New UK consultation paper relating to critical third parties to the UK
An update on operational resilience regulations for third parties in the UK's financial sector, following the Financial Services and Markets Act 2023.
The Financial Services and Markets Act 2023 established a new regime for the UK financial regulators (the Bank of England, the Prudential Regulatory Authority and the Financial Conduct Authority - “the Regulators”) to introduce new rules to govern critical third parties to the UK’s financial services sector. This is quite a change and is the start of the extension of the regulatory envelope to third party service providers.
Rules will fall in place alongside the various rules and regulations already applicable to financial services firms and their outsourcing and third party vendor management arrangements and their operational resilience. One of the many challenges for the financial services firms themselves under such rules (which have been built out considerably in recent years) has been how to achieve compliance in the context of their relationships and contracts with major technology and other suppliers to the sector. Meeting that challenge would no doubt be supported by complementary direct regulation of some key third party service providers.
On 7 December 2023, the Regulators issued their consultation paper “Operational resilience: Critical third parties to the UK financial sector” seeking industry views on its draft proposals. This follows the Discussion Paper (DP3/22) which was issued by the Regulators in 2023.
This consultation paper seeks formal responses from the industry on draft proposals to extend the scope of regulatory oversight to services provided by designated critical third parties to financial sector authorised firms, relevant service providers and financial market infrastructure entities (“Firms/FMIs”). Hence, the focus in this consultation paper is on:
- the criteria for designating a critical third party;
- the establishment of “CTP Fundamental Rules” that apply to all services provided by critical third parties to Firms/FMIs;
- the establishment of “CTP operational risk and resilience requirements” which critical third parties must comply with in respect of material services to Firms/FMIs;
- the information gathering and testing requirements and expectations for critical third parties;
- the notification obligations on critical third parties regarding incidents;
- how critical third parties should refer to their status or that they are overseen by the Regulators; and
- the requirement to nominate a legal person in the UK if the critical third party’s head office is not in the UK, and requirements regarding record keeping and certain relief for the critical third party in emergency situations.
The Regulators have signposted to consult separately in relation to enforcement powers over the critical third parties. They plan to also consult on the development of a new policy for outsourcing and third party data collection in 2024 ahead of the final policy statement that will follow the current consultation paper. The Regulators intend also to publish a document setting out how they will carry out their oversight roles in relation to critical third parties. These will be important components of the overall third party oversight regime.
Key points critical third parties need to be aware of:
- If the Regulators are considering designating a critical third party, the Regulators may approach that critical third party for additional information. Critical third parties are not required to comply with any such request from the Regulators but it may be beneficial to cooperate depending on the outcome the critical third party is seeking to achieve;
- Critical third parties can make representations about their proposed designation, i.e. proposed critical third parties may wish to challenge their proposed designation;
- If a Firm/FMI meets the criteria for designation as a critical third party in respect of services it provides to other Firms/FMIs, such Firms/FMIs are unlikely to be designated as a critical third party so long as the relevant services they provide to other Firms/FMIs are subject to regulation and oversight that results in equivalent outcomes to the critical third party oversight regime. Otherwise, such Firms/FMIs may well be designated as a critical third party;
- Third parties such as telecoms or energy providers are unlikely to be designated as a critical third party so long as the relevant services they provide to Firms/FMIs are subject to regulation and oversight that results in equivalent outcomes to the critical third party oversight regime;
- There are six proposed (high level) “Fundamental Rules” requiring critical third parties to:
  - conduct their business with integrity;
  - conduct business with due skill, care and diligence;
  - act in a prudent manner;
  - have effective risk strategies and risk management systems;
  - organise and control their affairs responsibly and effectively; and
  - engage with Regulators and disclose to Regulators anything which they would “reasonably expect notice” of;
- There are eight proposed operational risk and resilience requirements which critical third parties must adhere to in respect of material services they provide to Firms/FMIs. These are:
  - Governance;
  - Risk Management;
  - Dependency and supply chain risk management;
  - Technology and cyber resilience;
  - Change management;
  - Mapping;
  - Incident management; and
  - Termination.
  These requirements have a flavour very similar to the operational resilience requirements on Firms/FMIs;
- Critical third parties will be under a requirement to demonstrate to Regulators that they can comply with these rules both annually (via self-assessment) and on request.
- Critical third parties will be expected to highlight vulnerabilities, areas of improvement and proposed remediation;
- Critical third parties will be required to carry out regular scenario testing, and to test their financial sector incident management playbook annually (which will also need to be shared with that critical third party’s Firm/FMI customers); and
- Critical third parties will need to provide a report to Regulators following each test of their financial sector incident management playbook showing key findings;
- Regulators may require a critical third party “or any person connected with a critical third party” to appoint, or the Regulators may themselves appoint, a skilled person to report to Regulators. Note the Regulators propose contractual requirements that will need to be included when a critical third party contracts with a skilled person; and
- Critical third parties will need to notify Regulators of various matters including incidents and claims in any jurisdiction that pose a significant threat to that critical third party’s reputation or ability to provide a material service.
It’s worth noting also the following overarching points:
- Firms/FMIs should not view a critical third party as a more resilient, safer or more suitable option than a service provider that has not been designated as a critical third party (i.e. Firms/FMIs still need to comply with their obligations to assess the materiality and risks of their third party arrangements and not assume they can avoid this simply because a third party has been designated as critical);
- importantly, the proposed requirements are “agnostic as to the location” of the critical third party and therefore could apply to critical third parties even if they are not established in the UK. The Regulators do not require critical third parties to establish in the UK. Contrast this with the EU’s DORA, which permits in-scope entities to use the services of a designated critical ICT third party established outside the EU only if that ICT third party has established a subsidiary in the EU within 12 months of being designated as critical;
- critical third parties will need to ensure they have a point of contact for the Regulators; and
- for those critical third parties whose head office is outside the UK, critical third parties will need to ensure they establish or appoint a legal person in the UK who can perform certain functions on behalf of that critical third party (e.g. receive official documents).
What now?
Although these draft proposals will not be a surprise to significant suppliers to the financial services sector, it will be interesting to see their responses (which are due by Friday, 15 March 2024). Our understanding is that suppliers have broadly welcomed the discussion paper from last year, and we suspect they will engage with these draft proposals positively, asking for further clarity to enable them to implement requirements which are new to them and also to help them understand whether their existing standards and processes might already meet those requirements. This clarity will be important, as the task for critical third parties to become compliant will be significant.
Once the consultation period ends, suppliers should turn their attention to the subsequent (a) consultation paper to be published by the Regulators regarding their approach to the use of disciplinary powers and (b) approach document setting out how the Regulators will carry out their oversight roles in relation to critical third parties. There is no indication as yet when these subsequent papers will be published.