Key Points:
- The Bank of England (BoE), Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) have issued final rules for the Critical Third Parties (CTPs) regime covering the UK financial sector.
- The regulations aim to strengthen operational resilience by bringing third-party services that could impact financial system stability under regulatory oversight.
- Critical third parties are those whose failure could threaten the UK’s financial system’s stability or public confidence.
- Entities meeting the criteria will be designated by HM Treasury (HMT) after a thorough assessment and consultation.
The Critical Third Parties Regulation
On 12 November 2024, the Bank of England (BoE), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) issued the long-awaited final rules for the Critical Third Parties (CTPs) regime within the UK financial sector. The introduction of this regulation marks a pivotal advancement in operational resilience by extending regulatory oversight to third-party providers whose services are critical to the stability of the UK financial system. The new framework ensures that third parties with the potential to cause significant disruption are subject to the same level of scrutiny as the financial firms they support.
For further details on the policy, you can access the overall policy statement (PS16/24), and supervisory statement (SS6/24).
Objective of Regulation
The primary objective of the CTP regime is to reduce systemic risks posed by third-party service providers. By ensuring they are better prepared to manage disruptions, the regulations aim to safeguard the overall resilience of the UK financial system. This initiative also seeks to maintain public confidence and financial stability by enhancing the operational resilience of critical third parties.
Who’s Impacted?
Critical third parties provide essential services to regulated financial firms, including cloud computing, IT systems, and data services. While these services generally function smoothly, any disruption can have wide-reaching consequences for the financial sector and the broader economy.
The designation of Critical Third Parties (CTPs) will be based on recommendations from the Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA), with HM Treasury responsible for formalising the designation (Source: Deloitte).
CTPs will be identified based on criteria such as the materiality of the services they provide, their market concentration, and the potential impact of service disruptions on financial stability and consumer confidence. Once designated, these entities will be subject to a robust supervisory framework aimed at bolstering their resilience through minimum standards and rigorous testing exercises.
How the Regime Works
The regime will apply to third-party providers that are identified as offering “systemic third-party services” (STPS). This terminology replaces the earlier concept of a “material service” to highlight the potential systemic risk these services pose. Regulators will assess whether a third party’s services, if disrupted, could impact the financial system’s stability or public confidence.
The regulators will make their recommendations to HM Treasury (HMT) on which entities meet the criteria to be designated as CTPs. This process will involve consultation with the third parties, giving them a period to provide additional data or challenge the designation. Once designated, CTPs will be expected to comply with several operational risk and resilience requirements designed to ensure their services can continue even during severe disruptions.
Key Compliance Requirements
With the introduction of numerous new regulations and more demanding risk expectations, most providers have put their own risk management and resilience frameworks in place in recent years. The new regime will nonetheless require a significant uplift to meet all of the regulators’ expectations.
Under the new regime, this will be the first time CTPs fall directly under the financial services regulators’ oversight. Once designated, CTPs will need to meet several new requirements to ensure the continuity of their services. These include:
- Governance – Appointing a qualified employee to serve as the main point of contact with regulators and ensuring clear roles for all staff involved in the delivery of systemic services.
- Risk Management – Establishing comprehensive risk management processes, particularly focusing on dependency risks and the resilience of their technology infrastructure.
- Incident Management and Reporting – Developing detailed plans for how to respond to operational incidents, including a phased approach to incident reporting to regulators and customer firms. CTPs will also need to set and manage maximum tolerable levels of disruption.
- Testing and Mapping – CTPs must regularly test their services against potential disruptions and map all resources that support their services, ensuring continuity even in the face of severe challenges.
- Supply Chain Risks – A critical aspect of the new rules is the focus on understanding and managing supply chain risks, particularly with “Key Nth Party Providers,” which could include outsourced services or suppliers integral to the CTP’s operation.
The UK’s approach aligns with global standards, drawing inspiration from frameworks such as the EU’s Digital Operational Resilience Act (DORA). While the regime shares objectives with those of other jurisdictions, its primary goal is to ensure the stability of, and confidence in, the UK’s financial system. The regulators will maintain engagement with international authorities to ensure consistency and to address any cross-border concerns.
To begin to comply with this latest regime, third parties should align their efforts with those already underway to address requirements in other jurisdictions such as DORA.
How This Impacts Financial Services Organisations and Their CTPs
For financial services firms, the regulations will enhance transparency and oversight of third-party providers, granting access to incident reports and self-assessments. However, firms remain ultimately responsible for their operational resilience, even when relying on CTPs.
For designated CTPs, these rules represent a significant shift in their operational risk frameworks. Providers will need to:
- Review and adapt their current risk management and compliance structures.
- Prepare for heightened regulatory scrutiny and oversight.
Both financial services organisations and CTPs will be required to comply with the PRA’s supervisory statements. Financial services firms must adhere to SS2/21, which outlines the rules for managing third-party risks, while CTPs must comply with SS6/24, specifying the obligations for service providers delivering critical services to the financial sector.
Looking Ahead
The year 2025 is set to bring significant changes for designated Critical Third Parties (CTPs). Early in the year, regulators are expected to recommend the initial candidates for CTP designation to HM Treasury (HMT). This will trigger a consultation process, lasting approximately six months, during which HMT will engage with the proposed CTPs (Source: HM Treasury). Upon designation, HMT will formally notify these entities and outline which of their services are considered systemic. The regulators will also conduct periodic reviews to reassess and confirm their designation decisions.
About the Author
Nick Francis, Chief Technology and Marketing Officer at Brooklyn Solutions
Nick Francis is a well-established and experienced CxO delivering digital and security-focused transformation through the design, build, and deployment of cost-effective, highly automated, industry-leading solutions. He has experience working across the private and public sectors in industries such as Financial Services, Insurance, Legal, Utilities, Retail, Public Sector and Government.
He specialises in compliance, risk and control activities in highly regulated industries, standardisation of technologies, streamlining of internal processes, and continuous improvement that drives consistency and efficiency across an organisation, whilst holding customer, colleague and partner experience at a premium.