HMT has confirmed that it will legislate to allow UK financial regulators to directly oversee (previously unregulated) ‘critical’ third parties (‘CTPs’) who provide services to the financial industry.
Financial services companies have become increasingly dependent on the cloud and other third-party providers in recent years, coming to rely on a small number of service providers for hardware services. There are fears that the failure or disruption of one of these critical service providers could have a systemic impact on the entire financial sector and threaten the stability of the UK financial system. This, combined with the recent increased risk of cyber incidents due to geopolitical issues, has led HMT to issue a policy statement outlining its proposed new regime for CTPs.
The risk posed by CTPs to financial stability and regulators’ objectives has been on the regulatory agenda for some time, and some form of direct regulatory reliance on CTPs was expected. However, the proposals contained in HMT’s policy statement would not only directly expand the regulatory scope, which in itself is controversial, but are broader in scope than many would have anticipated.
What are the new proposals?
HMT (after consultation with the Bank of England, the PRA and the FCA) may decide that a third party providing services to regulated companies is “critical”. This may be in response to a recommendation from one of the regulators or representations from financial services firms. In making its decision, HMT will take into account criteria such as the number and type of services provided and the materiality of these services.
UK regulators will be able to exercise a wide range of powers over those deemed “critical”, including:
When will this new regime come into effect?
When that will happen is not yet clear, but it won’t be soon given the various steps needed to put the new regime into action: primary and secondary legislation “when parliamentary time permits”, working papers, BoE/PRA and FCA Consultation Papers and Policy Statements.
We know that regulators plan to release a joint discussion paper later this year and so we can likely expect the consultation paper to be released in the first half of 2023, with the regime becoming operational at some point in 2024. Once the FCA and PRA rules are finalized, HMT will begin designating the first CTPs under the new regime.
Regulators have for some time expressed concerns about the resilience of CTPs and concentration risk, something they see as unfinished business when it comes to developing the UK’s operational resilience regime. The subject is therefore not new, and the EU has already taken steps to address this issue with its new Digital Operational Resilience Framework (DORA), on which the Council and the EU Parliament reached a provisional agreement last month. The industry, too, has recognized the potential risks and has largely come out in favor of some form of direct oversight of certain key services.
There were, however, various options open to HMT and regulators as to what form any monitoring of CTPs would take. The proposals put forward in HMT’s policy statement represent a significant and surprisingly forceful intervention. The new regime introduces a very wide range of powers for regulators over unregulated entities, and constitutes a significant shift in the regulatory scope in terms of outsourcing.
We don’t yet know the details of the new regime, including what the designation criteria will be or how the oversight structure or enforcement mechanisms will work in practice. In the meantime, providers of unregulated services to financial entities may wish to begin to determine whether they could be caught, for example by referring to the designation criteria in DORA, which we can see reflected to a greater or lesser extent in the British system. It would be prudent for service providers to engage with the proposals as much as possible, and as soon as possible, to ensure that their comments are taken into account when new rules are developed. DORA’s first draft drew widespread criticism for appearing to present unworkable proposals. Based on experience, the new regime proposed by HMT in this policy statement will benefit greatly from rigorous industry review and debate to ensure a reasonable outcome.