The Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have unveiled the finalised framework for operational resilience of critical third parties (CTPs) within the UK financial sector.
Published in Policy Statement PS16/24, the framework establishes clear guidelines for the management and oversight of third-party services crucial to the financial system. The initiative follows extensive consultation and addresses risks tied to the growing reliance on third-party service providers.
These updated rules aim to safeguard financial stability and consumer confidence, recognising the systemic risks posed by disruptions to critical services.
The Bigger Picture
The introduction of the CTP oversight regime reflects the increasing importance of third-party providers in the financial services ecosystem. Financial institutions rely on a concentrated group of CTPs for both traditional and emerging technology services, creating systemic risks if disruptions occur.
The Bank of England’s new Enforcement Statement of Policy and Procedure (SoPP), developed in consultation with the PRA, seeks to address this with enhanced procedures for CTPs, ensuring proportionality in enforcement.
Comparatively, the UK’s approach to operational resilience aligns with key aspects of the Digital Operational Resilience Act (DORA) in the EU.
For instance, both regimes recognise the systemic risks posed by ICT-related incidents and third-party dependencies, but DORA’s scope is broader in covering a wider range of ICT services.
UK regulators have designed the CTP regime to be interoperable with international standards, reflecting the global nature of financial services. However, some distinctions remain.
Although DORA imposes stringent requirements on ICT service providers directly, the UK’s framework focuses more on criticality assessments and places a shared emphasis on the accountability of financial firms and third-party providers.
Furthermore, the UK rules do not fully align with DORA’s definitions, such as "relevant incidents," to avoid overlapping jurisdictional reporting requirements that could increase compliance complexity. This ensures the UK regime is practical while addressing the unique risks within its market.
The new rules build on previous operational resilience requirements by adding clarity to definitions and simplifying compliance where possible. For example, CTPs can now use existing incident management frameworks rather than bespoke playbooks if they meet the required standards.
This pragmatic approach helps balance the need for stringent safeguards with the realities of implementation, avoiding excessive disruption or cost for third-party providers.
Why Should You Care?
For financial firms and third-party providers alike, these changes represent both challenges and opportunities:
- For financial firms, the rules provide clearer mechanisms for managing risks associated with third-party dependencies. Enhanced transparency requirements and robust incident reporting protocols will improve risk management and ensure greater accountability across the value chain, including efforts to:
  - Identify critical dependencies through robust dependency mapping and categorisation by criticality.
  - Review and align internal incident escalation processes with new reporting requirements for CTPs, and establish clear communication channels for real-time updates.
  - Audit current contracts with CTPs to ensure incident reporting and service level agreements (SLAs) reflect the updated framework.
- For third-party providers, the designation as a CTP brings direct regulatory obligations. Although this increases compliance requirements, it also positions these providers as integral components of the financial system, fostering trust and stability. However, CTPs must now invest in developing supply chain risk management frameworks and adhere to defined incident reporting timelines. This means additional efforts to:
  - Leverage existing frameworks for incident management to minimise compliance costs while meeting regulatory expectations.
  - Invest in enhanced governance measures and supply chain risk management to demonstrate compliance and foster resilience.
  - Collaborate closely with financial firms to ensure operational continuity through comprehensive testing, simulating real-life disruption scenarios.
- For intra-group providers, being designated as CTPs introduces new regulatory obligations, requiring them to balance compliance with their role in supporting group operations. Key steps include:
  - Aligning existing group-wide incident management processes with CTP-specific reporting requirements to streamline compliance.
  - Strengthening governance frameworks to ensure accountability and effectively manage critical service dependencies.
  - Mapping dependencies across the group to identify key service links and conducting resilience testing for operational continuity.
By benchmarking elements of the CTP framework against international approaches such as DORA, the UK can foster confidence that its financial sector is robust, competitive and internationally aligned, while retaining the flexibility to adapt to domestic priorities.
What’s Next?
The new rules for CTPs will take effect on 1 January 2025, following designation decisions by HM Treasury. Designated CTPs will have 12 months to achieve compliance or face enforcement procedures, with an expectation of continuous improvement thereafter.
Key upcoming milestones include:
- CTP designation: HM Treasury will identify and formally designate CTPs based on their systemic importance to the financial sector.
- Implementation guidance: Additional guidance will clarify the scope of requirements, particularly around governance frameworks and incident management protocols.
- International cooperation: Regulators will continue collaborating with counterparts in the EU and beyond to address overlaps and foster alignment with DORA and other global operational resilience standards.
Although the road to full compliance may be complex, the collaborative engagement between regulators, financial institutions and CTPs is crucial in achieving these goals. Firms should prioritise early preparation to ensure they meet the new standards and mitigate any potential disruptions to their operations.