.svg)
The UK’s financial regulators have finalised their plans for critical third parties (CTPs), as the country commits to aligning with international regimes including the EU’s Digital Operational Resilience Act (DORA).
The Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have unveiled a new regulatory approach to overseeing critical third-party providers (CTPs), whose services are essential to the UK financial sector.
The regulators’ approach emphasises transparency, accountability and a collaborative relationship with CTPs to preemptively identify and mitigate risks, and the CTP oversight framework sets out how the Bank of England, the PRA and the FCA will monitor and manage CTPs to reduce risks that could ripple across the UK’s financial sector.
“Firms are increasingly dependent on certain third parties for the delivery of functions and services that are essential to the stability of, or confidence in, the UK financial system,” the policy document says.
“In some cases third parties can become so critical that no single firm can adequately monitor or manage the systemic risks a third party poses.”
The new framework aims to mitigate systemic risks posed by service disruptions that could affect the stability or confidence in the country’s financial system.
The regulators warn that as financial institutions become more reliant on a limited number of third-party providers for core operations, even minor disruptions to these critical services could have significant ripple effects on the broader economy.
Avoiding significant disruption
The policy document, which outlines rules that will be effective from January 2025, says that the regulators will recommend third-party providers to HM Treasury for designation as CTPs if a disruption to their services could significantly affect the financial system.
This designation would bring such providers under direct oversight, with final decisions on designation made by HM Treasury.
The regulators have developed a risk assessment framework that focuses on both external and internal threats to a CTP’s operations.
Assessments using the framework will evaluate factors such as concentration risk, including how many institutions depend on a single provider, and materiality, looking at the critical nature of the services provided.
Designated CTPs will be required to conduct annual self-assessments and undergo scenario testing to demonstrate their resilience, and the framework also includes "deep dive" examinations and exercises to test the ability of these entities to respond to and recover from disruptions.
The new approach also emphasises clear communication and collaboration between the regulators and CTPs, including provisions for international cooperation to streamline oversight where third-party providers operate across borders.
“The new rules align closely with international standards and similar regimes, like the EU’s Digital Operational Resilience Act,” the FCA statement confirms.
This policy document says that this collaboration will enhance effective supervision and align with international standards for managing systemic risks from "systemic third-party dependencies" and "financial sector critical service providers".
UK regulators may, for example, request information from CTPs that has been submitted to other jurisdictions, such as reports for critical ICT providers designated under the EU's DORA, where the information meets UK oversight standards.
