The UK regulatory regime for critical third parties (CTPs) to the financial services (FS) sector is becoming clearer. In December 2023, the Bank of England (BoE), the Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) – referred to hereafter as ‘the regulators’ – published a consultation paper outlining their detailed regulatory requirements and expectations.
The consultation brings much needed clarity to crucial elements such as the designation process and criteria, and the rules that CTPs will need to comply with across multiple areas, including risk management, governance, mapping, and testing. This enables third parties to the FS sector to form an updated view on whether they are a likely candidate for designation as a CTP and prepare for potential implementation.
This consultation from UK FS regulators is the latest move to oversee resilience and accountability of CTPs. International regulators are also reviewing their CTP regimes – for example, in the EU, the Digital Operational Resilience Act (DORA) is introducing a similar oversight framework.
Other regulators are also widening their net to capture digital platforms and critical service providers. The EU and the UK are taking forward initiatives aimed at enhancing competition and consumer protection in digital markets.
CTPs will now need to assess and understand the cumulative impact of these various regulatory expectations on their business model, pricing structures and operations.
Based on new powers conferred by the 2023 Financial Services and Markets Act (FSMA 2023), His Majesty’s Treasury (HMT) is responsible for designating a third party as critical, in consultation with the regulators. In practice, the regulators will play a proactive role, identifying and recommending to HMT potential candidates for designation. The consultation provides more clarity on the criteria that the regulators will use.
Figure 1: CTP designation criteria
The UK will take an evidence-based and technology-neutral approach to designating CTPs. This means that the scope of third parties potentially captured will not be limited to just Cloud Service Providers (CSPs). It could include other technology providers, such as Artificial Intelligence (AI) and market data providers. Non-ICT providers, such as cash distribution service providers, could also potentially be designated as a CTP. No CTP has been designated yet, although initial HMT estimates suggest that it currently anticipates a population of circa 15-20 CTPs to be captured under this regime.1
The regulators will look holistically across the above criteria to decide whether to recommend that HMT designates a third party as critical. For third parties, this means that staying below purely quantitative thresholds will not guarantee that they will not be designated as a CTP in the UK. By contrast, the EU’s DORA designation process contains a mix of qualitative and prescribed quantitative thresholds. This includes a number of granular thresholds, such as more than 10% of EU FS firms being serviced by the same third party, or more than 10% of EU FS firms reporting difficulty in migrating their services away from the third party under scrutiny.
Who is “unlikely” to be captured?
FS regulated firms: The consultation highlights that the regulators are “unlikely” to recommend FS firms and financial market infrastructure entities for designation as a CTP if the services they provide to FS are subject to a level of regulation and oversight equivalent to the CTP regime. By not definitively ruling regulated FS firms offering CTP services out of scope, there is still some room to capture them under this regime if there are concerns around the level of oversight over specific third-party services.
Other regulated sectors: The regulators are also unlikely to recommend third parties in other sectors (e.g., public telecommunications and energy providers) for designation as a CTP on the same grounds.
The regulators stressed their intention to create a regime that is purely service-based, focused on overseeing the material services that CTPs provide to FS firms, rather than supervising the entirety of the CTP as a legal entity.
The regime comprises two key elements. Once designated, CTPs will be subject to six overarching fundamental rules that apply to all services provided to FS clients. These are high-level rules that provide a general statement of a CTP’s fundamental obligations under the regime, and act as an expression of the regulators’ objective of managing financial stability risks posed by CTPs. Meanwhile more granular operational risk and resilience requirements will apply to a CTP’s material services.
Figure 2: Core elements of the UK’s CTP regime
1. Third parties will need to get a clearer view on how their services are – or will be – deployed by FS firms in practice
Third parties will need to work closely with existing FS clients to understand the extent to which their services are material to the resilience of the client. If the services a third party provides underpin and enable important business services (IBS) of its FS customer community, this is likely to increase the materiality of a CTP service.
In addition, third parties will need to maintain an ongoing two-way dialogue with FS clients to understand if the services provided become more material or evolve to support an IBS over time. As part of this, third parties should review and understand whether any existing contractual arrangements may, in future, extend the scope of current services to support IBS.
