Earlier this year, the Prudential Regulation Authority, the Financial Conduct Authority and the Bank of England published a joint discussion paper on the operational resilience of critical third parties.
This joint action is an unusual move, but signals a potentially significant shift in gears for the regulatory environment for the UK financial services industry.
In July 2018, regulators began implementing operational resilience in financial markets, publishing a working paper setting out their approach to “Building Operational Resilience in the UK Financial Sector”.
Less than two years later, and before the end of the consultation period, the perfect stress test scenario had been realized: the Covid-19 pandemic. On March 31, 2021, the final rules came into effect, but Covid-19 had heightened regulators’ attention to operational resilience and system vulnerabilities, including providing additional guidance on outsourcing and third-party providers (TPPs).
Strengthen the anti
The working paper published this summer, “Operational resilience: critical third parties for the UK financial sector”, suggests that regulators are stepping up their efforts on operational resilience. They acknowledged that a large number of financial services firms rely heavily on a relatively small number of TPPs that fall outside their regulatory mandate, such as cloud computing or IT service providers.
Many businesses rely on these TPPs for an essential part of their operations, so a failure of any one of these organizations could have a systemic effect. Regulators are therefore seeking to deploy a “pincer movement” by encouraging hosts to scrutinize these providers, while now being empowered to scrutinize “critical” third parties (CTPs) themselves.
What could the new rules look like?
The first step is to decide which organizations qualify as CTPs. This power will be given to Her Majesty’s Treasury (HMT), according to the Financial Services and Markets Bill, which is currently in committee in parliament. HMT will then hand over authority to regulators to set the rules they will hold CTPs accountable to and the enforcement actions they must take.
There may also be additional requests from regulated host companies, for example to provide additional due diligence, monitoring or exit plans. This way, regulators can ensure there are lots of eyes on the same CTPs, helping to maintain standards.
Much remains to be decided and defined, including which organizations will be classified as CTPs and what steps regulators will have to take to sanction them.
The working document currently proposes three categories of factors to determine a CTP:
1) Materiality (e.g. to the UK economy or financial system)
2) Concentration (e.g. number of companies dependent on the TPP)
3) Potential impact (e.g. substitutability, etc.)
One thing is clear: regulators are all moving in the same direction, towards operational resilience becoming a kind of “financial services community” and the responsibility of everyone in the system.
What can businesses do now to prepare?
The discussion paper is currently open until December 23, but businesses can still take steps to prepare for any new rules.
Where companies rely on TPPs that are key unregulated industry players, they should start exercising due diligence and monitoring now to mitigate the risk of these TPPs becoming CTPs and being unable to withstand regulatory review.
In addition, a CTP could be sanctioned for failures in another service or sector not provided by the host company but which nevertheless has a domino effect on its activity. It is therefore worth companies thinking about who else is using this provider and how. Thinking about exit and contingency plans (e.g. alternative providers and time needed to transition) for future CTPs would be prudent.
Ben Arram is a management consultant at Bovill