to conform to regulatory requirements and provide services within the sector. The supervisory statement, however, strictly prohibits this.

CTPs cannot indicate that designation is an "endorsement" by the regulator, that designation "means its services are superior" or that it "confers any advantage" for a regulated customer as compared to using the services of a non-designated provider. This applies to any communication made by the CTP or on its behalf.

Sales staff and third parties engaged in sales and distribution activities will need to be made aware of this rule early on. Effective policies and processes may need to be put in place to ensure that it continues to be met.

Respond to the consultation

Businesses that may fall within scope of this oversight regime have until 15 March 2024 to respond to the consultation. The consultation period provides a significant opportunity to help the regulators form rules and guidance which take into account practical implications and avoid unintended consequences.
