On 21 July 2022 the Bank of England (BoE), the PRA and the FCA (collectively, the regulators) published Discussion Paper 22/3 – Operational resilience: Critical third parties to the UK financial sector (DP22/3). DP22/3 sets out how the financial services regulators could use new powers proposed under the Financial Services and Markets Bill (FSM Bill) to assess and strengthen the resilience of material services provided by critical third parties (CTPs) to the UK financial services sector. Publication of DP22/3 marks an early step on the road to the introduction of a new designation regime for third party providers in respect of the material services they provide to the UK financial services sector.
It follows HM Treasury’s policy statement for mitigating risk from critical third parties to the financial services sector on 8 June 2022 (HMT Policy Paper) and is hot on the heels of the FSM Bill itself which was introduced to Parliament on 20 July 2022 and seeks to implement the outcome of the Government’s Future Regulatory Framework Review (FRF). Among other proposals, the FSM Bill includes a statutory framework for HMT to designate providers to the financial services sector as CTPs which will be subject to oversight in respect of the material services they provide to the sector by the regulators. (For more on the FSM Bill and the FRF, please see our blog post here.)
This blog post covers:
- The current gaps: direct supervision and managing concentrated risk
- Identifying CTPs: which service providers may be in scope?
- The regulators’ powers to oversee CTPs
- The timescale for implementation
- Some practical considerations
- Next steps
The current gaps: direct supervision and managing concentrated risk
The UK financial services sector is a complex, interconnected system in which firms and financial market infrastructure firms (FMIs) have become increasingly reliant on third parties to support their key functions and services. As the regulators acknowledge, such arrangements have facilitated digital transformation, catalysed innovation and provided greater scalability and resilience than if firms and FMIs had relied solely on their own technology infrastructure. However, where many firms rely on a small number of third parties[i] for material services, the failure or disruption of these CTPs could have a systemic impact across the financial sector, threatening the stability of the UK financial system or general confidence in the market (as well as indirectly other sectors and markets).
The inclusion of provisions in the FSM Bill to create a new CTP regime is in response to a range of policy recommendations, including those made by the Treasury Select Committee, the BoE’s Financial Policy Committee and the Kalifa Review of the UK FinTech sector.
The regulators’ current powers have enabled them to develop and implement an operational resilience framework, including to manage third party risk, for regulated financial services firms and FMIs. Under the existing framework, firms are required to ensure their contractual arrangements with third parties allow them to comply with their regulatory obligations; similar requirements are expected to apply to FMIs in due course[ii]. The HMT Policy Paper acknowledges these existing powers alone are not sufficient to address the risk which disruption at a third party simultaneously providing key services to multiple firms could cause to the UK financial services sector. (For more on operational resilience, please visit our Operational Resilience hub here)
Importantly, in line with the provisions in the FSM Bill, the regulators would not fully oversee, regulate or supervise CTP entities, or the services they provide to other sectors of the economy. Taking a services-led approach, the regulators will focus on the material services that CTPs provide to UK firms and FMIs.
Identifying CTPs: which service providers may be in scope?
DP22/3 cites cloud providers and other providers of ICT services (eg data analytics) as possible examples of CTPs; some non-ICT services such as claims management services to insurers or cash distribution may also meet the proposed statutory designation criteria. New potential CTPs may be identified going forward, such as third parties providing data, software or artificial intelligence (AI) or machine learning models given the increasing use of these in trading systems. However, the regulators expect only a small fraction of third party service providers to the financial services sector to be designated as CTPs.
Under the FSM Bill, HMT may designate certain third parties as CTPs only “if in its opinion a failure in, or disruption to, the provision of those services (either individually or, where more than one services is provided, taken together) could threaten the stability of, or confidence in, the UK financial system”. The designation is to be made in consultation with the regulators and other relevant persons as HMT considers appropriate. Two high level criteria are proposed:
- the materiality of the services provided, by any person, which aid the delivery of essential activities, services or operations (materiality); and
- the number and type of authorised persons, relevant service providers or FMIs to which the person provides services (concentration).
