The UK regulators have published a joint consultation setting out the requirements for service providers identified as critical third parties (CTPs) to the UK financial sector. The main thrust of the new regulation is to ensure the stability of the UK financial system as well as the management of risks connected to third party services being provided to financial services firms.
This CP follows on from the publication of DP3/22, which sought views from stakeholders on the subject of third party risk. It is also running in parallel to similarly focused DORA rule-making in the EU, which applies from January 2025.
Who are CTPs?
HM Treasury will be responsible for identifying and designating the CTPs who will be subject to these new rules. At this time no third parties have yet been designated as CTPs.
The statutory test for identifying a CTP is drafted quite broadly and focuses on the consequences to the UK’s financial system resulting from problems experienced by the third party. The key question that the regulator intends to ask is:
- Would the failure of, or disruption to, the third party pose a risk to the stability of, or confidence in, the UK financial system?
In making its assessment HMT will consider:
- the materiality of the services that the third party provides to firms;
- the number and type of firms these services are provided to (concentration);
- other relevant factors.
As a result the number of third parties designated as CTPs is expected to be “very small”. This is aligned with the “regulators’ early thinking” as well as overwhelming support from respondents for this approach when responding to DP3/22. But the CP makes clear that the regulators will use judgment in instances where data alone does not provide adequate support to reach a satisfactory conclusion.
A new policy for the capture of outsourcing data and information will be consulted on in 2024. Submissions by firms by way of this new route will “become the main source of data to support the identification of potential CTPs”. Until the new regime is in place however, the regulators will depend on data available from the ad-hoc data collection exercises undertaken in the past few years and will also take into account data available from a number of other sources, which include notifications from firms, tests, reviews and information from other bodies / authorities.
Those third parties designated as CTPs will be contacted privately and will be subject to the “most granular proposed requirements and expectations”, but only in connection with “material services to firms and FMIs”. In other words, only the services offered to financial services firms and FMIs will be caught within the net. This is presumably an attempt by the regulators to compartmentalise these onerous requirements in order to leave untouched those parts of a CTP’s operations that have no connection with the UK financial system.
New key rules and requirements for CTPs
The CP puts forward six fundamental rules applying to the CTPs. In short a CTP must:
- conduct its business with integrity;
- conduct its business with due skill, care and diligence;
- act in a prudent manner;
- have effective risk strategies and risk management systems;
- organise and control its affairs responsibly and effectively;
- deal with the regulators in an open and co-operative way, and disclose to the regulators appropriately anything relating to the CTP of which they would reasonably expect notice.
After extensive feedback on the minimum resilience standards for CTPs included in DP3/22, the regulators are proposing a very differently organised set of operational risk and resilience requirements. A detailed delineation of these makes up the bulk of the CP. The requirements are organised into eight categories:
- governance;
- risk management;
- dependency and supply chain risk management;
- technology and cyber resilience;
- change management;
- mapping;
- incident management;
- termination of services.
The new requirements are all outcomes focused, which means that “they specify objectives … but do not propose to prescribe how they should be met”. The regulatory expectation is that a CTP’s risk management framework will address the risks in all eight categories. However, categories three to five (dependency and supply chain risk management, technology and cyber resilience, and change management) will be addressed “explicitly and individually” because of “their importance and relevance to the oversight regime for CTPs”. It is these requirements, in addition to the risk management framework, that form the core of the new rules.
Other requirements
In addition to these requirements the CTPs will be required to comply with a number of information gathering and testing requirements, including the need to conduct written self-assessments and to carry out regular scenario testing and skilled person reviews.
Unlike DORA’s requirements for critical ICT third-party service providers, which require any third-country entity designated as such to establish a subsidiary in the EU, the UK requirements only stipulate the nomination of a ‘legal person’, which the regulators propose could be “a law firm or other suitable UK-based corporate body”.
Although not moving completely in lock-step with the EU, it is clear that the UK regulators are just as concerned about the potential of contagion and systemic risks stemming from the extensive outsourcing in the financial services sector and that the regulatory thrust, including this new ‘critical third party’ category, is broadly aligned with DORA and its requirements.
Responses to the CP are due by March 15, 2024.