Following the publication of the Financial Services and Markets Bill (“FSM Bill”) on 20 July 2022, the Prudential Regulation Authority (“PRA”), the Financial Conduct Authority (“FCA”) and the Bank of England (“BoE”) (together, the “Supervisory Authorities”) on 21 July 2022 published their Discussion Paper P3/22 (the “DP”), which sets out how they may in future use the collective powers proposed under the FSM Bill to require entities designated as ‘critical third parties’ (“CTPs”) to provide their services to the financial sector in a more resilient manner.
This follows the suite of guidance introduced by the Supervisory Authorities in 2021 (including Supervisory Statement SS1/21: ‘Operational resilience: Impact tolerances for important business services’ and Statement of Policy/SoP: ‘Operational resilience’) that placed increased onus on firms and financial market infrastructure firms (“FMIs”) to implement measures to minimise the risk of operational disruption (including by requiring their third party IT service providers to meet specific requirements designed to enhance operational resilience and lower the risk of operational disruption). It is a further step along the path of recognising the importance of providers themselves, as opposed to simply requiring the regulated entities to take appropriate actions, especially with the likely advent of the EU Digital Operational Resilience Act (known as “DORA”) in the coming months.
Coverage of the Discussion Paper
The newly published DP opens with the acknowledgement that “…no single firm or FMI can adequately monitor or manage the systemic risks that certain third parties pose”. Additional measures, targeted specifically at the CTPs themselves, are accordingly seen as required, although the DP notes that these measures are intended to complement rather than supersede the measures that firms and FMIs are already required to take. There is, then, no suggestion that regulated entities can simply rely on the outcome of this DP as sufficient for their own operational resilience requirements – the DP makes it clear that: “Firms and FMIs would, however, remain accountable for managing risks to their individual operational resilience stemming from their arrangements with third parties” (Ch. 1.14), and they would remain so under a potential future CTP regime.
The DP itself recognises that it is motivated by the growing dependency of firms and FMIs on CTPs such as cloud service providers, where firms have often struggled to negotiate terms that meet their own regulatory requirements owing to an “imbalance in negotiating power” (Ch. 2.14). One can take this as a reference to some of the very largest cloud service providers, who are typically reluctant to move significantly away from their standard contract terms, and perhaps this has been a particular motivation for the move to direct regulation.
The DP covers three main areas:
- a framework for the Supervisory Authorities to identify and recommend third parties for designation as critical, based on the systemic impact that would likely occur if their services were disrupted;
- minimum resilience standards for designated CTPs, aligned to the operational resilience frameworks for firms and FMIs, including a requirement for CTPs to develop and test ‘financial sector continuity playbooks’ to improve the ability to recover from disruption that might affect numerous firms; and
- a series of tools to test the resilience of the material services that CTPs provide to firms and FMIs.
Designation of CTPs by HM Treasury
The FSM Bill introduces the power of HM Treasury (“HMT”) to designate certain third parties as CTPs taking into account criteria laid out in the FSM Bill.
Such designation would be carried out in consultation with the Supervisory Authorities. The relevant test is whether HMT considers that a failure in, or disruption to, the services provided by the third party in question would have the potential to threaten the stability of, or confidence in, the UK financial system. HMT would, the DP explains, bear in mind two high-level criteria when making a CTP designation:
- materiality: the importance of the third party’s services to the delivery by firms and FMIs (and, if applicable, other persons on their behalf) of activities, services or operations that are essential to the UK economy or to UK financial stability; and
- concentration: the number and type of firms and FMIs to which the third party provides services. This involves assessing whether the effect of a disruption would fall on either: (a) one or more significant firms or FMIs; or (b) a large number of firms or FMIs, even if none of them is individually significant. Significantly, it also involves assessing both the direct dependencies of firms and FMIs on the third party (i.e. via their own contractual relationship) and their indirect dependencies (i.e. where the third party is a core supplier or subcontractor to other service providers).
The DP acknowledges the fact that only a very small percentage of the total number of third parties providing services to firms and FMIs may be caught by such an analysis. The third parties likely to be identified are those whose failure/disruption could have an impact on the supervisory authorities’ objectives, including UK financial stability, market integrity and consumer protection.