HMT must provide notice to potential designees and allow reasonable time for representations to be made.
The regulators may also proactively recommend the designation of certain third parties to HMT.
The regulators’ approach
DP22/3 divides the regulators’ proposed approach to carrying out their capacities into three main components:
- a framework to identify potential CTPs who would then be recommended to HMT for formal designation;
- minimum resilience standards for services provided by CTPs to firms and FMIs to improve response and recovery where disruptions occur; and
- a framework for resilience testing, including scenario testing, cyber resilience testing and sector-wide exercises and skilled persons reviews of CTPs.
We focus on the designation criteria in this post as it is the gateway to the regime.
Materiality: In assessing the materiality of services that a third party provides to firms and FMIs, the regulators refer to their existing criteria for assessing the criticality or importance of firm and FMI functions and services: the economic functions listed in PRA Supervisory Statement 19/13 Resolution planning (SS19/13); ‘critical functions’ as defined in s.3(1) and (2) of the Banking Act 2009; or certain ‘important business services’ as defined in operational resilience framework for firms and FMIs.
Concentration: When assessing concentration, the regulators may need to consider not just the number, but type and significance of the firms and FMIs that rely on a given third party for material services. DP22/3 explains that failure of a third party, or disruption to its services, could have a systemic impact on the financial services regulators’ objectives if it affected either:
- one or more significant firms or FMIs; or
- a large number of firms or FMIs even if each one is not significant – whether a specific type of firm or spread across the financial services sector.
An effective assessment would also need to capture both: direct dependencies arising from contractual arrangements between firms and FMIs and third parties; as well as: indirect dependencies which could arise, for example, through supply chains and other forms of interconnectedness (eg where multiple firms or FMIs have (potentially unknown to them) an indirect dependency on a cloud service provider providing cloud infrastructure services to each of their separate software providers).
Potential impact: Consideration will also be given to the potential impact of the failure or disruption of a third party’s services on the regulators’ statutory objectives which address the stability of the UK financial system, continuity of key economic functions, the safety and soundness of firms, market integrity and consumer protection. They acknowledge this is likely to require an element of judgement, considering factors such as:
- aggregation risk – the full range of services the third party provides to firms and FMIs;
- the substitutability of the services provided – while lack of substitutability has been identified as a potential cause of systemic risk, the regulators do not require firms and FMIs to adopt multi-vendor strategies under the operational risk framework;
- survivability – ways to ensure the continuity or prompt recovery of services when disruption occurs; and
- other relevant considerations eg whether the third party (and other entities in its supply chain) have privileged access to firms’ and FMIs’ critical systems.
The regulators acknowledge that their understanding of impact is likely to be heavily based on firms’ and FMIs’ own assessments, for example, the results of business continuity and exit planning for material outsourcing and third party arrangements and of the assessment of ‘severe but plausible’ scenarios under the operational resilience framework.
Exemptions from designation: Where firms / FMIs (and entities in their groups) are already subject to oversight by the regulators, they would not be recommended for designation, provided that the oversight arrangements give the regulators the ability to impose equivalent requirements on the resilience of any services they provide to other firms and FMIs.
Regulators’ powers to oversee CTPs
The regulators will have an extensive range of new powers with regard to CTPs in their provision of services to firms and FMIs, including:
- rulemaking, for example, setting minimum resilience standards and requiring CTPs to proactively and promptly disclose to the regulators any information of which they would reasonably expect notice, including but not limited to, incidents or threats which could have a systemic impact on the regulators’ statutory objectives;
- the ability to make directions to specific CTPs to do, or refrain from doing, an activity;
- information gathering and conducting investigations, including the power to appoint experts or ‘skilled persons’ to conduct investigations on behalf of the regulator(s);
- censuring or publishing a statement to the effect that a CTP has contravened a requirement; and
- the ability to impose a prohibition, condition or limitation on a CTP where the regulator(s) considers that the CTP is in breach of a requirement.
