On 7 December 2023, the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published a joint consultation paper titled ”CP26/23 - Operational resilience: Critical third parties to the UK financial sector.” The consultation includes draft PRA and Bank of England Rulebook instruments as well as a draft FCA Handbook instrument that describes proposed rule changes relating to critical third parties (CTPs). These include a set of high-level fundamental rules and operational requirements for CTPs, information and notification requirements, and rules for making referrals to regulatory oversight.
The consultation paper follows the July 2022 publication of a discussion paper of the same name (DP3/22), which we discuss in our alert ”Too Important to Fail - Part 2: The Coming Regulation of Providers of Critical Technology Services to UK Financial Institutions.” It is similar in effect to the EU Digital Operational Resilience Act (DORA), which came into force on 16 January 2023 and will apply starting 17 January 2025. For further information and materials on both the UK and EU regimes, please refer to “Financial Regulations for Critical Third-Party Technology Providers in the EU and UK.”
The consultation paper is open to response until 15 March 2024, and we think it likely that the new rules will come in third or fourth quarter 2024.
Who Is in Scope of the Proposed Regime?
Chapter 3C of the Financial Services and Markets Act 2023 (FSMA 2023) — which received royal assent on 29 June 2023 — grants His Majesty’s Treasury the power to designate a person who provides services to one or more authorised persons, relevant services providers, or financial market infrastructure (FMI) entities as a CTP where the services that third party provides could threaten the stability of, or confidence in, the UK financial system.
The consultation paper suggests that while the Treasury is ultimately responsible for designating firms as CTPs, the obligation in FSMA 2023 to consult with regulators before exercising these powers will likely result in the regulators proactively making recommendations to the Treasury after they assess the following three criteria:
- Materiality of the services that the third party provides to firms and FMIs
- Concentration of the services that the third party provides to firms and FMIs
- Other drivers of potential systemic impact
Given the growing focus on artificial intelligence (AI) in financial services — as we have discussed most recently in our alert “AI and Machine Learning in UK financial services: the public response to the FCA and PRA” — this regime is likely to become closely associated with any future AI regulation in the UK. This point is noted in the minutes of the Bank of England Financial Policy Committee’s most recent meeting (published 6 December 2023).
The consultation paper specifies that CTPs are expected to account for a very small percentage of third-party service providers and will be limited to third parties that are systemically important.
How Does the Regime Affect Non-UK CTPs?
The proposals recognise that many CTPs provide services across international borders and/or to clients in multiple jurisdictions. As a result of this, the requirements are agnostic about the location of CTPs and do not require an establishment (i.e., a branch or subsidiary) to be set up in the UK where one does not already exist.
However, for practical purposes, the proposals require a CTP whose head office is outside the UK to nominate a legal person with authority to receive documents and notices from the regulators (including statutory notices under FSMA 2023). This can include a law firm or other suitable UK-based corporate body, partnership, or limited liability partnership.
This is an important deviation from the equivalent EU law under DORA, which will require non-EU CTPs to establish a subsidiary in the EU.
What Are the Fundamental Rules and Operational Risk and Resilience Requirements Proposed?
The consultation paper proposes the introduction of six high-level fundamental rules that CTPs must comply with in the course of their services. These state that a CTP must:
- Conduct its business with integrity
- Conduct its business with due skill, care, and diligence
- Act in a prudent manner
- Have effective risk strategies and risk management systems
- Organise and control its affairs responsibility and effectively
- Deal with the regulators in an open and cooperative way and appropriately disclose to regulators anything relating to the CTP of which they would reasonably expect notice
The consultation paper also proposes more detailed operational risk and resilience requirements for CTPs in relation to:
- Governance
- Risk management
- Dependency and supply chain risk management
- Technology and cyber resilience
- Change management procedures
- Mapping of resources and interconnections between them
- Incident management
- Procedures to respond to a termination of material services
Many of the above requirements might already exist in the service contracts that CTPs and financial-services firms agree to, because of regulatory obligations that those firms have to follow. However, the new regime would give the regulator the power to enforce these rules directly against a CTP.
The consultation notes the risk that imposing regulatory oversight on CTPs may result in a misinterpretation by firms that a CTP has superior operational resilience compared with other third-party providers. To combat this, the proposals prohibit CTPs from indicating or implying that they have the approval or endorsement of the regulators.
What Information and Notification Requirements Will Be Placed on CTPs?
The proposals contain a general requirement for every CTP to demonstrate its ability to comply with the regulator’s rules both annually and upon request. In addition, the consultation paper suggests more specific information requirements for the following:
- Annual self-assessments highlighting identified vulnerabilities and areas for improvement and proposed remediation
- Scenario testing based on the operational resilience framework for firms and FMIs that will test the CTP’s ability to continue providing material services in the event of a severe but plausible disruption
- Testing incident management playbooks in the financial sector annually or on request
- Conducting skilled person reviews
Where there is a “relevant incident,” the consultation paper includes a requirement for CTPs to notify the regulator and their customers. Relevant incidents include events that (i) disrupt, or have the potential to seriously disrupt, the delivery of a material service; or (ii) seriously and adversely impact (or potentially impact) the availability, authenticity, integrity, or confidentiality of assets relating or belonging to the firms that the CTP has access to as a result of providing services. Notifications should include an initial incident notification, intermediate incident notifications, and a final incident notification once the incident has been resolved.
Further notification requirements apply in specific circumstances, such as if the CTP enters litigation or arbitration or is the subject of disciplinary measures or sanctions.
[View source.]