On 7 December 2023, the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) (together, the Regulators) published a joint consultation paper (Consultation) on operational resilience for critical third parties (CTPs) in the UK financial sector. In the Consultation, the Regulators propose new rule requirements and accompanying expectations for CTPs.
Identifying potential CTPs
The Regulators are responsible for recommending third parties to HM Treasury (HMT) for designation as CTPs. In the Consultation, the Regulators propose to identify potential CTPs by assessing third parties against the following three criteria:
- materiality of the services which the third party provides to firms and financial market infrastructures (FMIs);
- concentration of the services which the third party provides to firms and FMIs; and
- other drivers of potential systemic impact, such as the substitutability of services (in particular, material services) and access to firms or FMIs’ critical resources.
Under Section 312L of the Financial Services and Markets Act 2000 (FSMA), HMT may designate a third party as a CTP. HMT may only exercise its power to designate a third party as a CTP if, in its opinion, a failure in, or disruption to, the provision of the services that the third party provides to firms and FMIs (either individually or, where more than one service is provided, taken together) could threaten the stability of, or confidence in, the UK financial system. HMT must have regard to: (i) the materiality of the services provided to the delivery, by any person, of essential activities, services or operations (wherever carried out); and (ii) the number and type of authorised persons, relevant service providers or FMI entities to which the person provides services. Among other conditions, under Section 312L of FSMA, HMT must consult each of the Regulators before designating a third party as a CTP. In practice, this will generally involve the Regulators proactively recommending to HMT that it should exercise its power to designate a third party as a CTP based on their analysis of relevant data and information. HMT has not yet designated any third parties as CTPs.
It is likely that CTPs will account for a very small number and percentage of those third parties providing services to firms and FMIs.
The Consultation’s proposals apply to services provided by a CTP wherever located to firms and FMIs regulated by any of the Regulators. The proposals are, therefore, agnostic as to the location of a CTP. There is also no requirement for a CTP to set up a UK establishment (i.e., a branch or subsidiary) where one does not already exist. However, a CTP whose head office is outside the UK must nominate a legal person with authority to receive documents and notices from the Regulators.
Requirements for all CTPs: Fundamental Rules
The Regulators have proposed six so-called Fundamental Rules that CTPs must comply with when providing services to firms and FMIs. These are high-level rules that collectively express the Regulators’ objective of minimising any risks posed by CTPs to the stability of, or confidence in, the UK financial system.
The proposed CTP Fundamental Rules are:
- CTP Fundamental Rule 1: A CTP must conduct its business with integrity.
- CTP Fundamental Rule 2: A CTP must conduct its business with due skill, care and diligence.
- CTP Fundamental Rule 3: A CTP must act in a prudent manner.
- CTP Fundamental Rule 4: A CTP must have effective risk strategies and risk management systems.
- CTP Fundamental Rule 5: A CTP must organise and control its affairs responsibly and effectively.
- CTP Fundamental Rule 6: A CTP must deal with the Regulators in an open and cooperative way and disclose to the Regulators appropriately anything relating to the CTP of which they would reasonably expect notice.
Enhanced requirements for CTPs’ material services: Operational Risk and Resilience Requirements
In addition to the Fundamental Rules, the Regulators have proposed eight Operational Risk and Resilience Requirements that would apply to a CTP’s “material services”. For these purposes, “material services” would be defined as “services provided by a CTP to one or more firms a failure in, or disruption to, the provision of which could threaten the stability of, or confidence in, the UK financial system”.
Although the proposed Operational Risk and Resilience Requirements are more granular than the proposed Fundamental Rules, they are still outcomes-focused. In other words, while they specify objectives that CTPs must meet in respect of their material services, they do not prescribe the manner in which a CTP must do so.
The proposed Operational Risk and Resilience Requirements cover:
- Requirement 1: Governance. A CTP must ensure that its governance promotes the resilience of its material services by, among other things: (i) appointing a central point of contact for the Regulators; and (ii) establishing, overseeing and implementing an approach that has clear roles and responsibilities at all levels to enable the CTP to prevent, respond and adapt to, and recover from any event that causes disruption.
- Requirement 2: Risk management. A CTP must implement a sound risk management framework to effectively manage risks to its ability to continue to deliver a material service including by identifying and monitoring relevant external and internal risks, and implementing effective risk management systems to manage such risks.