The FSM Bill does not provide for the imposition of financial penalties on CTPs. This is because the policy underlying the designation regime is the protection of the financial system from systemic impacts arising through dependency of the financial system on the services being provided by CTPs rather than the regulation of the CTPs themselves. As the Explanatory Notes to the FSM Bill set out, the ‘ultimate sanction’ will be to preventing a CTP from providing new or current services to the financial services sector, or imposing conditions on provision of those services; the regulators must not use this power in a way which would harm the UK’s financial stability or any of their objectives.
The timescale for implementation
Feedback to DP22/3 is requested by 23 December 2022. Progress is then dependent on the FSM Bill passing through Parliament. While second reading is expected in September, other priorities such as the cost of living crisis may squeeze Parliamentary time.
However, the regulators say that they expect to consult on proposed rules and guidance for CTPs in 2023 after Royal Asset. Once the regulators have finalised their rules, HMT will begin designating CTPs.
DP22/3 confirms that the regulators plan to consult on a centralised framework for collecting information on firms’ outsourcing and third party arrangements in Q2 or Q3 of 2023; this information is expected to inform decisions on designation. While it is difficult to say with any certainty, a reasonable estimate for the earliest date that the new regime could come into force (possibly with transitional provisions to facilitate implementation) would be late in 2023.
DP22/3 suggests that CTPs are expected to comprise a very small percentage of the total number of third parties providing services to firms and FMIs and that those CTPs will already be familiar with the provisions of the existing operational resilience framework. However, the impact of the new regime likely to be significant on those CTPs within scope, as well as on the firms and FMIs receiving their services and entities within the CTPs supply chain.
A services-led approach could disadvantage other sectors
The Government has taken a policy decision to focus on a specific sector. It is unclear whether this is the intended policy endgame or if it is, in effect, use of the financial services sector as a ‘Sandbox’ to trial the regulation of CTPs. As DP22/3 notes, CTPs will be providing services to other sectors of the economy. It is conceivable that difficult questions would be asked if, in the wake of an incident which significantly affected another sector, it transpired that the financial services regulators were aware of a weakness at a CTP but were unable to share this information with other sectoral regulators, possibly due to lack of a legislative ‘gateway’. That said, even with advance warning, other sectoral regulators may lack powers to intervene equivalent to those accorded to the FCA, the PRA and the BoE.
No ultimate arbiter
The provisions in the FSM Bill will see powers and responsibilities allocated to each of the three of the financial services regulators, with no single regulator designated as final arbiter either in respect of the entire CTP population or in respect of individual CTPs (the model approach taken in the EU under DORA). The regulators will be required to consult one another before issuing rules, gather information or taking enforcement action. However, while the UK authorities do have a track record of cooperation, particularly on enforcement activities, the robustness of these arrangements in the face of a live disruption to a CTP is untested.
Jurisdictional variations remain
Some potential CTPs provide services to firms and FMIs in multiple jurisdictions and the potential systemic risks posed by their failure or severe disruption would not be confined to the UK. DP22/3 sets out ways to strengthen global regulatory and supervisory coordination, but acknowledges that the regulators are limited to addressing the provision of services by CTPs to UK firms and FMIs. While other jurisdictions may have or may introduce regimes which target similar outcomes, for example the EU’s Digital Operational Resilience Act (DORA), there will be variations in the substance and scope from the UK’s proposed approach which may create complications for both CTPs and for those firms and FMIs that operate cross-border. (For more on DORA, see our blog post here.)
In DP22/3, the regulators comment that their proposed approach would be agnostic about the location of CTPs. They explain that this will help reduce the potential compliance costs for multi-jurisdictional CTPs, firm and FMIs (compared to requiring CTPs to localise entities, infrastructure, personnel or services in the UK). However, it is important to note that DP22/3 does not present a review of other possible constraints which might limit location options, for example, data protection legislation.
