
UK regulators set out plan for oversight of ‘critical third parties’

London’s Canary Wharf: the regulators’ proposals highlight potential risks to financial stability if the ‘critical third party’ services increasingly used across the financial services industry ‘are disrupted or fail’ | Credit: Ian Hall

UK banking regulators have published proposals to directly regulate ‘critical third parties’ supplying services such as cloud computing to the financial sector – an increasingly significant part of the global financial services landscape.

The Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) launched a consultation on 7 December on proposals to ‘oversee and strengthen’ the resilience of services provided by critical third parties (CTPs) to UK regulated financial services companies and financial market infrastructure entities (FMIs).

‘CTPs supply an array of services to firms and FMIs, providing benefits, including greater operational resilience and innovation. However, if they are disrupted or fail, there are potential risks to UK financial stability,’ the authorities state in a joint announcement. ‘Managing these risks fully is beyond the ability of any individual firm or FMI and requires an appropriate but proportionate level of direct regulatory oversight.’

‘These proposals will therefore complement but not blur, eliminate or dilute the responsibilities of individual firms and FMIs relating to operational resilience and third-party risk management,’ the authorities explain.

The ‘Operational Resilience: Critical Third Parties to the UK Financial Sector’ proposals follow a discussion paper (with an identical title) published in July 2022; and the UK parliament’s adoption of the Financial Services and Markets Act (FSMA) 2023, which gave regulators powers to make rules for, and oversee, CTPs designated by HM Treasury (HMT).


Proposals for CTPs

Proposals in the paper include how the regulators may identify potential CTPs and recommend them for designation to HMT, as well as a set of ‘fundamental’ rules to apply to all services CTPs provide to UK firms and FMIs and act as a ‘general statement of their obligations’ under the proposed regime.

The proposals also include requirements for CTPs to notify regulators (as well as firms and FMIs they provide services to) of specific disruptions that may adversely impact their services; a set of more granular operational risk and resilience requirements to apply to what are described as CTPs’ ‘material services’ to firms and FMIs, ‘such as requirements on technology and cyber resilience, as well as on supply-chain risk, change and incident management’; and requirements for CTPs to provide ‘certain information and assurance to the regulators, including submitting an annual self-assessment, and conducting regular testing of their ability to provide material services in severe but plausible disruption (‘scenario testing’).

The BoE, PRA and FCA state that CTPs will not be authorised or overseen ‘in their entirety’ by the regulators, but that the ‘third-party services they provide will be overseen against these proposals, once finalised’.

They also point out that the proposals ‘draw on’ global standards and toolkits, such as the 58-page ‘Enhancing third-party risk management and oversight: a toolkit for financial institutions and financial authorities’ document just published by the Financial Stability Board (FSB). ‘They are also designed to be interoperable with similar rules for CTPs in other jurisdictions,’ the UK authorities state.

The deadline for consultation feedback is 15 March 2024, with the regulators aiming to publish ‘final requirements and expectations for CTPs’ during the second half of next year.


FMIs ‘increasingly dependent’ on external tech

In the authorities’ announcement, PRA chief executive and deputy governor of prudential regulation Sam Woods describes third-party service providers as “often play[ing] a vital role in the delivery of important services by banks and insurers” but says their use brings “potential risks”.

“We are consulting on proposals to implement new powers given to us by Parliament to manage these risks for those providers who could present risks to financial stability, in an effective and proportionate way,” he said, in reference to the FSMA 2023.

BoE deputy governor for financial stability Sarah Breeden, meanwhile, described FMIs as “becoming increasingly dependent” on third-party tech providers for “services that could impact UK financial stability if they were to fail or be disrupted”.

FCA chief executive Nikhil Rathi said “well-managed” outsourcing can generate “efficiencies, accelerate innovation and boost operational resilience”. But he warned that a “concentration” of third parties serving multiple clients in financial services carried the risk of “a major impact if they are disrupted or fail”.

“We believe these proposals will improve the resilience of the critical third-party services that financial firms and their customers depend on, support market integrity and enhance UK competitiveness and growth,” Rathi said.


‘Financial Regulation Innovation Lab’ launches

In a separate UK fintech regulation-related development this week, a publicly-funded ‘Financial Regulation Innovation Lab’ (FRIL) initiative has launched in Scotland.

Funded through ‘Innovation Accelerator’ funding for the ‘Glasgow City Region’, the initiative has been unveiled by Fintech Scotland. Fintech Scotland is a non-profit body jointly established by financial services companies, Scottish Enterprise (national economic development agency and non-departmental public body of the Scottish government) and universities.

FRIL, in partnership with the University of Strathclyde and University of Glasgow, will deliver a ‘wide-ranging, ambitious research agenda, led by and actionable for the financial sector, to help advance understanding and adoption of new and emerging technologies’, Fintech Scotland’s announcement states. It will ‘engage participants in industry-led innovation challenge calls, integrate academic research with an industry-relevant agenda, design and implement a skills and education programme, and facilitate knowledge exchange through workshops, roundtables, conferences and trade missions’.  

Research will cover aspects of financial regulation, including: ‘explainable artificial intelligence (AI) applications for ESG (environmental, social and governance) risk management’; ‘using automation and AI to combat money laundering’; and ‘synthetic data for financial regulation innovation’.

The initiative ‘aligns with’ the Centre for Finance, Innovation and Technology (CFIT), the announcement also notes. CFIT is a tangible result of the UK’s Fintech Strategic Review (the HMT-commissioned study that became known as the Kalifa Review).

Led by Innovate UK on behalf of UK Research and Innovation, the pilot Innovation Accelerator programme is investing £100m (about $126m) in 26 R&D projects in Scotland’s largest city, as well as two English regions (Greater Manchester and the West Midlands). 
