HM Treasury recently published a Policy Statement setting out its proposal for regulating and mitigating risks from critical third parties ("CTPs") to the financial sector. This was shortly followed by the Bank of England ("BoE"), PRA and FCA joint Discussion Paper. 

Whilst not limited to technology suppliers, the regime will have a focus on hosting and platform providers, and in particular where there are areas of concentrated risks (which can't be managed by regulating firms and financial market infrastructures ("FMIs") on their own in isolation of a sector approach). 

In this insight we provide a summary of the proposals and discuss what they mean for potential CTPs, firms and FMIs. 

Basis for change 

Given the increasing reliance by financial services firms on third parties for the performance of key functions and services (in particular IT, cloud and managed services), the UK regulators have announced plans on how they intend to extend their regulatory remit and oversight. This would implement their proposed powers under the Financial Services and Markets Bill ("FSMB") recently put before parliament. 

The new law under the FSMB, once enacted (most likely in 2023), will repeal retained EU law and create a new regulatory framework that is aligned with the government's strategy for growth and competitiveness. 

Driver for change

This is not a new concern. In September 2021, the BoEs financial policy committee meeting minutes noted that "the increasing criticality of the services that critical third parties provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight".

Regulation in the EU is already well progressed – the Digital Operational Resilience Act (“DORA”) has been provisionally agreed, which will regulate critical third parties providing "Information Communication Technologies" related services to the financial sector. 

Designation of CTPs

Under the proposals, HM Treasury will be able to designate certain third parties as CTPs. Supervisory authorities will also be consulted and may proactively recommend designations.  

The assessment criteria will be based on the materiality of the services that third parties provide, the nature of the concentration of firms and FMIs to which they provide services, and the overall potential systemic impact that disruption to the services could have on the financial sector supervisory authorities' resilience objectives.

Proposed measures applicable to CTPs

The Discussion Paper sets out how the supervisory authorities plan to define their powers under the FSMB to improve the resilience of services provided by CTPs, and direct supervision and oversight for services into the financial services sector.

The main focus areas outlined in the Discussion Paper include:

1. minimum resilience standards for CTPs, including a requirement to develop and test "financial sector continuity playbooks" to improve their ability to respond to and recover from disruption affecting multiple firms and FMIs simultaneously; and
   
   
2. tools for testing the resilience of material services, such as scenario testing, participation in sector-wide exercises, cyber resilience testing and "skilled person reviews" of CTPs.

These would be backed up by obligation on CTPs to provide information to the supervisory authorities to assess the resilience of material services provided to firms and FMIs and to address relevant concerns and issues. 

Proposed enforcement powers

Proposed powers include:

• requiring firms/FMIs to enhance due diligence, monitoring or business continuity, and exit plans for material services from a specific CTP;
• the right to request information from CTPs and to investigate concerns;
• the right to conduct "skilled person reviews" of CTP activities;
• the right to interview a representative of the CTP; and
• the ability to issue directions on CTPs requiring specific action, such as to implement recommendations, remediate issues or implement conditions or restrictions on services.

Proposed recourses include powers to publish details of breaches, to impose limitations or conditions on a CTPs provision of services to firms and FMIs, restricting or prohibiting a CTP from providing future services to a firm or FMI, and prohibiting firms/FMIs from receiving certain CTPs services. The proportionate and targeted exercise of these powers should be used to help mitigate the systemic risks posed by CTPs.

Concentrated risk 

Irrespective of how the consultation and the FSMB develop, firms, FMIs and their critical suppliers should expect increasing scrutiny on the concentrated risks of over reliance on a relatively small number of key providers. This goes beyond the immediate supply relationship, and will cover the sub-sourcing supply chain – in relation to which there is (and has been for some time) increasing concern that a failure of one individual provider could take out controls, functions, and services within a firm/FMI, and also their underlying service providers. 

There are examples of outsourced monitoring services/platforms being hosted in the same third-party environment as the services and functions they are deployed to monitor. This is an example of a key risk that the supervisory authorities are looking to stamp out. 

Next steps

The consultation on the Discussion Paper closes on 23 December 2022, with comments or enquiries to be addressed to DP3_22@bankofengland.co.uk. Please do get in touch if you would like to collaborate on a response. 

Subject to Parliamentary debates on the FSMB, and responses under the consultation, the supervisory authorities will consult on the proposal to regulate CTPs in 2023.

Our concluding thoughts 

The concentration risk has been a prominent concern in the financial services sector for some time, and many regulated entities have failed to adequately address it. The risk of single-points-of-failure is therefore a key driver in the scope of the proposals, and firms/FMIs and potential CTPs should plan-ahead to understand their own risks and those arising through their interconnected supply chains. Given the investment in the use of cloud products/services over recent years, these issues should now feed into long term plans. 

CTPs have been keen to show willingness to engage with regulators and to demonstrate resilience. However, the pressures will intensify, and any arrangements will need to be formally adopted in anticipation of direct regulatory oversight. The proposed measures, and ultimate outcomes, could also have an impact on competition around service providers, which need to be factored into business plans and development roadmaps. 

With these proposals in mind, our key recommendations include:

• For service providers, reviewing their tech stack and the downstream elements of subcontracted services and considering as to whether they could be adjusted to accommodate regulatory requirements and customer pressure to diversify suppliers to dissipate risk.
  
  
• For firms and FMIs, (to the extent not currently undertaken) mapping supply chains and sub-contracting arrangements to get a detailed understanding of areas of concentrated risk and the impact that a failure of key components could have across the board.  

Given a lot of current arrangements (for customers and suppliers) are well embedded and may have taken considerable time to put in place, we advise mapping this out and considering contingencies as a priority.