UK lays out six-month process to choose critical third parties

Businesses that support the UK financial services sector may be designated as a “critical third party” under incoming rules. The government has now shared a paper explaining how it will go about choosing who will fall within this regime. The end-to-end process will take around six months.

• The process will likely begin with a recommendation from one of the financial regulators. This should align with criteria which is set by law.
• If HM Treasury thinks that there is merit in the recommendation, it will write to the potential critical third party. This kicks off a three-month period for representations. During this time the prospective critical third party can have discussions with HM Treasury and make written representations.
• Within three months after the period for formal representations ends, HM Treasury will make a final designation decision. At this point HM Treasury will tell the critical third party which of its services are material. This is important because more detailed rules apply to the “material” services provided by critical third parties.
• The official designation will be made via regulations. There may only be a short period between HM Treasury notifying the critical third party of its decision and the making of these regulations.
• HM Treasury expects that critical third parties will represent only a small number of the overall number of third parties to the financial services sector. The list of critical third parties will also change over time. The regulators will regularly assess this list and can recommend removing a critical third party’s designation.

In comparison to the corresponding regime under DORA, the UK approach looks more flexible than the EU’s. The timeframes are indicative rather than fixed deadlines. More time is allowed for potential critical third parties to make representations and for HM Treasury to consider its approach. The UK paper also implies more opportunity to open a dialogue about designation.

A potential headache for third parties under both regimes is the amount of time that they will have to prepare to comply. Tech firms, including cloud providers, and other service providers should carefully consider the criticality criteria under both regimes and start anticipating what designation would mean for them.

Further resources

• The UK regulators have recently closed their consultation on draft rules for critical third parties. Read our briefing: UK financial regulators draft rules for critical service providers
• The FCA is also consulting on its approach to supervising critical third parties. Read our note: FCA outlines its approach to enforcing critical third party regime