Just when regulated firms are (hopefully) reaching the end of their preparations for complying with the Financial Conduct Authority's (FCA's) operational resilience requirements, which take full effect from the end of March 2025 (see our previous article for Compliance Monitor here), both they and their service providers face newly finalised rules imposing regulatory supervision on key service providers, and the prospect of greater reporting of incidents and third party arrangements.

In this article, written for Compliance Monitor, Emma Radmore and Sheilah Mackie look at what's now in place and what may yet be to come.

Operational resilience

As a very brief reminder of what firms (broadly, all dual-authorised firms and large solo-authorised firms, payment services providers and investment exchanges) have had to do to prepare for the FCA's operational resilience requirements, they have needed to:

  • Identify their "important business services" and have a system that keeps these under regular review
  • Set impact tolerances for each important business service, clearly articulated and regularly reviewed
  • Identify and map everything they need to deliver each important business service – including where third parties are critical to its delivery
  • Have scenario testing plans that test the firm's ability to respond to a range of severe but plausible scenarios – and include "lessons learned" policies
  • Ensure their mapping and scenario testing identifies vulnerabilities that might breach impact tolerance in severe but plausible scenarios with appropriate remediation planning and action
  • Have appropriate response plans as well as recovery plans in place
  • Record their self-assessments in a way that allows their governing body to understand the firm's position and any concerns about its resilience.

The FCA has stressed that, of course, operational resilience is not a "once and done" exercise, so firms must embed it in their culture and use horizon scanning tools to understand new and emerging risks and the proximity of their impact.

So this is something firms have had some years to prepare for, but for many preparations are now at a critical stage. Third parties will be fundamental to firms' ability to deliver some services they have identified as important, so the operational resilience requirements bring compliance with the existing regulatory requirements around outsourcing into the spotlight – but that's not all.

Critical third parties (CTPs)

A new regime which should both strengthen and complement the existing outsourcing rules is now in place. Let's just remind ourselves how the new CTP regime came about. For many years, financially regulated businesses have been subject to rules putting the onus on them to do all they can to ensure that the third parties to which they outsource key functions meet high standards and operate in a safe and resilient manner as well as agreeing to various contractual protections for the regulated business. But, whatever the rules say and whatever responsibilities for the actions of third parties remain with the regulated firm, one regulated firm alone cannot fully manage the risks of provider failure. The balance of power is not often in favour of the regulated firms. And when that third party provider is providing similar services to many regulated firms, the consequences of its failure could be catastrophic. The solution was for there to be some level of direct oversight of these providers.

So, the ability for the financial regulators to designate and oversee the activities of unregulated businesses that provide services to the regulated sector was introduced in the Financial Services and Markets Act 2023. But such was the appetite to get the regime in place that the Bank of England (BoE), Prudential Regulation Authority (PRA) and FCA first consulted back in summer 2022 on the fundamentals of:

  • The framework for identifying potential CTPs
  • Minimum resilience standards to apply to services the CTPs provide to regulated firms and financial market infrastructures (FMIs)
  • A framework for testing the resilience of material relevant services.

The idea was that these measures would complement, but absolutely not replace, existing regulatory requirements on firms and FMIs to manage their risks from contracts with these third parties.

The proposals led to much discussion, not least about who the providers that would be designated would be likely to be, and how many of them there would be. Unsurprisingly, the most likely candidates were not happy about the new regulatory intrusions on their business even though it might have been expected that, given the level of involvement these candidates already have with regulated firms, their existing processes and systems would be up to scratch.

In late 2023 came the detailed consultation on the designation process and regulatory expectations, and in November 2024 the regulators finalised the package of measures setting out:

  • The approach that HM Treasury will take to designating entities as being critical to the UK financial sector, following advice from the regulators, and the process for discussions with the relevant CTPs and timelines leading up to and following the designation
  • The approach the regulators will take to overseeing designated CTPs
  • The operational resilience requirements the regulators expect CTPs to meet
  • Enforcement powers over CTPs, which will include the right for regulators to commission skilled person reviews.

The designations will require the CTPs to provide assistance, information and notifications to the financial regulators, undertake various stress-testing exercises and report to the regulators major incidents such as cyber attacks and power outages.

The FCA has introduced a new CTP Sourcebook and related enforcement rules, together with information on how it plans to exercise its powers – and there are similar rules now in the PRA Rulebook and for FMIs. The Sourcebook includes rules and guidance which apply in principle to all services CTPs provide, regardless of where they are provided from, but many are cut back to apply only to "systemic services" where a failure or disruption could threaten the stability of or confidence in the UK financial system. The Sourcebook includes:

  • Six Fundamental Rules
  • A set of "requirements" covering eight areas: governance, risk management, dependency and supply chain management, technology and cyber resilience, change management, mapping, incident management and termination of a systemic service
  • A requirement that a CTP can evidence its ability to comply, including scenario testing and undertaking an appropriate incident management playbook exercise
  • A requirement to provide annual self-assessments of compliance to the regulators
  • An obligation on CTPs to share appropriate information with firms to which they provide services
  • Rules on what CTPs must do in the event of an operational incident
  • Rules on what must be notified to the regulators
  • Supporting rules and guidance on various administrative matters, including the use of skilled person reports, record-keeping requirements and a ban on CTPs suggesting that their designation implies any regulatory endorsement or approval of them.

The rules took effect from 1 January 2025, but of course the obligations of any single CTP under them will apply only once the relevant designation order comes into force, and the designation orders will also contain details of a transitional period.

