Financial services firms are increasingly reliant upon third-party companies to provide important services, ranging from cloud services and data analytics to machine learning and cash distribution. As these third parties become more ‘critical’ to the operations of firms across the financial sector, the UK’s financial regulators have become concerned about the risk to financial stability and resilience. In July, the Financial Services and Markets Bill (the “Bill”) was put before Parliament. The Bill sets out a framework for managing systemic risks posed by ‘critical third parties’ (CTPs). At the same time, the FCA and PRA issued a joint Discussion Paper detailing how the regulators intend to use the statutory powers. The paper makes clear that the regulatory remit will be limited to CTPs’ provision of material services to the financial sector. This development reflects the regulators’ increasing focus on operational resilience and the risks posed, particularly through cyber-attacks, to the sector in an increasingly inter-connected and technological world.
The proposed regulatory framework
By mid-2019, a quarter of major banks’ activities and almost a third of all UK payments activity were hosted on the Cloud.[1] The Bank of England’s Q4 bulletin on the impact of Covid on machine learning and data science concluded that large banks had increased their use of outsourcing as a result of the pandemic.[2] There is little sign of this trend slowing down.
With the outsourcing of functions and processes comes the transfer of risk, which is concentrated amongst a handful of third-party firms. The Treasury Select Committee’s 2019 report on IT failures in the financial sector stated: “If one of the large third-party providers were to fail, it could potentially affect not just consumer access, but the stability of the financial system itself.”[3]
Financial services firms are currently required to ensure their contractual arrangements with third parties allow them to comply with the operational resilience framework currently in place. This covers areas such as data security, business continuity and exit planning. However, “no single firm can manage risks originating from a concentration in the provision of critical services by one third party to multiple firms.”[4] This practical reality, coupled with potential information and power asymmetries between certain third parties and firms, led HM Treasury to set out a proposed regulatory framework for the management of this risk. Sections of the Bill[5] will allow for the designation of third-party providers as CTPs, the setting of minimum resilience standards and enforcement action where those standards are not met.
Designations
HM Treasury will be able to designate certain third parties as ‘critical’, in order to bring them under the regulatory umbrella. The Discussion Paper states: “the designation of a CTP by HMT would recognise the potential systemic impact that a disruption to its services could pose to the supervisory authorities’ objectives, including financial stability, market integrity, or consumer protection.”[6] The designation is to be made in consultation with the regulators and with representations from the proposed CTP. The designation will take into consideration the materiality of the services provided by the third party, and the number, type and size of authorised firms to which the third party provides services, as well as the potential impact of the failure or disruption of the third party’s services.[7]
Minimum standards
The proposed Bill enables regulators to make rules for CTPs, setting out the minimum resilience standards and associated requirements. The current regulatory framework already relies upon a set of global standards for CTPs in the shape of Annex F of the CPMI-IOSCO Principles for firms. These cover risk identification and management, information security, reliability and resilience, technology planning, and communication with users. The expectations in Annex F are actively used in the supervision of critical service providers to firms, both in the UK and globally.
The PRA and FCA have stated that the minimum resilience standards will be “similar to those in Annex F, but applicable and tailored to CTPs to the financial sector as a whole.”[8]
It is expected that CTPs will have to demonstrate compliance with the new standards through resilience tests and exercises, and attestations to regulators. It is possible there will also be a ratings system to assess compliance with the minimum standards.[9]
Resilience testing
The Discussion Paper states: “The supervisory authorities consider that a one-size-fits-all approach to CTP resilience testing may not be effective, proportionate, or resource efficient.”[10] Instead, a range of tests is proposed, with the most suitable being applied to each CTP in turn.
The regulators may require scenario testing to understand a CTP’s ability to continue providing services in the event of its failure or severe disruption. The regulators would be particularly interested in a CTP’s ability to prevent operational disruption from creating or amplifying systemic risks, whether the disruption originated within the CTP or outside it. The scenarios could be based on threat intelligence and on previous disruptions and near misses. Where possible, the test will include simulations or live systems testing, unless this would create an undue risk of disruption to the CTP’s services.[11]
Also proposed are sector-wide exercises involving multiple firms and CTPs, based upon the sector-wide exercises currently employed in the financial sector, such as cyber stress tests and exercises carried out by the Cross-Market Business Continuity Group and industry groups. There is also the potential of carrying out these exercises internationally, in collaboration with foreign regulators.
Obligations and enforcement
The proposed Bill gives regulators significant powers over designated CTPs. CTPs will be required to disclose to regulators any information of which they would reasonably expect notice, including incidents and threats to stability. The regulators will be able to make directions to CTPs to do, or refrain from doing, an activity, and will have powers to request information and documents from CTPs. If a CTP finds itself in breach of the requirements, the name of that CTP may be published.
Currently, there is no provision for the imposition of financial penalties on CTPs. The Explanatory Notes for the Bill explain that the “ultimate sanction” is to prevent a CTP from “providing new or current services to the financial services sector or set conditions on the provision of those services.”[12]
Next steps
Responses to the Discussion Paper are due by December, and the regulators have said that they expect to consult stakeholders on the specific resilience rules for CTPs after the Bill has received Royal Assent.[13] Although the earliest that the new regime could come into force is late 2023, CTPs should not delay in gearing up to understand the impact of being brought within the regulatory remit.
David Rundle is counsel in WilmerHale’s UK White Collar Defence and Investigations group. David’s practice focuses on defending FCA enforcement investigations against firms and Senior Managers.
This article was originally published on September 29, 2022 by Thomson Reuters Regulatory Intelligence.
[1] Mark Carney, speech at the Lord Mayor’s Banquet for Bankers and Merchants of the City of London, Mansion House, London, 20 June 2019, https://www.bankofengland.co.uk/-/media/boe/files/speech/2019/enable-empower-ensure-a-new-finance-for-the-new-economy-speech-by-mark-carney.pdf?la=en&hash=DC151B5E6286F304F0109ABB19B4D1C31DC39CD5
[2] Bank of England, Quarterly Bulletin 2020 – Q4, The impact of Covid on machine learning and data science in UK banking, 18 December 2020, https://www.bankofengland.co.uk/quarterly-bulletin/2020/2020-q4/the-impact-of-covid-on-machine-learning-and-data-science-in-uk-banking
[3] House of Commons, Treasury Committee, IT failures in the Financial Services Sector, 28 October 2019, at p. 3, https://publications.parliament.uk/pa/cm201919/cmselect/cmtreasy/224/224.pdf
[4] HM Treasury, Critical third parties to the finance sector: policy statement, 8 June 2022, at para. 1.10, https://www.gov.uk/government/publications/critical-third-parties-to-the-finance-sector-policy-statement/critical-third-parties-to-the-finance-sector-policy-statement
[5] See Financial Services and Markets Bill, Bill 146, 58/3, https://publications.parliament.uk/pa/bills/cbill/58-03/0146/220146.pdf
[6] PRA / FCA Discussion Paper 3/22 – Operational resilience: Critical third parties to the UK financial sector, 21 July 2022, at para. 3.5, https://www.bankofengland.co.uk/prudential-regulation/publication/2022/july/operational-resilience-critical-third-parties-uk-financial-sector
[7] See id. at para. 4.
[8] Id. at para. 5.4.
[9] See id. at para. 5.6.
[10] Id. at para. 6.2.
[11] See id. at para. 6.
[12] Financial Services and Markets Bill, Explanatory Notes, Bill 146-EN, 58/3, at para. 180, https://publications.parliament.uk/pa/bills/cbill/58-03/0146/en/220146en.pdf
[13] See PRA / FCA Discussion Paper 3/22, at para. 1.4.