Critical Third Parties to the financial services sector: the dawn of a new era

United Kingdom, Scotland

Background

HMT has confirmed that it will legislate to permit UK financial regulators to directly oversee and supervise (previously unregulated) “critical” third parties (“CTPs”) that provide services to the finance sector.

Financial services firms have become increasingly reliant upon cloud and other third-party providers in recent years, and now depend on a small number of service providers for material services. There is concern that the failure or disruption of one of these critical service providers could have a systemic impact across the financial sector and threaten the stability of the UK financial system. This, together with the recent increased risk of cyber incidents due to geopolitical issues, has led HMT to publish a policy statement setting out its proposed new regime for CTPs.

The risk posed by CTPs to financial stability and the regulators’ objectives has been on the regulatory agenda for some time, and some form of direct regulatory recourse to CTPs was expected. However, the proposals in HMT’s policy statement would not only directly expand the regulatory perimeter, which in itself is controversial, but are more far-reaching than many will have expected.

What are the new proposals?

HMT (after consultation with the Bank of England, PRA and FCA) will be able to decide that a third party providing services to regulated firms is ‘critical’. This might be in response to a recommendation by one of the regulators or representations from financial services firms. In making its decision, HMT will take into account criteria such as the number and type of services provided and the materiality of those services.

The UK regulators will be able to exercise an extensive range of powers over those deemed to be ‘critical’, including:

  • Setting minimum resilience standards that CTPs must meet in respect of any material services that they provide to the UK finance sector
  • Requiring CTPs to take part in a range of resilience testing to assess whether these resilience standards are being complied with
  • Requesting information directly from CTPs on the resilience of their material services or their compliance with requirements
  • Commissioning an independent ‘skilled person’ to report on certain aspects of a CTP’s services
  • Appointing an investigator to look into potential breaches of requirements
  • Interviewing a representative of a CTP and requiring the production of documents
  • Entering a CTP’s premises under warrant as part of an investigation
  • Directing that CTPs take or refrain from taking specific actions
  • Taking enforcement action, including publicising failings, and (as a last resort) prohibiting a critical third party from providing future services, or continuing to provide services to firms.

When will this new regime come into effect?

When this will happen is not yet clear, but it won’t be soon given the various steps needed to bring the new regime into action: primary and secondary legislation “when parliamentary time allows”, BoE/PRA and FCA Discussion Papers, Consultation Papers and Policy Statements.

We know that the regulators plan to publish a joint Discussion Paper sometime this year and so we can probably expect the Consultation Paper in the first half of 2023 with the regime going live at some point in 2024. Once the FCA and PRA rules are finalised, HMT will begin designating the first CTPs under the new regime.

Analysis

The regulators have been voicing concerns about the resilience of CTPs and concentration risk for some time; they regard it as unfinished business as far as developing the UK’s operational resilience regime is concerned. The subject is therefore not new, and the EU has already taken steps to address this issue with its new digital operational resilience framework (DORA), on which the EU Council and Parliament reached provisional agreement last month. Industry, too, has recognised the potential risks and has been broadly supportive of some form of direct oversight of certain key services.

There were, however, various options open to HMT and the regulators as to what form any oversight of CTPs would take. The proposals put forward in HMT’s Policy Statement represent a significant and unexpectedly forceful intervention. The new regime introduces a very extensive range of powers for the regulators over unregulated entities, and constitutes a material shift of the regulatory perimeter in respect of outsourcing.

We don’t yet know the detail of the new regime, including what the designation criteria will be or how the oversight structure or enforcement mechanisms will operate in practice. In the meantime, providers of unregulated services to financial entities may wish to get a head start on considering whether they may be caught, for example by referring to the designation criteria in DORA, which we may see reflected to a greater or lesser extent in the UK regime. It would be prudent for service providers to engage with the proposals as much, and as soon, as possible to ensure that their feedback is taken into account as the new rules are being formed. The first draft of DORA attracted widespread criticism for appearing to put forward unworkable proposals. Based on that experience, the new regime proposed by HMT in this policy statement will greatly benefit from rigorous industry scrutiny and debate to ensure a sensible outcome.