
Operational Resilience: Proposed Regulation on Critical Third Parties

22 March 2024


Introduction

A Critical Third Party (CTP) is a firm whose services materially support the delivery of essential activities by regulated firms. A recent joint consultation paper, CP26/23, by the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA) and the Bank of England (BoE) set out proposed requirements and expectations for CTPs designated by HM Treasury (HMT), aimed at managing risks to the UK financial system. This article explores what this means for banks and insurers and what to look out for.

Legislative Changes

The Financial Services and Markets Act 2023 granted HMT and the regulators powers regarding CTPs, including rulemaking, powers of direction, information-gathering and disciplinary powers. CTPs are likely to be large firms with global operations, so the policies proposed in the CP draw on relevant standards and legislation from international bodies and major markets, such as the FSB, BCBS, CPMI-IOSCO, DORA and the US Bank Service Company Act.

Implementation

Under the proposed policies, CTPs would be subject to statutory obligations. The proposed requirements include an annual submission of information and regular testing. To allow adequate preparation time, a CTP must submit its first self-assessment within three months of designation and complete its initial submissions and testing within twelve months thereafter.

The regulators propose six fundamental rules that CTPs must comply with in respect of all services they provide to firms. The rules cover integrity, diligence, prudence, effective risk management, responsible organisation of affairs, and cooperative engagement with regulators. The key theme is to ensure that CTPs are fit for purpose, which in an age of cyber security is fundamental.

Proposed CTP operational risk and resilience requirements

The regulators propose eight requirements for CTPs: governance, risk management, dependency and supply chain risk management, technology and cyber resilience, change management, mapping, incident management, and termination of services. CTPs must establish governance structures, manage risks effectively, identify and manage supply chain risks, ensure technology resilience, manage changes systematically, map their resources and dependencies, handle incidents appropriately, and plan for the termination of services. Compliance involves documentation, risk assessments, testing, incident response plans, and engagement with industry frameworks.

The regulators propose rigorous testing for CTPs serving the financial sector to ensure operational resilience. CTPs must conduct regular scenario testing that simulates severe disruptions, and must test their financial sector incident management playbooks annually. Reports on test findings and proposed revisions are to be shared with the regulators and with stakeholders.

Responses and next steps

The consultation period ended on 15 March 2024, and stakeholders are awaiting the results confirming the new policies. The regulators plan to consult in 2024 on a new policy for outsourcing and third-party data collection. They expect to rely mainly on data from firms and FMIs to identify potential CTPs, supplemented by other sources including regulatory returns, CBEST and FPC Cyber Stress Tests, skilled person reviews, and information from international regulators. The regulators believe the proposed measures will help maintain the UK's attractiveness as a place to conduct financial business.

Summary

The joint consultation paper by the PRA, FCA and Bank of England proposes regulations for CTPs to manage risks to the UK financial system. These regulations align with the statutory objectives of promoting safety, stability, integrity, consumer protection and innovation. The proposed framework aims to enhance resilience, address systemic risks arising from third-party dependencies, and foster competitiveness. The regulators anticipate net benefits while ensuring consistency with domestic and international regulatory standards and maintaining the UK's appeal as a financial hub.

Insurance companies and 4most clients would be well placed to evaluate internally which of the third parties currently supporting their operations could be designated as CTPs, and to consider their resilience and the likelihood that they will be compliant with future legislation. In an age where cyber security is paramount, insurers must ensure that they rely on the most resilient firms to handle their data architecture and other operational tasks. This proposed legislation will help ensure that UK firms are protected from potential adverse events.

References: CP26/23 – Operational resilience: Critical third parties to the UK financial sector, Bank of England.
