Financial services firms are familiar with the UK financial services regulators' Principles-based regulation. And with the most optimal way to manage their supervisory relationships to mitigate interventions and enforcement risk.
Tech companies not so much. But that's about to change.
Following last year's discussion paper, The BoE, PRA and FCA have nailed their colours to the mast with a joint consultation on proposed rules for Critical Third Parties (CTPs) - firms that provide critical services to UK financial services firms and Financial Market Infrastructure firms (FMIs). It estimates 20 firms will be designated as CTPs and that initial and ongoing compliance costs will be substantial (albeit justified).
Responses are requested by 15 March 2024 and we can't imagine the regulators will delay too much longer than that before making final rules.
So it's time for potential CTPs to get ready. If your firm may be designated, now's the time to consider reaching out to external UK financial regulatory advisers (we're happy to hear from you!) who can give you the benefit of their insights and help you to get on the front foot, not just in relation to these potential new UK rules but also working out how you can interoperate them with other similar regimes such as the EU's DORA and the US's Bank Service Company Act (with which the proposals try to dovetail).
Here are some of the highlights. (For our clients: click here for our detailed insights.)
Who could be affected?
The new rules would apply to a firm only if HMT designates it a CTP. It will assess firms against the criteria of materiality and concentration of the services provided to financial services firms (including several services in aggregate, and including across the sector as a whole), and other drivers of potential systemic impact. Concentration risk will be considered, as will whether a provider's services can be readily substituted.
Obvious targets, then: major cloud storage and computing providers and major software providers.
But a firm is less likely to be designated as a CTP if it's already subject to sufficient oversight by the BoE/PRA/FCA, or if it's already subject to equivalent oversight under another regulatory regime. So: public telcos and energy suppliers are less likely to be designated.
What's coming?
- Principles-based regulation. CTPs would be subject to six CTP Fundamental Rules covering much the same ground as the most relevant existing FCA Principles for Business and PRA Fundamental Rules. These include integrity, skill/care/diligence, prudence, risk management, organisation/control, and co-operation with regulators.
- Eight Operational Risk and Resilience Requirements. These will cover governance, risk management (including dependencies and supply chains), tech and cyber-resilience, change management, mapping, incident management and termination of services.
- Information gathering and testing. CTPs would need to self-assess their compliance within three months of designation and every year thereafter. They would need to carry out regular scenario testing. Regulators could also make ad hoc information requests and require appointment of Skilled Persons (at the CTP's cost).
- Notifications. CTPs would be required to notify the regulators and their relevant firm and FMI customers of certain incidents, with a phased approach to notifications to keep all stakeholders updated as the incident develops.
- UK point of contact. While CTPs would not need to establish themselves in the UK, they would need to nominate a UK legal person with authority to liaise with the UK regulators.
- Record-keeping. CTPs would need to keep records sufficient to enable the UK regulators to supervise them.
- It's not a kite-mark. CTPs must not imply that their designation as such means that they have the approval or endorsement of the UK regulators.
This regime has teeth
CTPs will need to proactively mitigate the risk of assertive, rapid and preventative supervisory interventions, as well as the longer-tail risk of enforcement action – drawing on the experience of the financial services sector here. There are three particularly sweeping powers which apply to the CTP’s entire business (not just with financial services firms):
- To advance its objectives, a regulator would be able to direct a CTP to do (or refrain from doing) anything with immediate effect.
- For breach of the rules, a regulator could:
- Place conditions or limitations on the provision of any services by the CTP.
- Publicly censure the CTP.
- A regulator could also – for breach of the rules – restrict a CTP’s business with financial services firms and restrict financial services firms doing business with it.
What's next?
Responses to this consultation are requested by 15 March 2024. And once the rules are made, expect HMT to designate some CTPs in reasonably short order.
The BoE, PRA and FCA will in due course consult on statements of policy in relation to their use of disciplinary powers over CTPs. And the regulators also intend to publish a document setting out their approach to overseeing CTPs. Watch this space!