Continuing our series of posts on the commitments made by the FCA in its Business Plan for 2024/5 (the Business Plan) we turn our focus to the impact of operational disruptions. Operational disruptions are a risk to the stability of and confidence in the UK’s financial system and could arise from failures or disruptions to the services provided to the financial system by ‘critical’ third party providers (CTPs).

Many financial services firms are reliant on third party service providers for operational elements of their business offering. While this has many benefits it also carries risks associated with potential for systemic disruptions to the stability of the financial services sector. 

To mitigate these risks, recent amendments to FSMA introduced a statutory framework supported with new powers whereby HM Treasury can designate certain third-party providers as ‘critical’. This legislation enables direct oversight of CTPs and empowers the financial regulators (the FCA, PRA and Bank of England, collectively the Regulators), to make supervisory rules relating to and to take enforcement action against CTPs with a view to increasing resilience in the services provided and thereby mitigate the risk of systemic disruption to the financial services sector. 

The Regulators have engaged with industry stakeholders,  first launching a discussion paper and then in December 2023 publishing a consultation paper setting out the proposed rules for managing the risks posed to the stability of the financial system by the industry’s reliance on CTP’s. This consultation period closed last month.  We anticipate a response and the results from this consultation paper to be published later this year. The FCA confirmed in the Business Plan that they also intend to publish a consultation paper clarifying their expectations on how firms are to report operational incidents. As this is a clear area of focus for the Regulators, and in preparation for any further publications this year, below we set out what you need to know about CTPs and what the current proposals are.

What are CTPs? 

CTPs are third parties that provide ‘critical’ services to the financial sector and will be designated as such by HM Treasury. ‘Critical’ services will be those provided to regulated individuals, firms or financial market infrastructure firms (FMIs), which if disrupted or subject to some sort of failure, could threaten the stability of, or confidence in, the financial system. Significantly, the status as a CTP is not intended to denote any superior levels of resilience, safety or suitability. As such, it is clear that a designation of ‘critical’ goes to a third party’s ability to impact the financial sector in the event of a failure or disruption to the service that it provides and not to its quality.

Currently, no third parties have been designated as a CTP. However, cloud service providers are an obvious contender for designation given the vital services that they provide to the sector, and they have been closely scrutinised by the regulators for a number of years. They provide material services to many firms and in the event of a disruption to these services there could be a ‘single-point-of-failure’ that could impact multiple firms and, in turn, financial stability. 

Recognising that CTPs can provide services from anywhere around the world, the proposed regime is jurisdiction agnostic. There will be no requirement for a CTP to be based in, or to have a ‘head office’ in, the UK. There will be a requirement, however, for a CTP with no UK head office, to appoint a legal person (this could be a law firm or other suitable representative) with authority to receive documents and notices from the Regulators. This is an area where the Regulators are working closely with other regulators around the world and we are likely to see high levels of international coordination and cooperation as other jurisdictions develop similar regimes, and as globally significant financial supervisors (like the Basel Committee on Banking Supervision, Financial Stability Board and the International Organisation of Securities Commissions), continue to develop relevant and consistent globally recognised standards. 

 It is anticipated that there will only be a small number of designated CTPs. Certainly, not all third parties that provide services to financial services firms and FMIs will be considered as systemically important. When assessing whether a service provider should be designated as a CTP, HM Treasury will consider the risk posed to the UK’s financial stability by a failure or disruption in the provision of that third party’s services. That will involve HM Treasury having regard to both the materiality and the concentration of those services. That is, the materiality of the service being provided to the firms utilising the service, and then the concentration of firms that are using that particular service provider. There may be other factors that HM Treasury consider apply to certain contexts or in relation to specific material services which they determine are relevant to service resilience or systemic risk.

Why is the CTP regime needed? 

The Business Plan makes it clear that the risk from operational disruptions includes consumers being prevented from being able to access essential financial services, disruption to the markets and a general threat to confidence in the financial services sector. Firms face a high, and growing, level of cyber threats and operational resilience risks, against an increasingly complex geopolitical backdrop and the Regulators observe increasing levels of systemic risk building up in the financial system due to increasing dependency on critical third parties.

The Business Plan states that the FCA will (1) continue to deal with firms that cannot meet its standards on operational resilience, and from 31 March 2025 will require all relevant firms to maintain their important business services without intolerable harm to consumers and markets, (2) publish a consultation paper clarifying its expectations on how firms should report operational incidents, with the intention of ensuring that both it and firms are responding effectively to minimise harm to consumers and markets, and (3) implement new rules to address the systemic risk that critical third parties present to the financial sector.

Looking again at cloud providers, in a study conducted by the Bank of England in 2020, it was found that over 65% of UK firms used the same four cloud providers. If one of these providers were to fail or have a significant event this could have a systemic effect across the entire financial sector. It would not be possible for any single firm to contain or control the magnitude of disruption that could occur from such an operational incident. It has therefore become essential for regulatory oversight to ensure that there is a suitable infrastructure for CTPs, within which the risks that they pose to financial stability can be managed effectively and in a way that is aligned to the statutory objectives of the Regulators. 

What is proposed?

The CTP regime is intended to be focused on the services provided by the CTPs and not the CTPs themselves. As such, it will be quite different to how financial services firms are regulated. It is also intended to develop the understanding that CTPs have of their role in supporting the financial services industry, how they are interconnected in the sector by their customer relationships, and how their behaviours and actions can impact the financial system. 

