Financial services firms increasingly depend on third-party companies to deliver important services, ranging from cloud services and data analytics to machine learning and cash delivery. As these third parties become more “essential” to the operations of financial sector companies, UK financial regulators have become concerned about the risk to financial stability and resilience. In July, the Financial Services and Markets Bill (the “Bill”) was submitted to Parliament. The bill establishes a framework for managing systemic risks posed by “critical third parties” (CTPs). At the same time, the FCA and PRA released a joint discussion paper detailing how regulators intend to use statutory powers. The document specifies that the regulatory mandate will be limited to the provision by CTPs of material services to the financial sector. This development reflects the increasing attention of regulators on operational resilience and the risks posed, in particular by cyber-attacks, to the sector in an increasingly interconnected and technological world.
The proposed regulatory framework
By mid-2019, a quarter of the business of major banks and almost a third of all payment business in the UK was hosted in the cloud.1 The Bank of England’s fourth quarter bulletin on the impact of Covid on machine learning and data science concluded that major banks have increased their reliance on outsourcing in the wake of the pandemic.2 There are few signs of this trend slowing down.
Outsourcing of functions and processes comes with a transfer of risk, which is concentrated on a handful of third-party companies. The Treasury Select Committee’s 2019 report on computer failures in the financial sector stated: “If one of the large third-party providers were to go bankrupt, it could potentially affect not only consumer access, but also the stability of the financial system itself.”3
Financial services firms are currently required to ensure that their contractual arrangements with third parties enable them to comply with the operational resilience framework currently in place. This covers areas such as data security, business continuity and exit planning. However, “No single company can manage the risks arising from a concentration in the provision of essential services by a third party to several companies on its own.”4 This practical reality, coupled with possible asymmetries of information and power between certain third parties and companies, has led HM Treasury to define a draft regulatory framework for the management of this risk. Articles of the bill5 will allow the designation of third-party providers as CTPs, the definition of minimum standards of resilience and enforcement measures when these standards are not met.
HM Treasury may designate certain third parties as “critical”, in order to place them under the regulatory umbrella. The working document states: “HMT’s designation of a CTP would recognize the potential systemic impact that a disruption of its services could have on the objectives of supervisory authorities, including financial stability, market integrity or consumer protection.”6 The appointment should be made in consultation with the regulators and with the representations of the proposed CTP. The designation will take into account the importance of the services provided by the third party, the number, type and size of authorized companies to which the third party provides services, as well as the potential impact of the failure or disruption of the services on duty.seven
The proposed bill allows regulators to set rules for CTPs, setting out minimum resilience standards and associated requirements. The current regulatory framework already relies on a set of global standards for CTPs in the form of Annex F of the CPMI-IOSCO Principles for Business. These cover risk identification and management, information security, reliability and resilience, technology planning and communication with users. Schedule F expectations are actively used in the oversight of essential business service providers, both in the UK and globally.
The PRA and FCA have said the minimum resilience standards will be “similar to those in Annex F, but applicable and suitable for CTPs for the financial sector as a whole.”8
It is expected that CTPs will need to demonstrate compliance with the new standards through resiliency testing and exercises, and certifications to regulators. There may also be a scoring system to assess compliance with the minimum standards.9
The working document states:Supervisors consider that a one-size-fits-all approach to CTP stress testing may not be effective, proportionate or resource-efficient.”ten Instead, a range of tests are offered, with the most appropriate being applied to each CTP in turn.
Regulators may require scenario testing to understand a CTP’s ability to continue providing services in the event of a severe failure or disruption. Regulators would be particularly interested in a CTP’s ability to prevent an operational disruption from creating or amplifying systemic risk, whether the disruption originated within or outside the CTP. Scenarios could be based on threat intelligence and past disruptions and near misses. Where possible, testing will include simulations or live system testing, unless this creates an undue risk of disruption to CTP services.11
Also offered are industry exercises involving multiple companies and CTPs, based on industry exercises currently used in the financial industry, such as cyber stress tests and exercises performed by the Cross-Market Business Continuity Group and industry groups. It is also possible to carry out these exercises internationally, in collaboration with foreign regulators.
Obligations and execution
The proposed bill gives regulators significant powers over designated CTPs. CTPs will be required to disclose to regulators any information they could reasonably expect to know, including incidents and threats to stability. Regulators will be able to order CTPs to do or refrain from doing an activity and will have the power to request information and documents from CTPs. If a CTP is found to be in violation of the requirements, the name of that CTP may be published.
Currently, there is no provision for the imposition of financial penalties on CTPs. Explanatory notes to the bill explain that the “ultimate sanction” is to prevent a CTP from
“to provide new or existing services to the financial services industry or to set conditions for the provision of such services.”12
Responses to the discussion paper are expected by December and regulators have said they expect to consult with stakeholders on CTP-specific resilience rules after the bill receives royal assent.13 Although the new regime could come into force no earlier than the end of 2023, CTPs should not delay in preparing to understand the impact of integration into the regulatory field.
David Rundle is a solicitor in the UK White Collar Defense and Investigations group at WilmerHale. David’s practice focuses on defending FCA enforcement investigations against corporations and senior executives.
This article was originally published on September 29, 2022 by Thomson Reuters Regulatory Intelligence.
1. Mark Carney, speech at the Lord Mayor’s Banquet for Bankers and Merchants of the City of London, Mansion House, London, 20 June 2019, https://www.bankofengland.co.uk/-/media/boe/files/speech /2019/enable-empower-assure-a-new-finance-for-the-new-economy-speech-by-mark-carney.pdf?la=en&hash=DC151B5E6286F304F0109ABB19B4D1C31DC39CD5
2. Bank of England, Quarterly Bulletin 2020 – Q4,
The impact of Covid on machine learning and data science in UK banking18 December 2020, https://www.bankofengland.co.uk/quarterly-bulletin/2020/2020-q4/the-impact-of-covid-on-machine-learning-and-data-science-in-uk – banking
3. House of Commons, Treasury Committee, Computer failures in the financial services sector, October 28, 2019, p. 3, https://publications.parliament.uk/pa/cm201919/cmselect/cmtreasy/224/224.pdf
4. Her Majesty’s Treasury, Critical third parties for the financial sector: policy statement, 8 June 2022, para. 1.10, https://www.gov.uk/government/publications/critical-third-parties-to-the-finance-sector-policy-statement/critical-third-parties-to-the-finance-sector-policy- statement
5. See Financial services and market billBill 146, 58/3, https://publications.parliament.uk/pa/bills/cbill/58-03/0146/220146.pdf
6. PRA/FCA Working Paper 3/22 –
Operational resilience: critical third parties for the UK financial sector, 21 July 2022, para. 3.5, https://www.bankofengland.co.uk/prudential-regulation/publication/2022/july/operational-resilience-critical-third-parties-uk-financial-sector
7. See identifier. in para. 4.
8. ID. in para. 5.4.
9. See identifier. in para. 5.6.
ten. ID. in para. 6.2.
11. See identifier. in para. 6.
12. Financial Services and Markets Bill, Explanatory Notes, Bill 146-EN, 58/3, para. 180, https://publications.parliament.uk/pa/bills/cbill/58-03/0146/en/220146en.pdf
13. See PRA/FCA Discussion Paper 3/22, para. 1.4.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.