Critical Third Parties serving the UK financial sector must ready themselves for compliance with the newly proposed operational resilience requirements.
On 7 December 2023, the PRA, FCA, and BoE jointly published a Consultation Paper (PRA CP26/23 and FCA CP23/30) which proposes a set of regulatory requirements and expectations for critical third parties (CTPs) that provide services to authorised persons, relevant service providers, and financial market infrastructure entities (FMIs). The key aim of the proposals is to manage potential risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the services that a CTP provides to such entities.
The consultation is a direct response to the earlier Discussion Paper DP3/22, which explored the systemic risks that CTPs pose to the UK financial sector, and notes that the feedback from the Discussion Paper highlighted the sector’s increasing dependency on third-party services. The consultation was completed in the context of the new powers granted to the regulators by the Financial Services and Markets Act 2023, which, among other things, empower the regulators to establish minimum resilience standards for CTPs via rule-setting, pertaining to the services they offer.
The regulators’ focus on CTP regulation is informed by the understanding, as previously underscored by the FPC, the regulators, and the FSB, that individual firms may find it challenging to effectively manage the risks associated with relying on a single third party, or a limited number of third parties, for the provision of critical services to multiple firms.
We have outlined the current proposals below, which are set to be implemented through three identical but separate rule instruments issued by each of the regulators. The three rule instruments are intended to be identical in effect and substance and should be interpreted accordingly. The proposals are particularly focused on enhancing the governance models of CTPs, requiring them to demonstrate robust internal controls and clear accountability mechanisms.
Identification of a CTP
The designation of a CTP is the responsibility of HM Treasury, which will make its decision based on the regulators’ recommendations. HM Treasury has not yet designated any third parties as CTPs. These recommendations will be informed by an analysis of data and information gathered from various sources, including regulatory returns, supervisory engagement, and direct engagement with the third parties themselves. The regulators have emphasised the need for a data-driven approach. They propose to identify potential CTPs for designation by HM Treasury by assessing third parties against the following three criteria: (i) materiality of the services the third party provides to firms and FMIs; (ii) concentration of the services which the third party provides to firms and FMIs; and (iii) other drivers of potential systemic impact. However, the regulators are unlikely to recommend a third party whose services are already subject to a level of regulation and oversight that delivers at least equivalent outcomes to the proposed CTP regime. Further, the regulators would usually discuss potential designations privately with the CTP in advance of an announcement.
Once a third party is designated as a CTP, it would be subject to the new regulatory framework proposed in the consultation. This framework includes the Fundamental Rules and Operational Risk and Resilience Requirements (as described below).
The consultation also discusses the ongoing nature of the designation process, noting that the regulators will periodically review the list of designated CTPs to ensure that it remains up to date with the evolving landscape of the financial sector. This includes the possibility of removing the designation from third parties that no longer meet the criteria or adding new designations as the market changes and new systemic risks emerge.
Regulatory Framework Proposals
The regulators propose a dual framework for CTPs comprising Fundamental Rules and Operational Risk and Resilience Requirements. The proposals also include some additional obligations outside of the dual framework (discussed below), but there are no conduct of business type rules proposed for CTPs.
The Fundamental Rules
The Fundamental Rules are six broad principles that apply to all services that CTPs provide to firms and FMIs, irrespective of the service location. They are similar to, but generally less extensive than, the PRA’s Fundamental Rules and the FCA’s Principles for Businesses. The current proposal for the CTP Fundamental Rules includes:
- CTP Fundamental Rule 1 (Integrity): CTPs must conduct their business with integrity.
- CTP Fundamental Rule 2 (Skill, Care, and Diligence): CTPs are required to conduct their business with due skill, care, and diligence.
- CTP Fundamental Rule 3 (Prudence): CTPs must act in a prudent manner.
- CTP Fundamental Rule 4 (Risk Management): CTPs are expected to have effective risk strategies and risk management systems in place.
- CTP Fundamental Rule 5 (Organisation and Control): CTPs must organise and control their affairs responsibly and effectively.
- CTP Fundamental Rule 6 (Openness and Cooperation): CTPs must deal with the regulators in an open and cooperative way, disclosing any relevant information that the regulators would reasonably expect to be notified of.
The Operational Risk and Resilience Requirements
The proposed Operational Risk and Resilience Requirements consist of eight detailed outcomes-focused mandates. These mandates, which would only apply to a CTP’s material services, aim to ensure that CTPs can prevent, adapt to, respond to, recover from, and learn from disruptions to their services. The consultation indicates that compliance with these requirements will be a key aspect of the regulatory oversight of CTPs. The current proposal for the CTP Operational Risk and Resilience Requirements includes:
- Requirement 1 (Governance): CTPs must establish clear governance structures with defined roles and responsibilities, ensuring effective oversight of material services and a central point of contact for regulatory engagement.
- Requirement 2 (Risk Management): CTPs are required to implement comprehensive risk management processes that identify, monitor, and manage both internal and external risks that could impact the delivery of material services.
- Requirement 3 (Dependency and Supply Chain Risk Management): CTPs must manage risks associated with their supply chain and key third-party dependencies to ensure the continuous delivery of material services.
