On 12 November 2024, the Prudential Regulation Authority (PRA), Bank of England (BoE) and Financial Conduct Authority (FCA) issued a joint supervisory statement, Operational resilience: Critical third parties to the UK financial sector (Statutory statement 6/24), creating a new regulatory framework to manage risks to the stability of the UK financial system that could arise from failure of, or disruption to, the services a critical third party (CTP) provides to firms in the financial sector.
On international interoperability, the statutory statement provides that the “UK oversight regime for CTPs is designed to be interoperable with similar non-UK regimes, such as the Digital Operational Resilience Act (DORA) in the European Union…but only to the extent that such interoperability does not conflict with or undermine the Overall Objective”.
The regime only applies when a prospective CTP has been assessed by HM Treasury (HMT) as providing services for which failure in, or disruption to, the provision of these services could threaten the stability of, or confidence in, the UK financial system.
The new rules primarily affect CTPs and potential CTPs. The policy does not apply to any one type of service; the new regime is intended to be technology-neutral and focuses on regulatory outcomes.
Requirements are focused on CTPs providing services to firms and financial market infrastructure operators (FMIs) and do not directly impose regulatory obligations on financial services firms.
HMT expects that CTPs will represent only a small number of overall third parties to the financial sector.
The regulators will not recommend for designation as a CTP the following financial firms:
However, the new rules may also be of interest to financial services firms and financial market infrastructure firms, as there are likely to be operational resilience issues to consider in relation to their arrangements with such CTPs. Separately, the FCA has published its own guidance on the lessons for financial services firms to learn from the CrowdStrike outage and the operational issues to identify and address from an operational resilience perspective.
HMT expects to designate a CTP based on recommendations from the financial regulators; however, it is also possible for HMT to designate a CTP without a recommendation.
The statutory statement provides the following definitions:
(i) persons authorised by the PRA and/or the FCA (both on a dual-regulated and FCA-solo regulated basis, including UK authorised branches of non-UK firms);
(ii) financial market infrastructure entities (FMI), as defined in s312L(8) of FSMA, including:
(iii) relevant service providers, as defined in s312L(8) of FSMA, including:
The framework includes CTP Fundamental Rules that a CTP is required to comply with in respect of all services it provides to financial services firms. They provide a general statement of a CTP’s fundamental obligations under the oversight regime and apply to all services provided by the CTP to firms and FMIs, not only material services.
There are six CTP Fundamental Rules. Rules 1-5 are substantive obligations with regard to a CTP’s provision of ‘systemic third-party services’, whereas Rule 6 applies in relation to all other services that a CTP may provide to a firm.
CTP Fundamental Rule 1: A CTP must conduct its business with integrity.
CTP Fundamental Rule 2: A CTP must conduct its business with due skill, care and diligence.
CTP Fundamental Rule 3: A CTP must act in a prudent manner.
CTP Fundamental Rule 4: A CTP must have effective risk strategies and risk management systems.
CTP Fundamental Rule 5: A CTP must organise and control its affairs responsibly and effectively.
CTP Fundamental Rule 6: A CTP must deal with the regulators in an open and co-operative way, and disclose to the regulators appropriately anything relating to the CTP of which they would reasonably expect notice.
The framework recognises that CTPs may perform different functions and have different makeups. The framework has been designed to be outcomes focused and recognises there are several ways requirements may be met.
The statutory statement provides that the operational risk and resilience requirements only apply in relation to the provision of a CTP’s systemic third-party services to firms. A CTP is expected to continuously improve the resilience of its systemic third-party services as it learns from incidents, exercises and testing.
Requirement 1: Governance: a CTP must ensure that its governance arrangements promote the resilience of any systemic third party service it provides.
Requirement 2: Risk management: a CTP must manage effectively risks to its ability to deliver a systemic third party service.
Requirement 3: Dependency and supply chain risk management: a CTP must (as part of its obligation under Requirement 2) identify and manage any risks to its supply chain that could affect its ability to deliver a systemic third party service. A CTP must take reasonable steps to ensure that its Key Nth party providers and persons connected with a CTP that are part of its supply chain.
Requirement 4: Technology and cyber resilience: a CTP must (as part of its obligation under Requirement 2) take reasonable steps to ensure the resilience of any technology that delivers, maintains or supports a systemic third party service.
Requirement 5: Change management: a CTP must ensure that it has a systematic and effective approach to dealing with changes to a systemic third party service, including changes to the processes or technologies used to deliver, maintain or support a systemic third party service.
Requirement 6: Mapping: to include resources, assets, supporting services and technology, any internal, external interconnections and interdependencies between resources.
Requirement 7: Incident management: a CTP must effectively manage CTP operational incidents.
A CTP is also required to carry out regular scenario testing and incident management playbook exercises to ensure it can continue providing its systemic third-party service(s) within an appropriate maximum tolerable level of disruption in the event of a severe but plausible disruption to its operations. If a CTP does not already have an appropriate scenario-testing programme at the point of designation, it should implement a programme and carry out its first scenario tests no later than 12 months following designation by HM Treasury.
Requirement 8: Termination of services: a CTP must have in place appropriate measures to respond to a termination of any of its systemic third party services (for any reason).
A CTP is required to demonstrate its ability to comply with the rules and to provide what is referred to as the ‘general evidence requirement’, including regular self-assessments, scenario testing and incident management playbook exercises, and providing regulatory information on request. Self-assessments are required within three months of designation and annually thereafter.
The regulators have the ability to order skilled persons reviews of CTPs and carry out investigations (s312P of FSMA) (‘information-gathering and investigatory powers’); and take enforcement action against a CTP (s312Q and s312R of FSMA) (‘disciplinary powers’).
FSMA 2023 gives the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), collectively the financial regulators, the power to enforce the rules, gather information and conduct investigations in respect of CTPs.
The CTP regime does not mandate establishing a UK entity and instead applies regardless of where the services are provided from. The CTP can appoint a central point of contact for the regulators and provide the regulators with a UK address for service of documents, including statutory notices.
For CTPs with a head office outside of the UK, regulators have proposed that a CTP with no presence or employees in the UK should appoint a law firm or other suitable UK-based corporate body, partnership, or limited liability partnership as its representative.
Once a recommendation is made the Treasury will write to the CTP to open a period of formal representations and will advise the CTP of the expected timeframe.
HMT estimates that every recommendation will take about 6 months to process.
The final rules for CTPs will take effect from 1 January 2025.
Once designated, a CTP’s obligations will start from a date specified by HMT in the designation order; certain requirements will be subject to applicable transition periods.