Out-Law News | 18 May 2022 | 2:33 pm | 2 min. read
UK financial regulators are to get new powers to bring some cloud service providers and other technology suppliers within their direct scope of regulation in a move designed to safeguard against the increasing dependency on those providers within the sector, Out-Law understands.
The necessary powers are expected to be set out in provisions of the Financial Services and Markets Bill – proposed new legislation trailed in last week’s Queen’s Speech.
Businesses designated as critical third parties would have to establish risk and control management frameworks that meet essentially the same standards that authorised firms have to meet in relation to the resilience of their core services
A background document issued by the government alongside the Queen’s Speech refers to the government’s plans for new legislation to support resilient outsourcing to technology providers in the financial services sector. However, details of the nature and purpose of the proposed legislation was not specified at the time.
Out-Law now understands, however, that the government intends to take forward recommendations made by the Bank of England’s Financial Policy Committee (FPC) last year. It said that “additional policy measures, some requiring legislative change, are likely to be needed to mitigate the financial stability risks stemming from concentration in the provision of some third-party services”.
The FPC highlighted how “critical third parties” (CTPs) are becoming increasingly relied on within the UK financial services sector. While it said that this can bring benefits such as “improved operational resilience”, it said that “the increasing criticality of the services that CTPs provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight”.
At the time, the FPC listed some policy measures it believes are necessary, including “an appropriate framework to designate certain third-party service providers as critical; resilience standards; and resilience testing”. Out-Law understands it is policy measures such as these that the new Financial Services and Markets Bill will provide for.
Angus McFadyen of Pinsent Masons, specialist in the application of technology law in the financial services sector, said: “It is a logical leap to expect that new UK rules would align with the EU proposals for a new Digital Operational Resilience Act (DORA) given the similar objectives and concerns of the regulators across Europe.”
“UK regulators already collect data from firms about their use of third party providers, so we would expect them to form a short list of CTPs from that information and for that list to then be reviewed annually. Businesses designated as CTPs would have to establish risk and control management frameworks that meet essentially the same standards that authorised firms have to meet in relation to the resilience of their core services. They are also likely to have a direct duty to cooperate with the regulators on things like regulatory investigations, and we might expect the CTPs to face significant fines – as they will under DORA – if they fail to cooperate properly,” he said.
The EU’s proposed new Digital Operational Resilience Act (DORA) envisages direct regulation of major technology providers to financial entities under a framework that would give powers to European supervisory authorities to designate specific ICT third-party service providers as subject to regulation and to then oversee their compliance. Provisional agreement on the EU DORA was reached by the EU’s two law-making bodies – the European Parliament and Council of Ministers – last week.
UK regulators are expected to publish a joint discussion paper on CTPs in UK financial services later this year.
11 May 2022
12 May 2022