FCA outlines its approach to enforcing critical third party regime

Tech firms that support financial services should note a new consultation from the Financial Conduct Authority. The FCA, along with the Bank of England and Prudential Regulation Authority, is developing rules for critical third parties to the financial sector. Now the FCA is specifically consulting on a statement of policy for how it will enforce this critical third party regime.

DEPP thought

The FCA plans to build on its usual processes for when compliance issues arise with critical third parties. This includes taking enforcement action against critical third parties where “appropriate and proportionate”.

The FCA is consulting on updates to its guidance on disciplinary procedures, known as DEPP, to reflect its enforcement powers under the incoming CTP regime.

Taking action

The draft changes to DEPP reiterate that the FCA may take enforcement action if a critical third party:

1. ignores a direction,
2. contravenes a rule, or
3. breaches any rules imposing duties on the critical third party in connection with the provision of services to regulated firms. 

When things go wrong, potential sanctions may include:

• stopping the critical third party from providing services to regulated firms,
• stopping regulated firms from receiving services from critical third parties, and
• applying conditions to arrangements between critical third parties and regulated firms.

These enforcement powers are comparable to similar powers granted to European authorities under the EU's DORA regime. The FCA's consultation serves as a reminder that the UK's critical third party regime is meant to have "teeth".

A month to respond

The FCA invites comments on its proposed approach for the use of its enforcement powers against critical third parties by 8 April 2024.

Explore our webpage for more resources on operational resilience.