On 12 November 2024, the Bank of England (BoE), the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) – hereafter referred to as ‘the regulators’ – published the final CTP framework.1
The regime largely reflects the proposals outlined in December 2023, with targeted clarifications. These include a clearer oversight cycle for designated CTPs, an even greater onus on overseeing systemic services offered by the CTP (by narrowing the scope of the fundamental rules), greater emphasis on collaborative resilience testing with the FS industry, amongst other changes promoting proportionality.
The UK regime is the latest move to oversee the resilience of CTPs. International policymakers are shaping their own regimes. For example, the EU’s Digital Operational Resilience Act (DORA) introduces a similar oversight framework.
His Majesty’s Treasury (HMT) has powers to designate a third party as critical, in consultation with the regulators. The regime will focus on providers whose service disruptions could threaten UK financial stability. In practice, the regulators will identify and recommend candidates, using criteria that may evolve over time.
Figure 1: CTP designation criteria
The UK will take an evidence-based and technology-neutral approach. Potential CTPs are not limited to Cloud Service Providers (CSPs), but could include other technology providers, such as Artificial Intelligence (AI) and market data providers, and non-ICT providers, such as cash distribution service providers.
The regulators will consider the criteria holistically when recommending a CTP designation. The UK designation criteria do not include quantitative thresholds. In contrast, the EU’s DORA criteria contain a mix of qualitative and quantitative thresholds, such as a third party servicing more than 10% of EU FS firms.
Who won’t be captured?
FS regulated firms: the regulators “do not usually” recommend designating entities as a CTP if they are already subject to oversight by the BoE, PRA and/or the FCA concerning the operational resilience of those services. For example, custody and clearing services that are themselves subject to UK FS regulation and supervision by one or more of the regulators. Firms or intra-group service providers exclusively serving group entities are excluded from designation.
Other regulated sectors: The regulators are “unlikely” to recommend third parties in other sectors for CTP designation if existing regulations provide comparable oversight and resilience outcomes for those services in the UK. E.g., sectors under the UK National Infrastructure Resilience Framework.
When considering CTP designation, the regulators will assess individual systemic services and their oversight, rather than automatically excluding an entire entity.
While HMT designates CTPs at the entity level, the regime focuses on the critical services (defined broadly2) that these entities provide to FS firms. It comprises three key elements.
First, CTPs are subject to six overarching, high-level fundamental rules. These provide a general statement of a CTP’s fundamental obligations under the regime. The regulators clarified that most of these rules only apply to systemic third party services.
Figure 2: CTP fundamental requirements
Second, more granular operational risk and resilience requirements will apply to a CTP’s systemic third party services.
Figure 3: CTP operational risk and resilience requirements
Third, systemic third party services must meet a set of other key requirements.
Figure 4: Other key requirements
Joint approach to CTP oversight
The regulators outlined their collaborative approach to CTP oversight, with three noteworthy elements.
First, shared responsibility between the regulators, facilitated by a Consultation and Coordination Forum. However, regulators retain the authority to act individually if necessary or appropriate.
Second, a framework for assessing the risk profile of a CTP and its systemic third party services. The framework considers risks from the external environment (e.g., cybersecurity landscape, geopolitical environment) and internal factors (e.g., business model, group structure, transformation projects). The regulators will consider mitigating factors, such as a CTP's governance, management, controls, and operational resilience.
Third, CTP oversight activities follow a recurring 12-month cycle, centred around an Annual Review where regulators and CTPs discuss risks and oversight priorities. Regulators issue letters outlining specific actions for each CTP, such as testing or remediation. CTPs must respond, with regulators monitoring progress, reviewing self-assessments, and conducting targeted examinations as needed.
1. Third parties should establish a clear view of how FS firms deploy their services
Third parties should work closely with FS clients to understand the extent to which their services are systemic to the client’s resilience. Understanding whether a service underpins and enables important business services (IBS) within their FS client base is crucial, even if not automatically leading to qualification as a CTP systemic third party service.
This requires ongoing dialogue with FS clients to track changes in the nature of services or support for IBS. Third parties should review contracts, assessing whether amendments might expand the scope of services to support IBS. Embedding enhanced controls into FS client onboarding and approval processes is essential for assessing whether new services are material to the resilience of the FS firm. New management information and enhanced governance may also be required.
2. Heed lessons learned from FS firms’ experience with UK operational resilience framework
The CTP regime shares similarities with the operational resilience regime that UK regulated FS firms are implementing. Mapping dependencies to understand vulnerabilities, setting maximum levels of tolerance to disruption, testing against severe but plausible scenarios, and developing annual self-assessments are common features.
Mapping the resources, assets, interconnections, and interdependencies that support systemic third party services is a crucial foundational activity. This mapping provides the data to understand the impact of disruptions both internally (e.g., operational) and externally (e.g., to clients and markets as a whole).
A key challenge is balancing sufficient granularity – understanding how systemic services function – with a high-level perspective revealing the interconnectivity of elements delivering the service. FS firms found that excessive detail in mapping IBSs did not necessarily simplify resilience-building, potentially obscuring major failure points amidst the complexity. Conversely, overly high-level mapping risked overlooking vulnerabilities.
Like FS firms, CTPs face the challenge of mapping complex supply chains. This includes understanding how third party and intra-group suppliers and legal entity structures affect service delivery, identifying concentrations and single points of failure.