The burning question then is, who will the CTPs be? We don't expect there to be many of them, and it's likely most of them will be from the ICT sector, but they may not all be. Major providers of outsourced claims handling and related services to the insurance industry may also be scrutinised.

As for how the duties placed on CTPs will interact with the existing outsourcing regime for firms, SS6/24 states:

"the CTP duties complement the requirements and expectations for firms on operational resilience, outsourcing and third party risk management. The CTP oversight regime sits alongside these requirements and expectations but does not eliminate, reduce nor replace the accountability of firms, their boards and senior management …".

So, clear in theory, but trying to mesh two regimes and approaches when negotiating outsourcing arrangements with CTPs is very likely to lead to new challenges for regulated firms.

Operational incident and material third party arrangement reporting

And now, the FCA has proposed yet a further level of reporting which necessarily brings with it yet more analysis of commercial arrangements. It has published a consultation paper on proposals to require regulated firms and payment service providers to report operational incidents and their "material third party arrangements".

Operational incident reporting

Currently, firms notify the FCA of operational incidents using Principle 11 notifications. But the FCA rules do not define what an “operational incident” is, when firms should report, what information they should include in a report or how to submit the report.

The FCA now proposes to define an operational incident as a single event or series of linked events that disrupts a firm's operations such that there is disruption to the delivery of a service to a client or external user, or such that there is an impact on the availability, authenticity, integrity or confidentiality of information or data relating to such a person. It also proposes to require firms to submit standardised reports on incidents that breach certain thresholds relating to consumer harm, market integrity and safety and soundness.

Material third-party arrangements

Separately, the FCA plans to introduce rules requiring firms to report material third party arrangements, so that it is made aware of both outsourcing and non-outsourcing arrangements in a better organised way than at present. Currently it receives only limited and inconsistent data on outsourced arrangements, leaving gaps in its knowledge of the potential risks that third parties pose to individual firms and to the financial services sector.

These requirements will apply to the firms that have the biggest consumer and market impact – broadly dual-authorised firms, enhanced scope SMCR firms, payment and e-money firms and CASS large firms, so a similar scope to the operational resilience requirements.

The FCA proposes to implement the new requirements through changes to its SYSC and SUP sourcebooks, as well as further changes to the glossary including a new definition of “third party arrangement”.

The PRA has issued similar proposals with consequential changes to its rules, and the BoE a related paper setting out similar requirements for FMIs.

Consultation closes on 13 March 2025.

How does DORA fit into all this?

So that's where we are on the UK front. But what about DORA (the EU's Digital Operational Resilience Act), which took effect on 17 January 2025? Of course, as an EU measure, it is not binding on non-EU entities with non-EU operations.

DORA has elements of all the UK initiatives above. It applies to regulated financial businesses within scope and has as its focus ICT risks. The EU's driving concern was that when ICT risks are not managed properly, they can lead to disruption to financial services offered cross-border and this can lead to an impact on other companies, sectors and the whole economy.

So, it covers:

  • ICT risk management by setting principles and requirements for a risk management framework
  • Mandatory clauses in contracts with providers and a requirement to monitor those providers
  • Basic and advanced digital operational resilience testing
  • Reporting and management of ICT-related incidents
  • Information sharing on cyber threats
  • An oversight framework for critical ICT third-party providers.

Any business or entity operating in the UK that falls within the scope of DORA, whether as a regulated firm or a service provider, will be a long way down the line to UK compliance, but there are differences. Not least, DORA applies only to ICT risk management, while the UK regime applies in principle to any important business service, whatever its nature. And in some ways DORA is more prescriptive, for instance in setting the mandatory content for relevant contracts, whereas the UK has not set specific wordings. However, the FCA has, where appropriate, aligned its proposed approach on matters such as reporting with the DORA requirements.

What does this mean for unregulated firms?

All of this leads us to a place of greater regulatory creep. Unregulated firms, whether ICT providers or not, that provide services to UK regulated firms should in principle be well used to their customers negotiating on contractual terms addressing service standards, step-in rights, audit rights, reporting and record-keeping and cooperating with regulators – all of which are at least in part driven by the current outsourcing rules.

Some providers already feel they are being regulated through the back door. But the operational resilience requirements on the customer firms place yet more burdens on the regulated firms in terms of how they choose and monitor their suppliers, even if those suppliers are not so large as to potentially cause wider systemic risk. Where they are that large and may become designated CTPs, it's clear from the new rules that the regulators now have the power to set requirements for them and to take enforcement action against them; pretty much the only thing the regulators lack is the right to licence the entities in the first place. So any entity that has felt itself at risk of designation should have been planning for some time and working out what changes it would need to make in order to meet regulatory expectations.

And now, if the proposals that firms tell their regulator about material non-outsourcing arrangements are confirmed, together with the stringent operational resilience requirements, it seems likely that regulated firms (if they don't do so already) will be seeking "outsourcing-friendly" terms in agreements which previously may not have concerned them quite so much. Customers and providers already hotly negotiate certain clauses in agreements, where the customer seeks as much regulatory comfort as possible and the supplier aims to protect itself from unnecessary third party control over its activities. Now, while in many ways it is welcome that the UK has not introduced mandatory clauses as the EU has, the flexibility may lead to ever-livelier and more drawn out negotiations as the contract parties seek to get the balance right.

It's not uncommon for larger firms to seek to incorporate the same, or very similar, terms in non-regulated but material third party arrangements as a matter of policy. But for smaller firms, or those who take a different approach, now is also the time to start thinking about whether you have sufficient resources and experience in your team that handles commercial contracting to enable you to meet these challenges.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.