Embedding enhanced controls into new FS relationship onboarding and approval processes will be required to help determine whether any new services would be material to the resilience of the client. Additional controls, new management information and enhanced governance may also be required.
2. Heed lessons learned from FS firms’ experience with mapping under the UK operational resilience framework
The CTP regime shares some similarities with the operational resilience regime that UK FS firms are currently implementing. The process of mapping dependencies to understand key vulnerabilities, setting maximum levels of tolerance to disruption, testing against severe but plausible scenarios, and conducting annual self-assessments is a key element of both regimes.
Learning from their FS clients, CTPs need to get the mapping of policies, processes, people, technology, data, key sites/facilities and suppliers that support material services right from the start. This mapping will become the backbone for providing the data needed to understand the impact of disruption internally (e.g., operational) and externally (e.g., on clients and markets as a whole).
A key challenge is balancing mapping at a sufficient level of granularity – necessary to understand how material services function – against an approach that is high-level enough to understand how each element is interlinked to deliver the service. It became clear for many UK FS firms that an excess of detail in mapping IBSs did not automatically simplify the process of building resilience, as major points of failure did not easily percolate through the detail. At the same time, mapping at too high a level failed to detect the vulnerabilities that needed to be remediated.
FS firms also had to pay special attention to mapping their dependencies on third-party and intra-group suppliers, understanding how their legal entity structure and the dependencies this gives rise to affect their service delivery. In a similar fashion, CTPs will need to map their own supply chain and manage any risks that could affect their ability to deliver their material services to the FS sector. This will mean not only being able to identify key Nth-party providers for the CTP itself, but also those having access to confidential or sensitive data belonging to their regulated FS clients.
3. For many CTPs, the most significant uplift to meet the UK regime’s requirements will be cultural
While many CTPs already possess strong technology and cyber resilience capabilities, the new UK CTP regime will require a step change in their approach to resilience and engagement with regulators when working with FS firms. For some CTPs, the regime may be their first direct interaction with FS regulators. The following areas will require careful consideration.
First, CTPs will need to embed resilience in their everyday activities – with a particular focus on material services – in line with FS regulatory expectations. This may not be fully aligned with their existing view of resilience. For example, the regime has a sharp focus on managing dependency and supply chain, technology and cyber, and change management risks. CTPs will need to ensure that their risk management capabilities across these domains can deliver the outcomes expected by the regulators.
The requirement for CTPs to develop and test an FS-specific incident management playbook is another example. CTPs will need to differentiate their response to disruption depending on the client affected, with specific attention to the FS sector. While CTPs already have resilience and business continuity plans, the regime will require them to look at resilience through the lens of FS systemic stability. The playbook will need to set out how a CTP will coordinate crisis communications with the FS clients to which it provides material services. It will also set out how a CTP will ensure that FS clients and the regulators receive necessary information and support throughout an incident’s lifecycle, e.g., on the implementation of response and recovery measures.
Second, embedding appropriate governance arrangements to demonstrate resilience to the regulators will also be important. The top level of management responsible for material services will need to evidence that it has reviewed, challenged and signed off the mapping exercise, maximum tolerable levels of disruption, and annual self-assessments.
Finally, the regime will also bring a step change in the level of information-sharing between CTPs, their FS clients, and the regulators. In case of disruption to a material service, CTPs must make notifications to their FS clients and the regulators across the whole lifespan of an incident. The final notification must include a root cause analysis and identify lessons learned. This will force CTPs to review their crisis communication strategies, ensuring they have appropriate arrangements in place to notify FS clients and the regulators promptly.
4. CTPs with a cross-border footprint will need to determine an optimum European legal entity structure
CTPs with a cross-border footprint will need to consider both UK and EU approaches to location requirements to define an optimum structure.
Under the proposed UK regime, there is no requirement for a CTP to set up a UK branch or subsidiary. A CTP with a head office outside the UK would be required to nominate a legal person to receive documents and notices from the regulators. CTPs with no presence or employees in the UK can appoint a law firm or other suitable UK-based corporate body, partnership or limited liability partnership as their representative.
Meanwhile, under DORA, CTPs must establish a specific subsidiary in the EU. However, DORA does not necessarily prevent CTPs from providing ICT services and support from facilities located outside the EU.
