Out-Law News

UK financial regulators set out plans for ‘critical third parties’ regime

Technology providers and other suppliers that provide material services to financial services firms could be brought into scope of UK financial services regulation, under plans outlined by regulators.

In a new consultation paper published on Thursday, the Bank of England, Prudential Regulation Authority, and Financial Conduct Authority (FCA) outlined proposals for the regulation of ‘critical third parties’ (CTPs) in UK financial services. The paper builds on a policy paper issued by the UK Treasury last year.

The regulators intend to develop virtually identical rulebooks for CTPs to “manage potential risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the services that a CTP provides” to UK-authorised financial services firms and/or financial market infrastructure entities (FMIs).

Under their plans, all CTPs would be subject to six high-level “fundamental rules”, while a series of more detailed requirements on operational risk and resilience would apply to the “material services” CTPs provide.


The fundamental rules proposed include requirements to conduct business with integrity, and with due skill, care and diligence, and to act in a prudent manner. CTPs would also be required to have effective risk strategies and risk management systems, and to organise and control their affairs responsibly and effectively. Under the sixth proposed fundamental rule, CTPs would be obliged to deal with the regulators openly and in a cooperative way, and to make appropriate disclosures to the regulators of anything relating to the CTP of which the regulators would reasonably expect notice.

The operational risk and resilience requirements proposed include requirements around governance, risk management, and managing supply chain risk – the regulators in this respect expect CTPs to, among other things, “perform appropriate due diligence before entering into sub-contracting arrangements that are key to its delivery of material services and monitor these arrangements on an ongoing, or regular (at least annual) basis thereafter”.

Proposed requirements around technology and cyber resilience, change management, mapping, incident management, and termination are also included within the umbrella of the operational risk and resilience requirements planned.


Yvonne Dunn, a partner at Pinsent Masons who specialises in financial services technology contracts, said: “Many of these requirements are currently included in services contracts as obligations on suppliers to reflect the regulatory obligations to which financial services firms are subject. With the new fundamental rules and the operational risk and resilience requirements proposed, CTPs must address direct requirements from the regulators rather than be indirectly affected by the regulatory regime via their contracts with financial services firms.”

As well as proposing what the new rules applicable to CTPs should address, the regulators also provided an insight into the more fundamental question of which specific businesses will be brought within scope of the new regime.

Under the Financial Services and Markets Act (FSMA) 2023, it is the UK Treasury, not the regulators, that has the power to designate third party service providers as CTPs. The Treasury can make such a designation if a failure in, or disruption to, the provider’s services would pose a risk to the stability of, or confidence in, the UK financial system. In deciding whether to designate, the Treasury is obliged to have regard to the materiality of the services the provider supplies to firms and FMIs for the delivery of essential activities, services or operations, as well as to the number and type of firms and FMIs to which the provider supplies services.

However, while the designation powers rest with the Treasury, it is obliged under the FSMA 2023 to consult with the regulators before exercising those powers and in practice it is anticipated that the regulators will proactively recommend to Treasury that it exercises its power to designate a third party as a CTP. In their consultation paper, the regulators explained how they will form an initial assessment, and make recommendations to Treasury, on whether individual third parties should be designated.

The regulators said their views in this regard will be informed by information gathered from a range of sources – predominantly, in time, information they intend to collect under a new outsourcing and third-party (OATP) data collection policy. The regulators intend to consult on that policy next year.

When looking at all the information, the regulators said they would assess the materiality of the services provided, the concentration of those services, and other drivers of potential systemic impact.

Those other drivers, they said, could include “the lack of viable alternative providers for one or more services”, or the difficulties and risks that could arise in switching, as well as the extent to which the third party “has direct access to firms’ and FMIs’ people, processes, technology, facilities, data, and information (the ‘resources’) that support the delivery of important business services”. They said that where third parties have such access, it “may have the potential to increase the systemic risk of any disruption or failure and hence the likelihood of designation”.

Yvonne Dunn said: “One of the concerns arising from the regulators’ prior consultation through the earlier discussion paper on a new CTP regime was that the CTP designation would be used by suppliers as a sales tool. The regulators have addressed this in the consultation paper by requiring that CTPs refrain from indicating or implying that they have the endorsement of regulators by virtue of their designation as a CTP. The regulators have also made clear that financial services firms and FMIs must continue to conduct due diligence.”

According to the regulators, third party service providers designated as CTPs can expect to incur both one-off and annual compliance costs – they estimate the initial one-off costs will amount to between £660,000 and £930,000, and that the annual ongoing compliance cost per CTP will be £500,000.

The regulators said their proposals “build on and complement” the existing operational resilience requirements that financial services firms and FMIs face, and added that they “do not blur, eliminate or reduce the accountability and responsibility” those organisations, their boards and their senior managers bear under the operational resilience requirements or other rules on outsourcing and third party risk management.

Luke Scanlon, head of fintech propositions at Pinsent Masons, who specialises in financial services technology contracts, said: “Technology providers likely to be in-scope of these rules will welcome the intention to align it to developments taking place in other jurisdictions including the EU's Digital Operational Resilience Act and the Bank Service Company Act in the US. Substantial work, however, will be required to ensure that consistent processes across these different regimes are put in place as they evolve over time.”

“In particular, attention will need to be given to addressing new supply chain risk requirements and those relating to change management, as both have been significant concerns highlighted by the regulators in the context of regulated entities for a number of years. Potential CTPs will also likely want more clarification around the extent to which they are required to disclose commercially sensitive information relating to vulnerabilities, test results and the extent of their reliance on specific subcontractors or suppliers, as the regulators have proposed that CTPs themselves develop their own ‘appropriate method’ for sharing the information with their financial services customers – including controls for adequately protecting confidential or sensitive information,” he said.
