
Details of critical third parties regime in UK financial services emerge

Out-Law News | 09 Jun 2022 | 7:49 am | 4 min. read

‘Critical third parties’ (CTPs) serving financial institutions will be subject to direct regulation by the UK’s financial regulators, the Treasury has said in a move expected to impact some cloud computing providers and other technology suppliers active in the UK financial services sector.

In a policy paper that confirms previous reporting by Out-Law, the Treasury explained how the new CTPs regime would operate and provided insight into the nature of regulatory requirements CTPs could face.

Businesses can expect legislative proposals to underpin the new regime to be published later this year.

“No single firm can manage risks originating from a concentration in the provision of critical services by one third party to multiple firms” (The UK Treasury, 'Critical third parties to the finance sector' policy statement)

Angus McFadyen of Pinsent Masons, an expert in technology law in financial services, said the UK proposals are well timed and align with proposals put forward for a new Digital Operational Resilience Act (DORA) in the EU.

McFadyen said: “Concentration risk has long been a concern in the financial services sector. Firms have been unsure how best to address it at a market level, and even struggle within their own groups.”

“We are seeing a high degree of reliance on a small number of providers, particularly cloud service providers, but also sector-focused technology providers that perform essential roles supporting some business lines. This is reaching a stage where problems affecting those providers could have an impact equivalent to outage in financial market infrastructure,” he said.

Under the proposed new regime, the Treasury would be responsible for designating service providers as CTPs subject to regulation by the Financial Conduct Authority, Prudential Regulation Authority or Bank of England. Each of those regulators will be able to input into the decision-making process. Once a CTP has been designated, the regulators would then be able to impose minimum standards of resilience on those businesses and subject them to rigorous testing.

Regulators are to be given a broad suite of powers to support their effective oversight of the regime, according to the plans. These include information-gathering powers in relation to the resilience of CTPs’ material services to firms, scope to commission a report by an independent ‘skilled person’ on certain aspects of a CTP’s services, and powers to appoint an investigator to look into potential breaches of requirements under the legislation. As part of an investigation, the regulators will also have the power to interview a representative of a CTP, require the production of documents, and enter a CTP’s premises under warrant.

Further statutory powers would underpin the regime. According to the Treasury, the regulators would be able to direct CTPs to take or refrain from taking specific actions, while their powers of enforcement would enable them to publicise failings and, as a last resort, prohibit a CTP from providing future services, or continuing to provide services, to firms. It is unclear from the policy paper whether the regulators would have powers to issue fines in relation to non-compliance.

The Treasury set out the case for reform in its policy paper. It said many financial institutions are relying on a relatively small number of third-party service providers to deliver material services, and that the risk of disruption to third parties and their supply chains is increasing, citing the rising number of cyber incidents reported by the National Cyber Security Centre as evidence for this.

The Treasury also identified limitations with the existing regulatory framework. The current framework has enabled regulators to impose operational resilience obligations on financial institutions. These have flowed down into contracts those institutions have with third parties. However, the Treasury said the powers the regulators have currently are “[not] sufficient to tackle the systemic risk that disruption at a third party providing key services to multiple firms could cause”.

“No single firm can manage risks originating from a concentration in the provision of critical services by one third party to multiple firms – for example, if these services cannot be easily restored or substituted promptly and without undue costs and risks in the event of the third party’s failure or disruption,” the Treasury said. “There may also be significant information and power asymmetries between certain third parties and firms, which may prevent firms from obtaining adequate assurances that their contractual arrangements achieve an appropriate level of operational resilience.”

The Treasury confirmed that primary legislation is required to provide for the new CTP regime, with secondary legislation to follow to give effect to the designation of businesses as CTPs. It pledged a “flexible and proportionate” regime that supports a “competitive and innovative” finance sector and its supply chain.

In its policy paper the Treasury referred to plans the UK financial regulators have to issue a joint discussion paper on CTPs. A Bank of England official confirmed in April that the regulators plan to publish that paper this year. In a strong indication that the legislative proposals the Treasury is working on will be published before the end of 2022, the Treasury said that the discussion paper will be published “shortly after” the legislative proposals are set out.

According to the Treasury, the regulators’ discussion paper will outline “in detail how any powers granted to [the regulators] in legislation might be exercised” and also invite industry to share their views on how they might exercise those powers in “the most effective and proportionate way”. The paper will also “explore the role of the financial regulators during designation” and “explore potential specific ways for the financial regulators to coordinate the exercise of their powers with overseas financial regulators, and UK authorities and regulators from outside the financial services sector”.

Publication of the Treasury’s plans comes after a background document published alongside the recent Queen’s Speech suggested that the government plans to legislate this next parliamentary year to support resilient outsourcing to technology providers in the financial services sector via a new Financial Services and Markets Bill. Out-Law understood that initiative to reflect recommendations made by the Bank of England’s Financial Policy Committee (FPC) last year, and this was confirmed by the Treasury in its policy paper.