Service provider market distortion
At this stage, it is unclear whether the proposed regime could inadvertently generate a two-tier service provider market, divided into: regulated CTPs (whose operations will be subject to direct regulatory scrutiny and minimum standards, with the potential to be deemed lower risk counterparties to firms and FMIs); and those third party providers that will not be regulated in the same way. This could give rise to potential unintended consequences if firms and FMIs decide to only use designated CTPs for material services. It could, for example, increase concentration further, distort competition in the market and deter other third parties from entering the market. Pricing models may also be impacted by a two-tier distinction. The regulators acknowledge this risk in DP22/3 and are keen to hear from stakeholders on how it could be mitigated.
While DP22/3 does not address the issue specifically, we expect that the regulators would take a dim view if a third party service providers used potential CTP designation for promotion purposes. The FCA Handbook contains specific rules regarding statements about authorisation and regulatory status which restrict regulated entities from doing so.
Firms and FMIs: existing compliance burden remains
The proposed regime is expected to be complementary to existing regulatory requirements on firms and FMIs, and on those individuals performing Senior Management Functions within firms and FMIs. In other words, the new CTP regime does not dilute the responsibilities that firms and FMIs have for managing potential risks to their own operational resilience arising from third parties under the existing framework – regardless of whether those third parties are CTPs or not.
It is not yet clear to what extent, firms and FMIs may find they need to strengthen their existing management or monitoring of CTPs as the regulators develop greater understanding of CTPs through their supervisory engagement. Certainly DP22/3 seems to presume this will be the case as it envisages that regulators may ask firms and FMIs (through their business-as-usual interactions) to enhance their due diligence, monitoring or business continuity and exit plans for material services they receive from a specific CTP, if they have concerns about its resilience.
Contract negotiations and services
For CSPs, there are clearly compliance, governance and cost burdens arising from direct supervision and close oversight by the regulators which may also commercially impact on the flexibility that CTPs currently have over their service offerings to firms and FMIs.
It is fair to observe that regulatory status will be relevant during contractual negotiations. It may strengthen the position of firms and FMIs in relation to assurances from CTPs relating to operational resilience (that may traditionally be resisted) to take account of the measures envisaged under the FSM Bill. This would be in addition to the usual flow down provisions already imposed by firms and FMIs to comply with the current operational resilience framework.
Conversely, given the likely dependency on the conduct of firms and FMIs to fulfil certain of their regulatory obligations, CTPs themselves may also seek to impose certain requirements on firms and FMIs (eg in respect of cooperation, coordination, and information requirements). CTPs will also need to flow down their new regulatory requirements on entities in their supply chains where appropriate. Indeed, DP22/3 proposes requirements for CTPs to develop, maintain and test financial services sector continuity playbooks addressing the currently missing direct requirement to develop and test plans to manage the systemic risk to financial stability posed by these third parties. The playbooks are intended to promote greater coordination among multiple CTPs, firms and FMIs that use their services and the financial services regulators when responding to disruption.
DP22/3 makes passing reference to CTPs demonstrating that they comply with the potential minimum resilience standards through by providing ‘attestations and other relevant information’. CTPs should note that, in the context of financial services regulation, an attestation is a formal statement which is typically signed by the most appropriate senior individual in the firm. Under the Senior Managers and Certification Regime (SMCR) which applies for firms and FMIs, an attestation places a serious obligation on the signatory; failure to comply or act in line with an attestation may result in enforcement action against the signatory. While there is no equivalent to the SMCR proposed for CTPs at this time, it is important that CTPs are aware of the significance which the regulators attach to attestations – and that in certain circumstances, the provision of false or misleading information may attract criminal sanctions.
At this early stage, third party service providers to the UK financial services sector (particularly ICT service providers), should review their existing and future arrangements with firms and FMIs and with entities in their supply chains to determine whether they have potential to be designated as CTPs. If designation looks likely, the DP provides a helpful outline of the regulators’ areas of focus which may be useful for an initial scoping exercise for a future implementation project(s) and for informing ongoing and future engagement with client financial services firms and FMIs in the UK.
Providers may also wish to provide feedback to the regulators by responding to DP22/3. The deadline for responses is 23 December 2022.