Understanding developing regulation around Critical Third Parties
All companies in Financial Services are subject to Financial Conduct Authority (FCA) regulations and Prudential Regulation Authority (PRA) regulations, on assessment of third-party risk.
This sector is increasingly relying on third parties outside the finance sector for key functions or services (e.g., cloud-based computing services) through outsourcing and other arrangements. These arrangements can come with many benefits but can also create risks. The potential for such disruption was highlighted in 2019 when the Treasury Select Committee published a report on Information Technology (IT) failures in the financial services sector. International bodies, including the International Monetary Fund (IMF) and the Financial Stability Board (FSB) have also noted these potential systemic risks.
Since then, firms have become increasingly reliant on cloud and other third-party providers. By the 31st of March 2022, institutions in the financial services sector are expected to have identified and assessed their critical third parties, “in a manner appropriate to: their size and internal organisation; the nature, scope and complexity of their activities; and the criticality or importance of the outsourced functions, in line with the principle of proportionality.”
The Bank of England’s Financial Policy Committee concluded in 2021 that “the increasing reliance on a small number of cloud service providers and other critical third parties could increase HM Treasury has confirmed that it will implement a regime whereby third-party firms designated as critical” will be subject to direct regulatory oversight by the financial regulators (FCA, PRA, Bank of England etc).
The Treasury published a policy statement on 8 June 2022, setting out its framework for mitigating the risks caused by financial services firms outsourcing important functions to third-party service providers. The financial regulators will have a suite of statutory powers, including the power to direct critical third parties from taking or refraining from taking specific actions; and enforcement powers including a power to publicise failings, and (as a last resort) to prohibit a critical third party from providing future services, or continuing to provide services to firms. The financial regulators’ powers in relation to CTPs will be set out in primary legislation.
The government intends to legislate for this regime when parliamentary time allows. The financial regulators’ joint Discussion Paper will be published shortly after such legislation is introduced. The financial regulators anticipate publishing a further Consultation Paper on their proposed rules, building on feedback to their Discussion Paper and based on their proposed, new statutory powers. Following the finalisation of the regulators’ rules, HM Treasury will then expect to begin designating the first critical third parties under this new regime.