Overall, this opens up some strategic questions for CTPs including how best to serve their EU and UK customers, while meeting emerging regulatory requirements. Designated CTPs in both jurisdictions need to consider their European footprint and how best to streamline their legal entity structure to reduce their cost base and optimise the distribution of their people and infrastructure across Europe and globally. Legal entity options include:
CTPs should use the lead time before the UK regime is finalised to analyse their footprint and understand the implications of regulations and the resulting strategic business model and legal entity options. CTPs should monitor client needs and preferences and use them to inform their decision-making process. Option 1 may be particularly attractive to CTPs with an EU and UK footprint, especially those without an existing UK presence. This may help to streamline facilities, skills, technology and processes necessary to serve FS clients.
Where third parties choose to service both EU and UK clients out of the same infrastructure, they will need to understand how best to drive synergies in compliance, should they be designated as a CTP under both regimes.
The CTP regime is one element of a broader set of emerging regulations applicable to third parties servicing financial services firms. For CSPs, in particular, there are a number of new regulatory initiatives emerging with the intent to enhance competition in cloud markets and address barriers to switching and multi-cloud.
In the EU, the Data Act has recently put in place a framework for new regulatory requirements in this area. Indeed, the Data Act notes that facilitating a multi-cloud approach for FS customers can also contribute to increasing their digital operational resilience, as recognised in the DORA. In the UK, the Competition and Markets Authority (CMA) is currently investigating whether technical barriers, fees to transfer data, volume discounts and software licensing practices are hindering competition in cloud services, further to concerns expressed by Ofcom. A provisional decision by the CMA is expected in H2 2024.
As the regulatory landscape continues to evolve, CTPs need to consider the cumulative impact on their business and keep it under review as they start their strategic planning relevant to implementation. To facilitate this, CTPs should enhance horizon scanning capabilities to spot and assess the impact of the full suite of regulatory change affecting their business. Their assessments should consider the impact across their whole business, including strategy, governance, operations, finance and risk and compliance functions. CTPs should not only assess the impact in their current state business model, but also any planned future expansions.
Once further details emerge in 2024, some of the CTP regime’s key unanswered questions – especially the two below – may fall away.
1. Approach to CTP oversight
The UK regulators will set out more details on how they will oversee CTPs in practice, although timelines for this are unknown. For example, it is currently unclear whether a specific regulator will take the lead in overseeing certain types of CTPs, and if so, which one. In the EU, one of the three European Supervisory Authorities (EBA, EIOPA or ESMA) will take the lead in supervising each CTP based on the type of FS firms it services. This effectively provides a clear point of contact to the CTP.
2. Use of disciplinary powers
The regulators will also publish a consultation on their proposed use of disciplinary powers over CTPs in case of non-compliance. The timeline for this is also unknown. The regulators’ approach to using these powers – especially fines – will set the tone for CTPs’ compliance efforts.
The consultation represents a significant milestone in the development of the UK CTP regime. However, it is unclear when the regulators will finalise their regime. This means that specific timelines for when designated CTPs will need to complete their first self-assessment and mapping exercises are unclear.
What we do know is that the CTP regime’s service-based approach is more limited in scope compared to the organisation-wide operational resilience regime that UK FS firms are implementing. That said, in practice, CTPs will need to carry out similar activities to comply with the regime and build resilience, e.g., mapping, setting maximum tolerable levels of disruption, and conducting testing.
Figure 3: CTP compliance journey
This puts pressure on CTPs to prepare for pre-designation conversations and comply with the new rules within a tight schedule.
Third parties that consider themselves a likely candidate for designation as a CTP should consider undertaking “no regret” actions now, including agreeing an approach to the mapping exercise, e.g., allocating responsibilities and agreeing on the degree of granularity at least at a top management level. Potential CTPs can also use the time to start reviewing and upgrading resilience controls, especially for their most material services. CTPs should also assess the regime’s impact on their infrastructure, legal entity and governance options.
Overall, being subject to FS regulatory oversight will bring a step change in how CTPs think about, and demonstrate, their operational resilience.
_____________________________________________________________
1 https://bills.parliament.uk/publications/49053/documents/2621