It is proposed that there will be a number of ‘Fundamental Rules’ which include high-level obligations applicable to all services that a CTP provides to financial services firms, supplemented with ‘Operational Risk and Resilience Requirements’ which are more granular and apply to the material service(s) provided by the CTP.

Fundamental Rules

The proposal contains six Fundamental Rules that designated CTPs would have to follow. This will bring them firmly within scope of financial services regulation where they previously were not and subject to regulatory oversight in respect of all the services that they provide, not only the ones that are deemed material, to financial services firms and FMIs. The proposed Fundamental Rules are high level rules targeted at the regulatory objective of managing the risks to the stability of and confidence in the UK financial system that are posed by CTPs, and they are as follows: 

  • A CTP must conduct its business with integrity.
  • A CTP must conduct its business with due skill, care and diligence. 
  • A CTP must act in a prudent manner. 
  • A CTP must have effective risk strategies and risk management systems. 
  • A CTP must organise and control its affairs responsibly and effectively. 
  • A CTP must deal with the regulators in an open and co-operative way, and disclose to the regulators appropriately anything relating to the CTP of which they would reasonably expect notice. 

It is no surprise that Fundamental Rules these draw heavily on the existing FCA Principles for Businesses (the principles that apply to FCA authorised financial services firms).

Operational Risk and Resilience Requirements

There are also proposed Operational Risk and Resilience Requirements with which CTPs would have to comply in respect of the material services that they provide to financial services firms and FMIs. 

These proposed standards are, in summary, as follows:

  • A CTP must ensure that its governance promotes the resilience of its material services by: 
    • appointing a person with appropriate authority, knowledge, skills and experience to act as a point of contact with the Regulators;
    • establishing clear roles and responsibilities for the delivery of the material services; and
    • establishing, overseeing and implementing an approach to disruption prevention, response and recovery.
  • A CTP must manage risks to its ability to deliver the material services by:
    • identifying and monitoring relevant risks;
    • ensuring effective risk management processes; and
    • regularly updating risk management processes to reflect lessons learned and emerging risks.
  • A CTP must effectively manage risks associated with dependency within its supply chain that could affect its ability to deliver material services, by ensuring that each party in the supply chain:
    • understands the regulatory burden placed upon the CTP;
    • acts to enable the CTP meeting its regulatory requirements; and
    • provides the Regulators with access to relevant information to enable them to exercise their regulatory oversight functions.
  • A CTP must ensure the resilience of any technology that underpins the delivery of the material services by:
    • implementing technology, cyber risk management and operational resilience measures; 
    • ensuring regular testing of these measures;
    • ensuring effective communication to assist risk management and decision making; and
    • reflecting lessons learned.
  • A CTP must ensure it has a systematic approach to managing changes to a material service by:
    • ensuring the resilience of any change to a material service;
    • implementing any change in a way that minimises the risk of undue disruption; and
    • risk assessing, testing, verifying and approving changes to material services before implementing them. 
  •  A CTP must implement mapping to enable it to identify vulnerabilities to the supply of material services by:
    • identifying resources that are needed to deliver, support and maintain the material services; and
    • identifying interconnections and interdependencies between essential resources.
  • A CTP must implement crisis management planning for incidents that affect or may reasonably be expected to affect the delivery of material services by:
    • implementing incident response measures;
    • setting tolerance levels for disruptions to material services; and
    • engaging with coordinated regulatory response initiatives. 
  • A CTP must implement measures to respond to a termination of any material services including:
    • putting in place arrangements to support orderly termination; and
    • providing for the return of any relevant assets.

Information Gathering and Testing Requirements

Also proposed are a number of Information Gathering and Testing Requirements. These include:

  • thorough and transparent self-assessments designed to identify vulnerabilities and areas for improvement or remediation;
  • scenario testing to assess ability to continue providing a material service in the event of severe but plausible disruption and risk assess different adverse circumstances; and
  • testing of financial sector incident management ‘playbooks’ (these are records of measures to address potential systemic risks to material services that could arise from a CTP failure or disruption).

It is proposed that records relating to information gathering and testing are retained by the CTP and are available for inspection by the Regulators. It is also proposed that the Regulators may appoint, or require a CTP to appoint, skilled persons to provide reports to the Regulators.

For regulated firms and FMIs the CTP regime is intended to enhance and improve their existing obligations relative to operational resilience, outsourcing and the management of other third-party risks. For CTPs this represents an entirely new regime and there will be initial one-off and an ongoing costs burdens resulting from implementation of the new regime. These cost burdens are likely to be outweighed by the enhanced operational resilience of the UK’s financial services sector, benefits to its consumers as a result of that enhanced resilience, and benefits to the UK economy as a whole.

What next? 

The Regulators are proactively working on developing and finalising the rules and regulations that have been proposed. The Regulators will be publishing the results of their consultations and the final rules will then follow. It is likely we will then soon see the first designation of a CTP and the regime will start to play a key role in maintaining an agile, innovative and resilient financial services sector.  

Earlier in this blog series we wrote about the FCA’s Business Plan in general terms and about the continued focus of the FCA on Appointed Representatives. You can read those blogs here and here. You can subscribe to our regular financial services regulation update here.

Blog written with assistance from our latest team Burges Salmon trainee solicitor, Beth Jewell.