UK financial regulators set out plans for ‘critical third parties’ regime

In a new consultation paper published on Thursday, the Bank of England, Prudential Regulation Authority, and Financial Conduct Authority (FCA) outlined proposals for the regulation of ‘critical third parties’ (CTPs) in UK financial services. The paper builds on a policy paper issued by the UK Treasury last year.

The regulators intend to develop virtually identical rulebooks for CTPs to “manage potential risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the services that a CTP provides” to UK-authorised financial services firms and/or financial market infrastructure entities (FMIs).

Under their plans, all CTPs would be subject to six high-level “fundamental rules”, while a series of more detailed requirements on operational risk and resilience would apply to the “material services” CTPs provide.

The fundamental rules proposed include requirements to conduct business with integrity, and with due skill, care and diligence, and to act in a prudent manner. CTPs would also be required to have effective risk strategies and risk management systems, and to organise and control their affairs responsibly and effectively. Under the sixth proposed fundamental rule, CTPs would be obliged to deal with the regulators openly and in a cooperative way and make appropriate disclosures to the regulators of anything relating to the CTP that they would reasonably expect notice of.

The operational risk and resilience requirements proposed include requirements around governance, risk management, and managing supply chain risk – the regulators in this respect expect CTPs to, among other things, “perform appropriate due diligence before entering into sub-contracting arrangements that are key to its delivery of material services and monitor these arrangements on an ongoing, or regular (at least annual) basis thereafter”.

Proposed requirements around technology and cyber resilience, change management, mapping, incident management, and termination, are also included within the umbrella of operational risk and resilience requirements planned.

Yvonne Dunn of Pinsent Masons, who specialises in financial services technology contracts, said: “Many of these requirements are currently included in services contracts as obligations on suppliers to reflect the regulatory obligations to which financial services firms are subject. With the new fundamental rules and the operational risk and resilience requirements proposed, CTPs must address direct requirements from the regulators rather than be indirectly affected by the regulatory regime via their contracts with financial services firms.”

As well as proposing what the new rules applicable to CTPs should address, the regulators also provided an insight into the more fundamental question of which specific businesses will be brought within scope of the new regime.

Under the Financial Services and Markets Act (FSMA) 2023, it is the UK Treasury, not the regulators, that has the power to designate third party service providers as CTPs – the Treasury can make such a designation if the failure in or disruption to the relevant third party service provider’s services would pose a risk to the stability of, or confidence in, the UK financial system. In considering the question of whether to designate or not, the Treasury is obliged to have regard to the materiality of the services that the third party provides to firms and FMIs to the delivery of essential activities, services, or operations, as well as the number and type of firms and FMIs to which the person provides services.

However, while the designation powers rest with the Treasury, it is obliged under the FSMA 2023 to consult with the regulators before exercising those powers and in practice it is anticipated that the regulators will proactively recommend to Treasury that it exercises its power to designate a third party as a CTP. In their consultation paper, the regulators explained how they will form an initial assessment, and make recommendations to Treasury, on whether individual third parties should be designated.

The regulators said their views in this regard will be informed by information gathered from a range of sources – predominantly, in time, information they intend to collect under a new outsourcing and third-party (OATP) data collection policy. The regulators intend to consult on that policy next year.

When looking at all the information, the regulators said they would assess the materiality of the services provided, the concentration of those services, and other drivers of potential systemic impact.

Those other drivers, they said, could include “the lack of viable alternative providers for one or more services”, or the difficulties and risks that could arise in switching, as well as the extent to which the third party “has direct access to firms’ and FMIs’ people, processes, technology, facilities, data, and information (the ‘resources’) that support the delivery of important business services”. They said that where third parties have such access, it “may have the potential to increase the systemic risk of any disruption or failure and hence the likelihood of designation”.

Yvonne Dunn said: “One of the concerns arising from the regulators’ prior consultation through the earlier discussion paper on a new CTP regime was that the CTP designation would be used by suppliers as a sales tool. The regulators have addressed this in the consultation paper by requiring that CTPs refrain from indicating or implying that they have the endorsement of regulators by virtue of their designation as a CTP. The regulators have also made clear that financial services firms and FMIs must continue to conduct due diligence.”