On 6 June, the UK Government confirmed it will legislate to extend the regulatory perimeter to give UK regulators new direct oversight powers over designated third-party providers critical to the financial services (FS) sector.
HM Treasury (HMT)'s policy statement was short and high-level. Still, it made clear that the objective of the UK's future regime will be to set and enforce minimum resilience standards for any material services that critical third parties (CTPs) provide to the UK financial sector. More details will emerge over the coming months once the Government introduces primary legislation in Parliament and FS regulators publish a planned Discussion Paper on how they may exercise their new powers.
Direct regulatory oversight of CTPs was inevitable, given the FS sector's increasing reliance on a small number of CTPs, especially for Cloud services. For example, as of 2020, over 65% of UK firms used the same four cloud providers for cloud infrastructure services.[1]
The EU is also finalising an oversight framework for CTPs as part of its Digital Operational Resilience Act (DORA). Both the UK and EU regimes recognise that individual firms alone cannot effectively manage the potential systemic risks arising from concentration in the market or information and power asymmetries between some CTPs and FS firms. Both regimes are therefore designed to complement - but not dilute - FS firms' operational resilience and third-party risk management regulatory responsibilities.
However, some differences between the UK’s and EU's overall approach to CTP oversight are emerging. In particular, while the DORA emphasises detailed ICT third-party risk management requirements, the UK regime will focus on operational resilience more broadly, aligning the expectations for CTPs with those of FS firms under the UK’s new operational resilience supervisory framework.
The UK also plans to define minimum industry resilience standards for CTPs more clearly. This will differ from the DORA, which currently does not mandate supervisors to put in place common technical standards for resilience for CTPs. In addition, UK regulators are set to gain the power to require CTPs to participate in a range of targeted forms of resilience testing to assess whether they comply with these resilience standards.
However, while the DORA will require CTPs to have a legal subsidiary in the EU to offer services to FS firms, there has been no mention of any location requirements from UK authorities up to now.
The CTPs that this regime will capture are not exclusive providers to FS firms. The policy proposal is silent on how the overall cross-sectoral systemic risk and threat to supply chain resilience posed by reliance on large unregulated third-party providers will be addressed.
In addition, many of the large CTPs also service international markets. However, we are yet to see any significant global supervisory coordination mechanisms to manage the global systemic resilience risks posed by such providers.
The planned joint Discussion Paper from the UK FS regulators may help address some of these questions, as according to HMT, it will, amongst other things, explore specific ways to coordinate with overseas FS regulators and non-FS authorities and regulators in the UK. It may also clarify whether supervisory oversight of CTPs will be on a periodic or continual basis.
The practical implications of the UK's regime will become clearer once the FS regulators publish a detailed Discussion Paper (timing not confirmed). But, overall, we expect most FS firms will broadly welcome the introduction of a direct oversight framework, as it will give them added assurance about the resilience of their existing or potential arrangements with CTPs.
For CTPs, it will provide a level of clarity in terms of the minimum resilience standards expected of them. In the UK, CTPs have largely been open to dialogue with the FS regulators. However, being subject to supervisory oversight will require a mindset shift and much greater rigour in documenting, embedding and demonstrating robust governance, risk management and controls.
At an international level, CTPs will have to tackle divergent oversight regimes in the medium term. While the EU and UK approaches to CTP oversight are running in parallel, there appears to be minimal formal coordination in developing the detailed requirements.