The Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) (collectively the ‘regulators’) are consulting on proposals to oversee and strengthen the resilience of services provided by critical third parties (CTPs) to UK regulated financial services firms (‘firms’) and financial market infrastructure entities (FMIs).
CTPs supply an array of services to firms and FMIs, providing benefits, including greater operational resilience and innovation. However, if they are disrupted or fail, there are potential risks to UK financial stability. Managing these risks fully is beyond the ability of any individual firm or FMI and requires an appropriate but proportionate level of direct regulatory oversight. These proposals will therefore complement but not blur, eliminate or dilute the responsibilities of individual firms and FMIs relating to operational resilience and third-party risk management.
Sam Woods, Deputy Governor of Prudential Regulation and the CEO of the PRA said:
‘Third party service providers often play a vital role in the delivery of important services by banks and insurers. These arrangements bring benefits, but also potential risks. We are consulting today on proposals to implement new powers given to us by Parliament to manage these risks for those providers who could present risks to financial stability, in an effective and proportionate way.’
Sarah Breeden, Deputy Governor for Financial Stability said:
‘Financial market infrastructure firms are becoming increasingly dependent on third-party technology providers for services that could impact UK financial stability if they were to fail or be disrupted. The proposals in this consultation paper (CP) build on last year’s discussion paper to enable the Bank of England, in coordination with the PRA and the FCA, to manage these systemic risks, while enabling UK FMIs also to benefit from using such providers.’
Nikhil Rathi, Chief Executive of the FCA said:
‘Well managed outsourcing can bring efficiencies, accelerate innovation and boost operational resilience. With a concentration of third parties serving multiple clients in financial services, there is, however, a risk of major impact if they are disrupted or fail. We believe these proposals will improve the resilience of the critical third-party services that financial firms and their customers depend on, support market integrity and enhance UK competitiveness and growth.’
The proposals in this CP follow the discussion paper published in July 2022. They include how the regulators may identify potential CTPs and recommend them for designation to HM Treasury (HMT).
Other proposals in the CP include:
- A set of fundamental rules that would apply to all the services CTPs provide to UK firms and FMIs, and act as a general statement of their obligations under the proposed regime;
- A set of more granular operational risk and resilience requirements, to apply only to CTPs’ material services to firms and FMIs, such as requirements on technology and cyber resilience, as well as on supply chain risk, change and incident management;
- Requirements for CTPs to provide certain information and assurance to the regulators, including submitting an annual self-assessment, and conducting regular testing of their ability to provide material services in severe but plausible disruption (‘scenario testing’);
- Requirements for CTPs to notify the regulators, the firms and FMIs they provide services to, of specific disruptions which may adversely impact the services provided
CTPs will not be authorised or overseen in their entirety by the regulators, but the third-party services they provide will be overseen against these proposals, once finalised.
Feedback to the CP is open until 15 March 2024. Subject to feedback, the regulators propose to publish final requirements and expectations for CTPs in H2 2024.
Notes to editors
- Operational Resilience Critical Third Parties to the UK Financial Sector. 7 December 2023
- The proposals in this CP follow Parliament’s adoption of the Financial Services and Markets Act 2023 , which gave (i) HMT the power to designate certain third party service providers to UK firms and FMIs as CTPs and (ii) the regulators powers to make rules for, and oversee, CTPs designated by HMT. They also reflect feedback to regulators’ 2022 joint discussion paper (DP) 3/22 – Operational resilience: Critical third parties to the UK financial sector.
- The proposals in this CP draw on global standards and toolkits, such as the Final report on enhancing third-party risk management and oversight – a toolkit for financial institutions and financial authorities recently published by the Financial Stability Board (FSB). They are also designed to be interoperable with similar rules for CTPs in other jurisdictions.
- Supervisory Statement SS2/21 Outsourcing and third party risk management. 29 March 2021.
- Financial Stability Report July 2021: Building the resilience of the financial system. 13 July 2021.