What’s behind the consultation on critical service providers?

UK regulators have set out requirements for critical third parties.

The Prudential Regulation Authority, the Bank of England, and the FCA are consulting on their approach to the management of systemic risks posed by critical service providers to the UK financial services sector. Their joint consultation, which is open through 15 March 2024, builds on previous work and will lead to:

  • changes to the regulators’ respective rulebooks;
  • a joint supervisory statement for designated “critical third parties” (CTPs);
  • and a joint Bank/PRA supervisory statement and FCA guidance on the use of skilled person reviews of CTPs.

Further consultations on the use of disciplinary powers are expected to follow.

Policy background

The regulatory concern being addressed is the reliance placed by firms (including authorized firms, electronic money institutions, payment institutions, registered account information service providers) and financial market infrastructures on distributed systems such as cloud services. Although authorized firms and FMIs are required already to address the resilience of their own operations, the potential failure of CTPs risks undermining the stability of and confidence in the UK financial system.

The proposed rules are intended to ensure that regulators have adequate information about the sources of this risk and the ability to supervise the firms associated with it. They do not detract from the responsibilities of authorised firms and FMIs to address their resilience requirements.

Designation of CTPs

The new rules are focused on service providers designated as CTPs under s312L of the Financial Services and Markets Act 2000. The process for designation begins with the regulators, which make recommendations to HM Treasury. The focus is on those service providers which present a risk to the stability of, or confidence in, the UK financial system. This will be assessed with regard to the following factors:

  • The materiality of the services provided to the delivery of essential activities, services, or operations.
  • The number and type of firms to which the service provider provides services (for example, the concentration of risk).
  • Other drivers of potential systemic impact.

The materiality test can be based on individual service lines or a combination of them. The regulators will have regard to the reporting of service providers by firms and FMIs, in the outsourcing and third-party register, that identifies the third party as supporting the delivery of “Important Business Services” under their respective operational resilience policies.

The concentration test is based on the overall risk posed by the provision of the relevant services to firms and FMIs. It is not intended to reflect the popularity of a service but the extent to which failures or interruptions might affect the financial system or individual markets within it. The reliance of a systemic firm or FMI on the relevant service could itself be a factor, as the assessment includes the type of firm as well as the number of firms involved.

Cloud computing

Only a small number of service providers, mainly cloud computing service providers, are expected to be designated under the legislation. The regulators identify their sources of information as including regulatory reporting (including material outsourcing notifications and applications by FMIs for approvals or no-objection decisions) and public sources. There is not a comprehensive formula to be applied, and the regulators intend to use their judgment when data is not sufficient to indicate whether a designation should be made.

Where the relevant services are being provided by an authorized firm or FMI, the regulators note that it is unlikely to be identified as a CTP, provided that the services are subject to a level of regulation and oversight that delivers similar regulatory outcomes. Similar considerations will apply for utility-like services (for example, telecommunications or energy suppliers).

It is proposed that service providers recommended for designation as CTPs will have an opportunity to discuss the relevant services with HMT and the regulators. HMT’s decision to designate a CTP will be communicated to the CTP prior to publication. Following designation, periodic reviews will be conducted to confirm whether the CTP meets the criteria; on the basis of which, recommendations to revoke the designation or to modify it will be made to HMT.

Consequences of designation as a CTP

A firm designated as a CTP by HMT will be required to act in accordance with certain rules of the Bank, PRA, and FCA. These include six CTP Fundamental Rules, which will be found in the regulators’ rulebooks in common form:

  • CTP Fundamental Rule 1: A CTP must conduct its business with integrity.
  • CTP Fundamental Rule 2: A CTP must conduct its business with due skill, care and diligence.
  • CTP Fundamental Rule 3: A CTP must act in a prudent manner.
  • CTP Fundamental Rule 4: A CTP must have effective risk strategies and risk management systems.
  • CTP Fundamental Rule 5: A CTP must organize and control its affairs responsibly and effectively.
  • CTP Fundamental Rule 6: A CTP must deal with the regulators in an open and co-operative way and disclose to the regulators appropriately anything relating to the CTP of which they would reasonably expect notice.

Operational risk and resilience

CTPs will also be required to comply with detailed CTP Operational Risk and Resilience Requirements, addressing governance, risk management, dependency and supply chain management, technology and cyber resilience, change management, mapping, incident management, and the termination of material services.

These would formalise and standardize base requirements for CTPs; for example, by setting expectations for regular resilience testing and supply chain management. They would also draw CTPs closer to regulators and client firms in the testing and execution of business continuity arrangements.

Information gathering and sharing, skilled person reviews, and self-assessments

CTPs will be required to demonstrate their ability to comply with the rules of the regulators annually and on request. Self-assessments will be required within three months of designation and annually thereafter. Regular scenario testing, based on the requirements for firms and FMIs, will be expected, as will annual testing of the financial sector incident management playbook.

The regulators may use their powers under s166(3) of FSMA to require the appointment of a skilled person to provide them with a report, including with respect to resilience testing. CTPs will be responsible for the costs, and they must provide all reasonable assistance to the skilled person. Detailed requirements for skilled persons reports are set out in the consultation paper.

To support client firms and FMIs meeting their own regulatory obligations, it is proposed that summaries of self-assessments and the results of scenario and financial sector incident management playbook testing should be shared with them.

Notifications

CTPs experiencing certain incidents will be required to notify the regulators and firm and FMI clients throughout the life-cycle of the events, in addition to other reporting requirements. The threshold for a “relevant incident” will be one that has, or has the potential to:

  • “seriously disrupt the delivery of a material service; or
  • “seriously and adversely impact the availability, authenticity, integrity or confidentiality of assets relating or belonging to the firms which the CTP has access to as a result of it providing services to firms or the potential to result in a serious loss of such assets”.

A CTP experiencing a planned or unplanned event would be required to provide:

  • “an initial incident notification”;
  • “one or more immediate incident notifications”; and
  • “a final incident notification”.

Additional reporting can be requested by the regulators. The CTP should undertake it if it involves disputes, criminal proceedings, sanctions, financial stress, or other events that could impact the ability of the CTP to restore and continue operations. The form of incident reporting is being considered by the regulators as part of the Transforming Data Collection Programme.

Designated CTP Status

The status of a designated CTP is not intended as a “quality mark,” and it will not be permitted to unduly use it for marketing purposes. A CTP is not an authorised firm for FSMA purposes.

Nomination of a Legal Person

The CTP rules will not require CTPs to establish in the UK; however, they will be expected to appoint a representative for service who can receive documents and notices from the regulators. Normally, this would be a law firm or other corporate representative.

Tim Cant, Lorraine Johnston, Jake Green, Etay Katz and Bradley Rice are partners in the financial regulation practice at Ashurst.