HM Treasury (the Treasury) has been concerned for some time that financial services firms and financial market infrastructure (FMI) firms are increasingly reliant upon certain third parties operating outside the financially regulated sector to provide key functions or services to support such firms. These functions or services are often outsourced and although they provide opportunities and benefits, they can also create risks for firms and consumers. Many of these third parties are not directly subject to similar regulation.

In particular, the digital revolution in finance has caused an increasing number of firms to become more reliant on cloud and other third-party providers for their IT and data storage requirements. In 2020, 65% of firms used the same 4 cloud service providers. In 2021, the Bank of England's Financial Policy Committee concluded that “the increasing reliance on a small number of cloud service providers and other critical third parties could increase financial stability risks without greater direct regulatory oversight of the resilience of the services they provide”.

The Treasury has been working with the Bank of England, Prudential Regulation Authority, Financial Conduct Authority (the financial regulators) and other stakeholders to develop a regime that protects firms against the failure of key service providers, including cloud service providers. In June, the Treasury published a policy statement detailing its proposal for reducing the risks of systemic disruption to the financial regulators’ objectives, including financial stability and market confidence, and this was followed by a discussion paper put out in July by the financial regulators.

In this article, Emma Radmore, Paul Armstrong and Harshil Patel of Womble Bond Dickinson look at the proposals for change.

Designating a "critical third party"

The proposals focus on the "designation" of critical third parties. The policy statement acknowledges that the financial regulators have been placing increasingly demanding requirements on regulated firms to develop and implement an operational resilience framework which includes strong systems and controls to assess, document and monitor outsourcing arrangements. It has become increasingly clear that operational resilience is no less important than financial resilience in the eyes of the financial regulators. But what these rules cannot address is the systemic risk outlined above, of the failure of one entity that provides services to multiple firms. The new proposals will plug this gap.

Although the policy statement predated publication of the Financial Services and Markets Bill (the Bill), the designation framework was introduced as one of the many measures in the Bill, which underwent its first reading just before the summer Parliamentary recess. It proposes that the Treasury may designate an entity as a "critical third party" if in the Treasury's opinion, a failure in, or disruption to, the provision of its services (either individually or where there is more than one service, taken together) could threaten the stability of, or confidence in, the UK financial system.

The Treasury, in consultation with other financial regulators and other bodies, will be able to designate certain third parties as being "critical" to firms. Equally, the financial regulators may after analysing the data and information from firms, be able to recommend to the Treasury, the designation of certain third parties as critical. The Treasury will also need to consider any representations by the potential critical third party who would be subject to the designation and the firms who utilise them. Only a very small percentage of providers are likely to be designated, but could come from any market sector if they meet the required tests – ICT framework providers appear the obvious targets, but the Discussion Paper notes that providers of, for instance, insurance claims management services or cash distribution could also be capable of meeting the designation criteria, as could those that provide AI or machine learning models.

In considering whether to designate an entity as a critical third party, the Treasury must have regard to:

  • The materiality of the services provided to the firms' delivery of essential activities, services or operations (wherever carried out) that are essential to the UK's economy or financial stability (the "materiality" assessment)
  • The number and type of authorised persons, relevant service providers or financial market institutions to which the entity provides services (the "concentration" assessment).

The Discussion Paper relates the materiality assessment to existing guidance on economic functions in the context of resolution planning, "critical functions" as defined in the Banking Act and "important business services" as already defined in operational resilience requirements for regulated firms and FMIs. It also suggests, giving examples, how the Treasury should take into account concentration, and interconnectedness, aggregation risks, substitutability and survivability. It looks at how the governance of the decision-making process could work, and suggests when exemptions might be appropriate. If, after considering the information from the above sources, the Treasury considers it appropriate to do so, it will designate the third party as being critical through secondary legislation.

What does it mean to be a critical third party?

The financial regulators will be able to exercise a range of powers in respect of any material services that a critical third party provides to the financially regulated sector. The financial regulators will be able to make rules relating to the provision of the material services and set resilience standards for the third party to comply with that are binding directly on the critical third party. The financial regulators will have powers, which will be set out in primary legislation to:

  • Request information directly from critical third parties on the resilience of their material services to firms, or their compliance with applicable requirements
  • Commission an independent skilled person to report on certain aspects of a critical third party’s services
  • Appoint an investigator to look into potential breaches of requirements under the legislation
  • Direct critical third parties to take or not take specific action
  • Interview a representative of a critical third party and require the production of documents
  • Enter a critical third party’s premises under warrant as part of an investigation
  • Utilise enforcement powers to publicise failings
  • As a last resort, prohibit a critical third party from providing future services, or continuing to provide services to firms.

