
Shaping resilience: the UK’s new blueprint for critical third parties to the financial sector

Newly finalised rules on the regulation of critical third parties (CTPs) will soon add a new dimension to the UK’s operational resilience regime for financial services. Where their failure poses a systemic risk to the UK financial system, technology providers will be subject to oversight by financial services regulators and required to meet principles-based regulation.

Recap: What are the rules?

The FCA, PRA and Bank of England have finalised their rules for CTPs in PS16/24. CTPs will need to comply with a regulatory framework which includes:

  • fundamental rules that broadly mirror the PRA/FCA equivalents; and
  • operational risk and resilience requirements which cover governance, risk, incident and change management, and the termination of services.

CTPs will also need to self-assess their compliance on a regular basis and report any incidents to both the regulator and any affected firms that they service.

Scope

A party is considered for CTP status if a failure or disruption in its services could pose a systemic risk to the UK financial system. We covered the CTP designation process in more detail in our previous blog post, when HM Treasury set out its proposed approach to designation in March 2024.

Headline changes between draft rules and final rules

The regulators have maintained their overall policy approach from the draft rules they published last year (covered in our previous blog post). The most pertinent changes include recognising the shared responsibility model between CTPs and their client firms, and limiting certain fundamental rules to "systemic third party services".

Adjustments have also been made to incident management requirements, allowing flexibility in using existing documented procedures instead of bespoke regulatory playbooks. Incident reporting requirements have also been streamlined to ensure clarity and efficiency in addressing disruptions. Furthermore, the obligation to appoint a UK legal person has been simplified, with CTPs merely required to provide an address for service in the UK.

Enforcement

The regulatory framework will be backed by an enforcement regime that will enable the Bank of England/PRA/FCA to use their discretion in how they take action, including scenarios where a CTP breaches the new regulatory framework or ignores a direction from regulators.

The consequences of enforcement can be significant, including requiring a CTP to stop providing services to regulated firms, or imposing conditions on any such arrangements between the CTP and a regulated firm.

However, the regulators have no power to impose financial penalties on CTPs.

Timeline

With the regime set to take effect from January 2025, service providers to the UK financial sector should carefully consider its scope and the criteria for designation as a CTP. Although major cloud services providers and software providers are expected to be first in line for consideration, the regulators have been careful to emphasise their technology-neutral approach.

Financial services firms that rely on prospective CTPs should also consider whether the regime, including the shared responsibility model, may impact the contractual arrangements they have in place with those providers.

Credit: Malik Barenco Abbas

