Critical third parties update – new UK regime

Briefing
29 November 2024

The FCA, the Bank of England and the PRA have jointly published a policy statement (PS 16/24) and other documents[1] setting out details of the final rules on the critical third parties (“CTP”) regime which will take effect from 1 January 2025. This will allow the financial regulators directly to oversee the services that CTPs provide to the industry. We summarise the CTP regime below.

Regime

The Bank of England had been monitoring the risk posed by CTPs for some time, due to concerns that, for example, high widespread reliance on particular cloud service providers could lead to disruption to vital services in the event of a cyber attack. 

The overall objective of the new oversight regime for CTPs is to manage risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the services (either individually or, where more than one service is provided, taken together) that a CTP provides.

HM Treasury may designate a third party that provides services to firms (either dual or solo regulated or a UK authorised branch of a non-UK firm) as a CTP. HMT may only designate an entity[2] if, in its opinion, a failure in or disruption to the provision of the services that the third party provides to firms (either individually or, where more than one service is provided, taken together) could threaten the stability of, or confidence in, the UK financial system. This is referred to as a “systemic third party service”. HMT must consult each of the regulators before designating a third party as a CTP. In practice, the regulators recommend to HMT which third parties they consider to have met the statutory test for designation.

Rules

Within three months of being designated as such, and on an annual basis, the CTP must provide the regulators with a self-assessment. Within 12 months of being designated, a CTP must identify and document various matters, including resources used to deliver, support and maintain each systemic third party service that it provides; and any internal and external interconnections and interdependencies between the resources identified. This must be kept updated.

A CTP is required to comply with the Fundamental Rules (similar to but less extensive than the PRA Fundamental Rules and FCA Principles for Business) including: conducting its business with integrity and with due skill, care and diligence; having effective risk strategies and risk management systems; dealing with each regulator in an open and cooperative way, and disclosing to each regulator anything relating to the CTP of which it would reasonably expect notice.

In relation to the provision of systemic third party services to firms, a CTP is required to meet certain Operational Risk and Resilience Requirements[3], including that a CTP must: ensure that its governance arrangements promote the resilience of any systemic third party service; effectively manage risks to its ability to deliver the service; identify and manage any risks to its supply chain that could affect its ability to deliver; carry out regular scenario testing; effectively manage operational incidents; and have in place appropriate measures to respond to a termination.

A CTP also has information and testing requirements, including being able to demonstrate to the regulators its ability to comply with their rules.

Finally, a CTP must comply with requests by regulators for information, and have in place secure processes and procedures to provide information to firms to which it provides services to enable them adequately to manage their risks related to the service. It must also notify regulators and these firms of serious incidents.

Conclusion

The CTP duties complement but do not add to the requirements and expectations for firms on operational resilience, outsourcing and third party risk management. Therefore, firms will, for example, have to carry out due diligence on third party service providers, and develop contingency plans in the usual way.

Footnotes

  1. Approach to the oversight of critical third parties; SS7/24 – Reports by skilled persons: Critical third parties (Bank of England); SS6/24 – Critical third parties to the UK financial sector (Bank of England); Memorandum of Understanding between the Bank of England, FCA and PRA (GOV.UK).
  2. S312L FSMA.
  3. In Chapter 4 of the CTP sourcebook of the FCA Handbook and Chapter 4 in the draft CTP Parts of the PRA and Bank Rulebooks.

Main bulletin: Insurance bulletin, November 2024