3. For many CTPs, the most significant uplift to meet the regime’s requirements will be cultural
Many designated CTPs may already possess strong technology and cyber resilience capabilities. But the regime requires a step change in their approach to resilience and regulatory engagement. For some, this may be their first direct interaction with FS regulators, requiring careful consideration in several areas.
First, CTPs must embed and evidence resilience in their everyday activities aligned with FS regulatory expectations. This may require embedding the resilience framework in a more formal and robust manner, and ensuring it delivers the outcomes expected by the regulator. For example, the regime emphasises managing risks related to dependency and supply chains, technology and cyber, and change management.
Incident management playbooks are no longer required to be FS-specific, but their development and testing must still prioritise protecting systemic financial stability within the FS sector. These playbooks should detail how the CTP will coordinate crisis communications with affected FS firms and regulators, including response and recovery measures.
Second, embedding robust governance is crucial to demonstrating resilience to the regulators. Senior management must provide evidence of reviewing, challenging, and approving key elements such as mapping, maximum tolerable levels of disruption, and self-assessments. The rules also mandate financial regulatory training for designated regulatory contacts to ensure effective execution of their duties.
Finally, the regime brings a step change in information-sharing between CTPs, FS clients and the regulators.
In the event of serious disruption to a systemic third party service, CTPs must keep affected FS clients and the regulators informed throughout the incident’s lifecycle. This forces CTPs to review crisis communication strategies and processes. For instance, incident management duties mandate coordination with regulators and industry through Collective Incident Response Frameworks (e.g., the Authorities Response Framework and the Sector Response Framework).
While incident reporting focuses on events directly affecting systemic third-party services or CTP operations, CTP self-assessments must still incorporate aggregate data on incidents and near misses. Regulators will examine this data for areas of improvement, lessons learned, and emerging trends.
4. CTPs with a cross-border footprint should determine an optimum European legal entity structure, considering EU/UK approaches to location requirements
While the UK regime does not mandate establishing a UK branch or subsidiary, non-UK headquartered CTPs must appoint a central point of contact and designate a UK address for official correspondence. Conversely, EU DORA requires CTPs to establish an EU subsidiary but does not preclude providing ICT services and support from facilities outside the EU.
This poses strategic questions, particularly how best to serve EU and UK customers while meeting new regulatory requirements. Designated CTPs in both jurisdictions should evaluate their European footprint and identify optimal legal entity structures to streamline operations, reduce costs, and optimise the distribution of personnel and infrastructure across Europe and globally. Options include:
CTPs should analyse their footprint and assess their business model and legal entity options. Client needs and preferences should inform their decision. Option 1 may prove attractive to CTPs with an EU and UK footprint, especially those without an existing UK presence, streamlining the capabilities necessary to serve FS clients.
When servicing EU and UK clients from the same infrastructure, CTPs in both jurisdictions should leverage synergies in compliance. Centralising implementation programmes, encompassing business continuity, ICT disaster recovery, cybersecurity, and third-party risk management, can streamline processes, reduce duplication, and consolidate expertise. Additionally, coordinating regulatory engagement through a central office can help ensure consistent messaging to UK and EU regulators and facilitate efficient feedback implementation across the business.
In case of non-compliance, the regulators have powers to take a range of enforcement actions. These include preventing CTPs from serving regulated FS firms, stopping regulated FS firms from receiving CTP services, and imposing conditions on their agreements.
2025 will be a year of significant change for designated CTPs. In early 2025, the regulators are expected to recommend the first candidates for CTP designation to HMT. This initiates a consultation period, lasting ~6 months,3 between HMT and the potential CTP. If designated, HMT will notify CTPs regarding which services are considered systemic. HMT will periodically review its designation decisions.
Figure 5: Indicative CTP compliance journey
The first year of oversight will differ from subsequent annual cycles. Regulators will prioritise gaining a comprehensive understanding of each CTP and an initial view of its risk profile.
To facilitate this, CTPs must submit an interim self-assessment within 3 months of designation. Recognising that full compliance is a journey, the regulators indicated that initial assessments may be less detailed than future annual submissions and might not demonstrate full compliance.
12 months post-designation, CTPs must evidence their compliance with an additional set of requirements. CTPs must complete their initial mapping and first round of scenario testing, and develop and operationalise their incident management playbook, including an initial playbook exercise.
Recognising that the regime may necessitate changes to CTP contracts with suppliers and FS clients, the regulators have introduced some flexibility. CTPs can update contracts entered into before their designation at the first scheduled renewal or review post-designation.
Third parties anticipating CTP designation should start preparations. This includes engaging with FS clients to understand how their services are used in practice. Internally, third parties should define an approach to mapping, e.g. allocate responsibilities and agree the degree of granularity at a top management level. Upgrading resilience controls, particularly for systemic services, and conducting a thorough cost analysis — examining compliance expenses and developing a cost management strategy — are also crucial.
Overall, being subject to FS regulatory oversight will need a step change to how CTPs think about, and demonstrate, their operational resilience.
___________________________________
References
1 Key Documents:
SS6/24 – Critical third parties to the UK financial sector | Bank of England
Approach to the oversight of critical third parties | Bank of England
SS7/24 – Reports by skilled persons: Critical third parties | Bank of England
2 Including, but not limited to, a facility, as noted in s312L(8) of FSMA; activities, functions, processes and tasks, as noted in the FSB TPR toolkit; and Information and Communications Technology (ICT) services
3 HM Treasury, Approach to Designating Critical Third Parties (2024)