- Requirement 4 (Technology and Cyber Resilience): CTPs should have robust measures in place to protect against technology and cyber-related threats, ensuring the resilience of the technology that supports material services.
- Requirement 5 (Change Management): CTPs are expected to manage changes to material services systematically, minimising the risk of disruption and ensuring that changes are tested, verified, and approved before implementation.
- Requirement 6 (Mapping): CTPs must map the resources, including assets and technology, that are necessary to deliver, support, and maintain each material service, identifying key internal and external interconnections and interdependencies.
- Requirement 7 (Incident Management): CTPs should have appropriate measures to respond to and recover from incidents that could disrupt material services, including setting a maximum tolerable level of disruption and maintaining a financial sector incident management playbook.
- Requirement 8 (Termination of Services): CTPs must have plans in place for the orderly and timely termination of material services, including arrangements for transferring services to another provider or back to the firm or FMI, if necessary.
The regulators are also proposing additional requirements beyond the Fundamental Rules and Operational Risk and Resilience Requirements. These requirements are designed to cover a range of activities from internal assessments and external communications to specific actions in response to incidents or changes in the CTP’s status. For example, echoing responses to the Discussion Paper, the consultation introduces new obligations for incident notification, ensuring CTPs communicate disruptions promptly, as stakeholders emphasised the need for timely information during crises.
Additional obligations include:
- Information-Gathering, Testing, and Incident Notification. The consultation proposes a series of information-gathering and testing requirements designed to validate CTPs’ compliance with the proposed rules. CTPs are expected to submit annual self-assessments, conduct scenario testing, and test their incident management playbooks. The regulators would also have the power to require skilled person reviews. Additionally, the proposals would mandate CTPs to notify the regulators and their firm and FMI customers of certain incidents, following a structured process that includes initial, intermediate, and final notifications. The format of the notification is not currently prescribed, but this may change in the future.
- Marketing Restrictions and Legal Person Nomination. To prevent the misuse of the CTP designation for marketing purposes, the consultation includes provisions that would restrict CTPs from implying regulatory endorsement or suggesting superiority of services due to their designated status. Furthermore, CTPs with head offices outside the UK are required to nominate a legal person in the UK authorised to receive documents and notices from the regulators, ensuring effective communication and compliance.
- Record Keeping and Emergency Relief. The proposed rules outline the obligation for CTPs to maintain orderly records of their business and internal organisation, facilitating the regulators’ oversight functions. They also provide for emergency relief in circumstances in which compliance with the rules is impossible, acknowledging the need for flexibility in exceptional situations.
The regulators have been clear that the new framework will not absolve firms of their responsibility to complete their own checks on third parties. They stress that the proposals “will complement but not blur, eliminate, or reduce the accountability and responsibility of firms, FMIs, their boards, and senior management…from continuing to fulfil their existing regulatory obligations on operational resilience and third-party risk management”. Firms that rely on services provided by CTPs should evaluate their current dependencies on CTPs and assess how changes in CTP operations could affect their own compliance and business continuity. Firms should engage with their CTPs to understand how they plan to meet the new Fundamental Rules and Operational Risk and Resilience Requirements, and what this means for the services they receive. Additionally, firms should review their own incident management and risk assessment procedures to ensure they align with the enhanced communication and reporting protocols that CTPs will be adopting.
With respect to CTPs, the proposed framework is expected to significantly impact CTPs that provide services to the UK financial sector. CTPs would be required to undertake a comprehensive review of their current operational resilience practices and align them with the new Fundamental Rules and Operational Risk and Resilience Requirements. This alignment may necessitate substantial changes to their governance structures, risk management processes, and incident response strategies. CTPs would likely need to invest in enhanced technology and cybersecurity measures, develop robust supply chain oversight, and implement systematic change management procedures to comply with the new regulations.
Furthermore, the requirement for annual self-assessments and regular scenario testing would introduce an ongoing compliance obligation requiring CTPs to dedicate resources to continuous monitoring and improvement of their resilience capabilities. The incident notification process would demand swift and transparent communication with both regulators and clients in the event of service disruptions, which would require CTPs to establish or refine their incident management protocols. The additional obligations, such as record-keeping, legal person nomination for non-UK CTPs, and restrictions on marketing practices, would also require CTPs to review and potentially revise their internal policies and external communication strategies.
Whilst the regulators acknowledge the potential for increased operational costs for CTPs as a result of these new requirements, the regulators’ view is that these changes will, in the long term, benefit the financial sector through enhanced trust and reduced systemic risk.
The consultation is open until 15 March 2024. The BoE and PRA have indicated their intention to consult on a joint Statement of Policy regarding the use of disciplinary powers over CTPs, aligning with an ongoing wider review of enforcement. The FCA plans to release a corresponding Statement of Policy to maintain a consistent approach across the three regulators.
In addition, the regulators will publish a document detailing their oversight roles in relation to CTPs. This document will provide clarity on the practical aspects of regulatory oversight and reinforce the regulators’ commitment to transparency and accountability to the public and Parliament.
This post was prepared with the assistance of Mark Shakkour in the London office of Latham & Watkins.