- Requirement 3: Dependency and supply chain risk management. A CTP must identify and manage risks to its supply chain, perform appropriate due diligence throughout any sub-contracting arrangements that could affect its ability to deliver material services from the outset and be transparent with the Regulators, firms and FMIs about which parts of its supply chain are essential to material service delivery.
- Requirement 4: Technology and cyber resilience. A CTP must ensure the resilience of any technology that delivers, maintains or supports a material service, including by having technology and cyber risk management and operational resilience measures, and regularly testing such measures. Processes and measures should be updated to reflect lessons learned from testing and to assist in the risk management and decision-making processes.
- Requirement 5: Change management. A CTP must have a systematic approach to dealing with changes to a material service (including changes to the processes or technologies used to deliver, maintain, or support that service) by, for example, implementing appropriate policies, procedures and controls throughout the change management lifecycle.
- Requirement 6: Mapping. A CTP must identify and document the resources used to deliver, support and maintain each material service it provides, and any internal and external interconnections and interdependencies.
- Requirement 7: Incident management. A CTP must appropriately manage incidents that adversely affect, or may reasonably be expected to adversely affect, the delivery of a material service by, among other things, setting a maximum tolerable level of disruption, implementing appropriate measures to respond to and recover from incidents in a way that minimises impact, and operating a financial sector incident management playbook.
- Requirement 8: Termination services. A CTP must implement appropriate measures to respond to the termination of any of its material services, including arrangements to support the effective, orderly and timely termination of services and provisions for ensuring access, recovery and return of any relevant assets to the firms or FMIs to which it provides the material service.
Information-gathering and testing, self-assessment, and information-sharing expectations for CTPs
The Consultation also sets out proposed information-gathering and testing requirements and expectations for CTPs, including:
- the submission of an annual self-assessment to the Regulators;
- regularly undertaking scenario testing of their ability to continue providing material services in severe but plausible scenarios;
- annually testing their financial sector incident management playbook jointly with an appropriately representative sample of the firms and FMIs to which they provide services;
- requirements relating to skilled person reviews of CTPs; and
- requirements on CTPs to share certain information with the firms and FMIs to which they provide services.
Notification requirements
The Consultation proposes that CTPs must notify certain incidents to the Regulators, and to the firms and FMIs to which they provide the impacted services. The Regulators propose a phased approach to incident notifications by CTPs, consisting of:
- an initial incident notification;
- one or more intermediate incident notifications; and
- a final incident notification.
The Regulators have set out the information that CTPs would need to include in each of these phases.
Misleading use of designation status
The Consultation sets out proposed requirements that a CTP, and persons acting on its behalf, must abide by when referring to its designated status, or to the fact that it is overseen by the Regulators.
Nomination of a legal person for non-UK CTPs
To ensure the efficient operation of this regime, the Consultation seeks to ensure that each CTP maintains a central point of contact for the Regulators and, for a CTP whose head office is not in the UK, a legal person to perform certain functions on its behalf (e.g., receiving statutory notices issued by the Regulators).
Emergency relief
The Consultation also includes proposals that are intended to provide regulatory relief to a CTP in emergency circumstances.
Interaction with other operational resilience regulations
The Consultation notes that the proposals have been designed to be as interoperable as reasonably practicable with similar existing and future regimes, such as the EU’s Digital Operational Resilience Act and the US Bank Service Company Act.
To promote regulatory and supervisory interoperability with these regimes, the Regulators propose to:
- ask CTPs for information provided to the regulators responsible for these regimes and to take such information into account in their oversight;
- accept incident notifications or reports submitted by CTPs to firms, FMIs, and/or the authorities responsible for these regimes, subject to certain minimum information requirements; and
- explore ways to strengthen cooperation in the supervision of CTPs with the regulators responsible for these regimes through existing or, if necessary, new cooperation arrangements.
Next steps
The Consultation closes on 15 March 2024.
The PRA and BoE intend to publish a further consultation containing a draft policy statement on their approach to the use of disciplinary powers over CTPs. To maintain a joint approach, the FCA also intends to consult on its policy statement on the use of disciplinary powers over CTPs around the same time. The Regulators expect to publish a “CTP approach document” setting out how they will carry out their oversight roles in relation to CTPs in due course.
The Consultation is available here.