A key point is the recognition that the impact must be likely to be systemic, not merely significant for a particular firm or FMI.
The DP also notes that the Supervisory Authorities could consider the potential impact of the failure or disruption of services provided by third parties undergoing assessment, taking into account factors such as the substitutability of their services or their survivability. And, although the Supervisory Authorities may make recommendations following an assessment, it would be HMT that ultimately makes the designation decision in each case.
Furthermore, the DP identifies three developing areas where designation is likely to become increasingly important: the widespread use of AI, quantum computing and hyperscale cloud.
Introduction of minimum resilience standards
The FSM Bill also proposes that the Supervisory Authorities should have the ability to establish minimum resilience standards applying to CTPs that would relate to material services provided by CTPs to firms and FMIs. Such standards would build on the existing operational resilience framework for firms and FMIs and would focus on the ability of CTPs to prevent, adapt to, respond to, recover from and learn from operational disruption.
Under this regime, the CTPs would have to ensure that any material services they provide to firms and FMIs meet the minimum resilience standards at all times.
It is suggested that CTPs could potentially demonstrate compliance with the new standards through a system of resilience testing and regular (e.g. annual) statements of compliance to the Supervisory Authorities.
Table C of Chapter 5.8 of the DP goes on to set out some suggested minimum resilience standards for CTPs, which may be summarised as follows:
- Identification – CTP to identify its material services (i.e. those which, if disrupted, could have a systemic impact on the Supervisory Authorities’ objectives).
- Mapping – CTP to identify the resources (i.e. the people, process, tech, facilities and information) required for the delivery of material services.
- Risk management – CTP to identify risks to material services across its supply chain and implement appropriate controls.
- Testing – Regular testing of the resilience of the CTP’s material services (through its own testing and sector-wide exercises).
- Engagement with the supervisory authorities – Prompt and proactive disclosure of information relating to incidents or threats with a potential systemic impact.
- Financial sector continuity playbook – Development of specific measures to address potential systemic risks, documented in a ‘Financial sector continuity playbook’.
- Post-incident communication – Development of a tailored communication plan to engage with firms, FMIs, Supervisory Authorities and other stakeholders in the event of a failure or severe disruption to its services.
- Learning and evolving – CTP to learn from disruption that it or relevant third parties experience and from resilience testing that it participates in. The results of the tests should be shared with firms and FMIs, and also the Supervisory Authorities.
Each of these proposed minimum standards is discussed in detail in the DP, which goes on to note the relevance of DORA (previously reported on by DLA here).
Resilience testing requirements for CTPs
In the DP it is also proposed that CTPs could be required to carry out – and be subjected to – specific resilience testing so as to establish compliance with the required minimum standards, and Chapter 6 outlines the potential approach to such testing that could be implemented using a range of tools.
It is acknowledged that a one-size-fits-all approach may not be suitable given the variety of CTPs and their different business models. Instead, CTPs could be required to draw on a range of resilience testing tools and exercises, with the most suitable methods of testing applied in each case, taking into account factors such as the type and number of services provided. The non-exhaustive list of resilience testing tools outlined in the DP includes the following:
- scenario testing;
- sector-wide exercises involving multiple firms and FMIs, led in certain cases by Supervisory Authorities;
- cyber-resilience testing; and
- information-gathering and skilled persons’ reviews.
Conclusion and calls for responses
The proposals made in the DP clearly reflect an emerging thought process at this stage and will certainly elicit strong views from those service providers that may be deemed ‘critical’ and that have not historically been subject to direct oversight from the Supervisory Authorities.
There are a number of broader market considerations flowing from the DP that will no doubt also prompt debate over the next few months, such as: who (ultimately) bears the costs of the compliance requirements as between suppliers and firms? Will the services provided become less bespoke for fear that any amendment to the “standard scope” would take them outside the parameters that satisfy these requirements? What does it mean for internal service companies that provide services underpinning a firm’s or FMI’s delivery? Similarly, what impact will there be on blockchain and other market utilities?
The DP sets out detailed questions relating to each of its chapters and calls for responses to those questions and other views on the DP to be received by Friday 23 December 2022.