The new regime will take effect on 1 January 2025, but will not diminish the responsibilities of financial services firms relying on the services of critical third parties.

By Rob Moulton, Fiona Maclean, Alain Traill, and Charlotte Collins

On 12 November 2024, the PRA, FCA, and Bank of England jointly published a Policy Statement (PRA PS16/24 and FCA PS24/16), setting out their final rules for critical third parties (CTPs). The regulators consulted on this framework in December 2023, having been granted new powers to establish minimum resilience standards for CTPs by the Financial Services and Markets Act 2023 (see this Latham blog post for more detail).

The key aim of the new regime is to manage potential risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the systemic service(s) that a CTP provides to financial services firms. To this end, the regulators proposed a set of Fundamental Rules for CTPs, along with Operational Risk and Resilience Requirements. Notably, the regulators will be able to apply the framework to any designated CTP, including those based overseas.

Alongside the Policy Statement and final rules, the regulators published the final version of Supervisory Statement (SS6/24), which underpins the regulators’ approach for applying the CTP rules. To enhance coordination between the regulators, HM Treasury will lay before Parliament a Memorandum of Understanding. The intention is that each regulator will apply the rules to every CTP designated by HM Treasury, regardless of the firms to which the CTP provides services.

General Feedback Observations

The regulators received 62 responses to the consultation, representing a broad spectrum of views held by third-party service providers and firms. They explain that the responses have not resulted in significant changes to the final rules. However, the regulators made a number of amendments addressing issues raised during the consultation. Some respondents wanted to reduce the potential compliance costs as much as possible by relying on CTPs’ existing assurance mechanisms, recognised industry certifications, internal processes, and testing. Other respondents welcomed the increased accountability and information-sharing requirements for CTPs.

Providing Context for CTPs

One recurring theme that emerged in the feedback was that CTPs may not fully understand all the expectations imposed by the new regulatory regime. In particular, CTPs may not be familiar with the style of the regulatory rules or the approach of financial services regulators. To address these concerns, the regulators introduced a new Chapter 3 in SS6/24 that elaborates on key aspects of the rules. For instance, Chapter 3 clarifies the regulators’ approach to systemic risks associated with potential failures or disruptions in CTP services and contextualises the regulatory requirements.

Also, Chapter 3 provides further guidance on the approach the regulators will take in identifying CTPs for potential designation by HM Treasury. However, even with this additional guidance, there is less clarity for CTPs on whether or not they may be caught as compared with the new EU regulation on digital operational resilience for the financial sector (DORA) (see this Latham blog post for more detail).

CTP Fundamental Rules

In light of the feedback received, the regulators amended the scope of the CTP Fundamental Rules. Rules 1-5 will now apply only when a CTP is providing systemic third-party services. The regulators consider this proportionate because of the potential burden on CTPs which may provide hundreds of services to the financial sector. However, Fundamental Rule 6 will still apply to all services that a CTP provides. This requires CTPs to deal with each regulator in an open and cooperative way and obliges CTPs to disclose anything related to the provision of their services that a regulator would reasonably expect to be notified about.

Communication Arrangements

The regulators replaced the proposed requirement to nominate a UK legal person for a CTP without a UK establishment with a simpler requirement for all CTPs to provide an address for service in the UK.

Dependency and Supply Chain Risk Management

The operation of the dependency and supply chain risk management obligations in Requirement 3 of the proposed Operational Risk and Resilience Requirements generated extensive feedback. Notably, four respondents raised concerns about a lack of proportionality and the burden of obligations. The regulators addressed this by adjusting Requirement 3 to enhance proportionality while effectively managing supply chain risks. The general requirement for CTPs to identify and manage these risks remains, but specific obligations are now limited to key nth party providers and persons connected to a CTP. Additionally, the definition of key nth party providers has been expanded by removing the term “service” from the criteria, thereby ensuring that all essential providers for delivering systemic third-party services to firms are included.

Incident Management

The incident management obligations in Requirement 7 of the Operational Risk and Resilience Requirements received the most comments of the whole consultation. The regulators amended certain aspects of SS6/24 to clarify their expectations. For instance, the regulators emphasise that CTPs may use existing incident management policies and procedures that comply with the outcomes outlined in SS6/24, rather than needing to develop a bespoke “financial sector incident management playbook”. Similarly, the regulators have provided further information on how CTPs should approach setting their impact tolerances. This included removing the expectation that an impact tolerance set by a CTP needs “to take into account and be compatible with the impact tolerance that firms have set”.

Interestingly, the regulators decided against aligning the definition of ICT-related incidents with DORA. The rationale is that DORA targets financial service firms which are expected to pass certain responsibilities onto CTPs, whereas the UK regime imposes high-level obligations directly on CTPs. A consequence of this divergence is that CTPs expecting to be caught by both regimes will need to prepare to comply with two different frameworks.

Self-Assessments

The regulators decided to distinguish between the two self-assessments that CTPs are mandated to produce. First, the self-assessment that a CTP must provide to the regulators within three months of designation has been renamed an “interim self-assessment”. Second, a full annual self-assessment must be submitted to the regulators and to the firms to which a CTP provides systemic third-party services. This contrasts with the position under DORA, which sets out a formalised assessment framework in which regulators can hold CTPs accountable to a dedicated plan that is updated annually, rather than relying on self-assessment. A number of respondents were conscious of the potential ramifications for confidentiality and security if CTPs are required to provide their self-assessment directly to firms, but the regulators stress that these issues are mitigated by giving CTPs the ability to redact confidential or sensitive information.

Respondents also requested that the regulators provide further information about the format of the self-assessment. The regulators emphasise that the self-assessment is not meant to be a tick-box exercise, and that it would be inappropriate to provide excessively granular detail on how CTPs should complete it. Instead, the regulators have set out common expectations for interim and annual self-assessments, including additional guidance in SS6/24 under the heading “information for CTPs to include in their self-assessment”.

Implementation

The new CTP regime will enter into force on 1 January 2025. However, the framework will only apply to designated CTPs, and each HM Treasury designation order will state when the regime will start to apply to the relevant CTP. Each designation order will also set out transitional periods for compliance with certain regulatory requirements. HM Treasury has yet to designate any CTPs, but now that the regime has been finalised, the regulators and HM Treasury will likely look to discuss and move forward with any initial designations.

Implications for Regulated Firms

Going forward, designated CTPs will be subject to enhanced regulatory requirements, but the regulators have emphasised that designation does not imply an endorsement by the regulators, or that a CTP’s services are superior to those of non-designated third parties providing similar services. The regulators are also clear that regulated firms should continue to enhance their operational resilience and outsourcing arrangements, as working with a CTP will not diminish this responsibility. In addition, firms should continue to monitor their relationships with third-party service providers and embrace lessons learnt from operational incidents.

This post was prepared with the assistance of Gregory Slevin in the London office of Latham & Watkins.