The UK regulators have already introduced rules for regulated firms to build their operational resilience. Now they are turning their attention to unregulated service providers which support the financial sector. They worry about the concentration risk posed by many parts of the UK financial system relying on relatively few service providers.
Discussion paper launched
The Bank of England, Prudential Regulation Authority and Financial Conduct Authority have released a joint discussion paper on critical third parties to the financial sector. As expected, the proposed framework has three elements:
- The Treasury will designate third parties as “critical”, depending on the materiality of and concentration in the provision of their services;
- The Bank of England, PRA and FCA will set minimum resilience standards for designated critical third parties (CTPs) in respect of their material services, including a requirement to document a “financial sector continuity playbook”; and
- The regulators will impose requirements on CTPs to test their operational resilience, including the potential for ad hoc “skilled person” reviews to assess specific concerns.
The high-level powers to create a CTP regime are set out under the Financial Services and Markets Bill. The discussion paper explains more about how the regulators envisage using their powers under the Bill.
Scope to focus on services provided to UK financial sector
Previous papers on this topic have highlighted cloud infrastructure service providers as the prime example of a CTP. However, the regulators now emphasise that their approach is “technology-neutral” and that other types of tech firm – such as those providing ICT services or data analytics – may be in scope. It is also possible that non-ICT services could be in scope (the paper offers cash distribution as an example).
In terms of territorial scope, the CTP regime would be limited to the provision of services by CTPs to UK firms and UK financial market infrastructure.
Possible exemption for authorised firms
The regulators say that authorised firms and their affiliates should fall outside the CTP regime. This is because their existing authorisation status should mean that the regulators already have sufficient oversight of, and enforcement powers over, the resilience of the services they provide to other financial institutions.
However, it is still possible for an authorised firm to be designated a CTP if the relevant services are not in fact subject to regulatory supervision. The Financial Services and Markets Bill also makes changes to payments legislation to account for the possibility that e-money and payment institutions may be designated as CTPs.
More detail to come
Feedback on the proposals is invited by 23 December 2022 and the regulators plan to consult on proposed rules for the CTP regime in 2023 after the Financial Services and Markets Bill is enacted. The regulators also plan to consult on operational incident reporting requirements for firms and financial market infrastructure in 2023.
Comparison with Digital Operational Resilience Act (DORA)
The CTP regime is the UK’s equivalent of the oversight framework for critical ICT third party service providers in the EU’s Digital Operational Resilience Act. It is possible that DORA and the UK regime could start to apply around the same time (late 2024 / early 2025), which means that firms in the scope of both regimes could aim for a common approach to implementation.
DORA includes a similar process for designating third parties as “critical” and giving supervisory authorities additional powers to oversee CTPs, for example to request information and conduct inspections. DORA goes further than the UK in one important respect: it proposes requiring CTPs to set up a subsidiary within an EU Member State to facilitate supervision and enforcement.