Navigating the new UK CTP regulations

A guide for critical third parties (CTPs) to the UK financial sector on new operational resilience regulations taking effect from January 2025.

04 December 2024

Publication


What is the New UK Critical Third-Party Regime?

The global CrowdStrike incident [1] early this year highlighted the vulnerabilities to, and extensive disruption that can be caused by, technology companies and other third-party service providers. In the wake of that incident, and recognising the high and growing reliance of the financial sector on third parties, the UK's financial regulatory authorities - the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) (collectively the "regulators") - have jointly announced the new critical third party ("CTP") oversight regime (see Policy Statement PS16/24, including Supervisory Statement SS6/24). This new framework, effective from 01 January 2025, aims to bolster the operational resilience of the UK's financial system by ensuring that critical third parties ("CTPs") adhere to a robust regulatory framework when providing services to regulated firms and financial market infrastructure ("FMIs"). Introduced in the Financial Services and Markets Act 2023 ("FSMA 2023"), the CTP Oversight Regime significantly extends the regulators' powers to previously unregulated firms, while broadly aligning with international standards set by the Financial Stability Board ("FSB").

Who is in scope?

Critical Third Parties (CTPs)

CTPs will be service providers specifically designated as such by HM Treasury, based on the potential impact that service failures or disruptions may have on the stability of, and confidence in, the UK's financial system. No CTP designations have been made yet. The regulators' "CTP approach document" sets out how CTPs might be recommended for designation: the key factors will be the significance and reach of the services provided to the financial ecosystem. This approach shares some similarities with the criteria used under the EU's Digital Operational Resilience Act ("DORA") for classifying ICT third-party service providers as critical (and therefore subject to direct regulation under DORA). However, the designation criteria under DORA include more quantitative thresholds.

The CTP approach document does not exclude the possibility that firms such as clearing houses and payment systems would be designated as CTPs, but assures them that firms regulated in the UK, and regulators that "deliver comparable outcomes", are "unlikely" to be recommended for CTP designation.

We expect that there will be multiple CTPs that will be caught under both regimes, such as large cloud/digital infrastructure service providers. Importantly, while DORA focuses on ICT third-party providers, the UK regime is non-ICT specific and could also capture service providers that do not primarily provide ICT services. 

Whilst specific supplier entities will be designated, draft supervisory statement SS6/24 emphasises that requirements will effectively need to be applied at supplier group level to the extent necessary to give effect to the purposes of the supervisory statement.

The geographic location or place of incorporation of a CTP is irrelevant to the power to designate or the scope of application of obligations: designated CTPs with no presence in the UK will have to provide an address for service of documents to the UK regulators.

Although the CTP Oversight Regime comes into force on 01 January 2025, obligations on an individual CTP will only apply from the date specified in the designation order made by HMT. New CTPs will be given a timetable to implement the different requirements. So, for instance, an initial self-assessment will be due within 3 months of the date of designation.

The CTP Oversight Regime binds CTPs but is designed to complement the existing obligations of regulated firms and FMIs regarding outsourcing and third-party risk management. Importantly, these rules do not diminish the accountability of regulated firms and FMIs, their boards, or senior management. Instead, they seek to address the imbalance in negotiating power between regulated firms/FMIs and a small number of critical providers, which has arisen over recent years, by making the CTPs directly accountable to the regulators.

The CTP Oversight Regime covers CTPs providing services to PRA-regulated firms such as banks and insurance companies, FCA-regulated firms such as MiFID investment firms, and FMIs such as central securities depositories, clearing houses and payment systems regulated by the Bank of England. Each of the regulators proposes to implement parallel rules for CTPs - appended in draft form to the policy statement - and the Bank of England also has special rules, mirroring existing PRA and FCA emergency rules, intended to provide relief to a CTP in emergency circumstances when it would be impossible for the CTP to comply with the proposed rules.

Key components of the oversight regime for CTPs

The new regime imposes a range of requirements on CTPs, including:

  • Fundamental Rules, Operational Risk and Resilience Requirements: CTPs will need to adhere to six fundamental rules, which broadly mirror the fundamental rules that apply to PRA- and FCA-regulated firms, and those on which the Bank of England is consulting for FMIs (as to which, see our latest Markets View). Similarly to DORA, the CTP Oversight Regime also introduces operational risk and resilience requirements in respect of governance, supply chain risk management, technology and cyber resilience, change management, incident management, and service termination. The regime also introduces requirements relating to the mapping of the resources, technology and interdependencies necessary for the delivery of the services.

  • Self-Assessment, Scenario Testing and Incident Management: CTPs will be required to assess their adherence to the regulatory framework on an ongoing basis and perform scenario testing to ensure that service provision remains within acceptable disruption thresholds. While DORA mandates testing and incident management as principal requirements, the obligation to conduct self-assessments and share these with regulators is a requirement unique to the UK regime.

  • Incident Reporting and Notification: CTPs will have to report operational incidents. Although this is similar to the requirements under DORA, under the UK rules CTPs must be prepared to address both ICT and non-ICT-related disruptions.

Enforcement and Implications

The CTP Oversight Regime includes guidance on the regulators' approach to enforcement, emphasising proportionality and confidentiality to ensure the regime is robust without stifling innovation or imposing undue burdens. It will be interesting to see how much flexibility is afforded to CTPs under the principle of proportionality, given that the whole purpose of the regime is to address risks of systemic importance to the UK financial system.

Importantly, the statutory enforcement powers include powers to publicise failings and prohibit the provision of services.

How should entities prepare?

Given the uncertainty as to which supplier entities will be designated as CTPs and when they will be designated as such, planning is likely to remain high level for now. Prospective CTPs may start or continue to engage with the regulators/HMT in respect of the designation process. Regulated firms and FMIs will also want to track which of their suppliers may come to be designated. They may even wish to share their own views as to which suppliers ought to be designated as CTPs (on the basis of risk exposure to those supplier entities and/or challenges in securing governance or contractual controls over them).

Prospective CTPs are likely to want to integrate analysis and planning for DORA implementation with analysis and planning for possible designation. We suggest that prospective CTPs may consider focusing (at an appropriate time in each case) on:

  • Gap Analysis: Conducting a thorough review of their current operational and risk management frameworks used with financial services sector customers against the requirements of the UK's CTP regime.

  • Engagement with Financial Institutions: Given the potential for financial institutions to advocate CTP designation, proactively engaging with their customers, perhaps by offering a stronger emphasis on information sharing and on broader governance, risk management and incident reporting procedures, and on collaboration between financial institutions and CTPs.

  • Vulnerability Management: Identifying and addressing any weaknesses within operational and supply chain processes. This may include ensuring that contracts with the prospective CTP's own suppliers are sufficiently robust.

  • Governance: Identifying a team of individuals that will be responsible for acting as, and supporting, the point(s) of contact with the regulators, bearing in mind that the point(s) of contact will need appropriate training in relevant financial regulation to support the CTP.

[1] A global IT outage caused by a rogue software update that impacted up to 8.5 million computers using Microsoft systems.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.