The financial regulators will be obliged to coordinate with each other during their exercise of these powers. 

The Joint Discussion Paper

As soon as the Bill had been published, the financial regulators published the joint Discussion Paper, setting out in detail how any powers granted to them by legislation might be exercised, and seeking views from the industry. The paper stresses that the new measures will complement, but will absolutely not replace, the existing requirements on regulated firms and financial market infrastructure providers to manage their risks from contracts with these third parties. The proposal is not that the financial regulators fully oversee, regulate or supervise critical third parties, or the services they provide to other parts of the economy, but that they take a proportionate approach to their role, always bearing in mind the regulatory objectives of the respective regulators.

One of the proposals includes using the powers the Bill would provide to set out minimum resilience standards that critical third parties must abide by in respect of the material services they provide to firms. The primary purpose of these resilience standards would be to mitigate the systemic risks to the financial regulators' objectives that could result from the failure of the critical third party or a disruption to the services it provides to firms. It is proposed that critical third parties could demonstrate that they meet the potential minimum resilience standards through:

  • The provision of attestations and other relevant information to the financial regulators, e.g. the results of self-assessments
  • Participation in resilience tests and sector-wide exercises.

The standards would be based on how the third party has addressed:

  • Identification of services and mapping of requirements for delivery
  • Risk management by identifying risks across its supply chain and putting in place appropriate controls
  • Resilience testing
  • Engagement with regulatory authorities
  • Developing a "financial sector continuity playbook" which it regularly updates and submits to the authorities
  • A post-incident communication plan
  • Learning and sharing lessons from disruption it or the sector suffers.

The tests could include scenario and cyber-resilience testing. Some of these tests and exercises could be carried out in collaboration with overseas financial supervisory authorities, or UK authorities outside the financial services sector. Members of UK Finance are particularly keen to ensure that there is international alignment with international regulatory requirements, such as the EU's Digital Operational Resilience Act (DORA).

Advantages of the new framework

The financial regulators have identified three advantages stemming from the critical third party regime proposals

  1. Consistency with existing operational resilience framework: Critical third parties are already required to support firms by their own scenario testing of their business continuity and exit plans for material outsourcing and third party requirements placed on firms. The critical third party regime has been developed to build upon that existing operational resilience framework.
  1. Focus on services: The critical third party regime has been designed to focus on the material services provided, rather than the location of the provider or the jurisdiction in which the critical third party is based. This is aimed at reducing the potential compliance costs for firms and critical third parties, compared to an approach that included a requirement for critical third parties to localise entities, infrastructure, personnel or services in the UK.
  1. Improved market discipline: By requiring critical third parties to meet minimum resilience standards and test their compliance with those standards on a regular basis, firms' ability to oversee and seek assurance from critical third parties becomes easier, and this should result in an overall enhancement of market standards.

Next steps

The Financial Services and Markets Bill is scheduled for its second reading on 7 September 2022. The Discussion Paper will remain open for responses until 23 December 2022.

Following Royal Assent, the financial regulators anticipate publishing a further Consultation Paper on their proposed rules, building on feedback to their Discussion Paper and based on their proposed new statutory powers. However, it is already clear that the financial regulators have put significant thought and work into how they will both recommend and supervise critical third parties. There is enough in the papers already published for entities that provide significant services to the financial sector to assess whether they are likely to be considered for designation under this regime, and carry out a gap analysis of their existing systems and controls to assess the likely impact of being designated.

In parallel, firms who use services of this nature (likely to be all, in one shape or form) may also find the existence of the proposed requirements helpful in the meantime when seeking operational resilience related commitments in contracts with large service providers. Having said that, it's also not hard to envisage that (over time) the new regime may lead to some narrowing of the range of contractual protections firms might be able to seek if, as we expect, critical third parties start to adopt standardised positions in response and insist on those also being used to underpin firms' own operational resilience requirements.

This article was written for Compliance Monitor (Compliance Monitor).

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.