Out-Law News

Systemic risk to drive FCA regulation of ‘critical third parties’

Major cloud service providers and other businesses that provide services to financial services institutions could face direct regulation by the UK’s Financial Conduct Authority (FCA) in future, the regulator’s chief executive has confirmed.

Speaking earlier this month at an event in London, Nikhil Rathi said the FCA would move to regulate ‘critical third parties’ (CTPs) in a bid to address systemic risk in UK financial services.

“With so many financial services using critical third parties – indeed, as of 2020, nearly two thirds of UK firms used the same few cloud service providers – we must be clear where responsibility lies when things go wrong,” Rathi said. “Principally this will be with the outsourcing firm, but we want to mitigate the potential systemic impact that could be triggered by a critical third party. Together with the Bank of England and PRA, we will therefore be regulating these Critical Third Parties – setting standards for their services – including AI services – to the UK financial sector. That also means making sure they meet those standards and ensuring resilience.”

The recently enacted Financial Services and Markets Act 2023 provides for a new legal framework for the designation of CTPs by the Treasury and the subsequent regulation of their services by UK financial services regulators – including the FCA. In a policy paper published last summer, the Treasury confirmed that it plans for UK regulators to be empowered to impose minimum resilience standards on CTPs and subject them to rigorous testing, once designated.

Mhairi Mival of Pinsent Masons, who specialises in technology contracts in financial services, said: “UK moves to regulate CTPs mirror what is happening in the EU with the introduction of DORA. We would expect that any standards that the FCA imposes on CTPs will be in consultation with the other UK financial regulators, the Bank of England and Prudential Regulation Authority (PRA). CTPs can expect the FCA to adopt an outcomes-based approach to regulation. For financial institutions, the prospect of CTPs being directly regulated in the UK will not absolve them of their responsibilities for managing risks – including those arising from arrangements with third parties – to their operational resilience.”

In its policy paper last year, the Treasury said that after the FSMA 2023 received Royal Assent, businesses could expect the UK’s financial regulators to consult on their proposed rules for CTP regulation. Out-Law has asked the FCA for more details on the process ahead and likely timeframes.

In his speech, Rathi also commented on the use of AI – saying that the FCA is already seeing “AI-based business models” emerging in UK financial services. He stressed the need for proportionate regulation to balance the risks AI presents with the benefits to be derived from innovation. He also suggested firms’ investment “in fraud prevention and operational and cyber resilience will have to accelerate” at the same pace as AI is adopted.

“We will take a robust line on this – full support for beneficial innovation alongside proportionate protections,” he said.

Mival said: “There remains a lack of clarity on who will be responsible if something went wrong in the use of AI – whether that should sit with the firm, the AI developer or the user. Rathi did stress that any regulation would be proportionate, that its focus remained on ensuring that the technology protects the most vulnerable and safeguards financial access and inclusion, and confirmed that any new rules would only be introduced if necessary. Firms are encouraged to work with the FCA through its upcoming AI sandbox to help create AI solutions that maximise innovation but minimise risk to the user.”
