U.K. Moves to Tighten Regulation of Financial Sector

Regulators publish new rules for third parties in the financial sector.

A faulty endpoint-security software update in July 2024 caused worldwide IT outages, affecting air travel, retailers, and banks. One estimate put the banking sector's losses from that disruption at $1.15 billion.

Financial services regulators are now turning their attention to the third parties that work closely with firms operating in the financial services industry, in a bid to ensure the industry's stable operation. These third parties include providers of technology, communications, and data services.

The United Kingdom has taken action in this sphere by enacting the Financial Services and Markets Act 2023, which gives regulators the power to oversee these third parties.

The Act places third parties under the oversight of financial regulators by allowing the U.K. Treasury to designate a person as a “critical third party” (CTP) if they provide services to regulated financial services firms and if the disruption or failure of such services might “threaten the stability of, or confidence in, the U.K. financial system.” Under the Act, the Treasury is required to consider the materiality of a third party’s services, the concentration of provision of its services, and whether its services can be provided by other firms in deciding whether it should be designated as a CTP.

The Act grants the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) expansive powers to regulate CTPs by making rules, issuing directives to CTPs, investigating CTPs’ activities, and taking disciplinary action against CTPs that flout the regulations. Although the Act grants these regulators extensive powers to oversee CTPs, their supervision is limited in scope—regulators may only take action related to a CTP’s provision of services to financial services providers.

The Bank of England, the PRA, and the FCA have now set out a framework for exercising their regulatory authority by publishing new regulations. These rules, published in November 2024, aim to improve the stability and confidence in the U.K.’s financial system by mitigating risks that might arise due to disruptions to the operations of a third party that provides services to financial service providers.

The latest regulations reiterate that the U.K.’s regulatory regime applies to CTPs that provide services to any U.K. financial services firms, regardless of where a CTP operates. As a result, CTPs must provide regulators with a U.K. address for the service of documents even if they do not have a U.K. branch or subsidiary.

Furthermore, regulators now require that CTPs appoint a central point of contact with sufficient knowledge of financial regulation to ensure that a CTP remains in compliance with applicable regulations—a requirement that is also intended to improve CTP governance.

This drive to enhance governance arrangements has led regulators to mandate “appropriate review and approval” of all information provided by CTPs to regulators. Although the regulators acknowledge that the varied structure of CTPs and the different types of information may make the definition of “appropriate review” variable, they suggest that documents provided to regulators should be “reviewed by the top layer of decision-makers” to ensure accurate disclosure.

The regulations also require CTPs to identify risks, implement risk management processes, and regularly update their risk management protocols.

The regulations identify two specific areas of concern—supply chain risks and technology-related risks.

To mitigate supply chain risks, CTPs are required to carry out due diligence on the providers with which they contract and must supply information about those providers to regulators, particularly following operational incidents, meaning incidents that seriously disrupt a CTP's services or that compromise the "availability, authenticity, integrity or confidentiality of assets" belonging to the firms a CTP serves.

To mitigate technology-related risks, the regulations mandate that CTPs implement measures to defend against cyber-attacks and technological outages. CTPs must also devise a plan to respond to any failures to reduce the impact of any technology-related incidents.

The requirement for CTPs to respond rapidly, however, is not limited to technology-related incidents. Instead, regulators have required that CTPs maintain an incident management playbook to minimize the impact of any incident that may affect the stability of or confidence in the U.K.’s financial system.

To enable regulators to discharge their duty of oversight over CTPs, the new rules also require that CTPs keep “orderly records” of their provision of services to firms. In addition, CTPs are required to conduct self-assessments of their ability to comply with regulatory requirements while also running scenario-testing and incident management exercises. The results of these assessments, alongside any other relevant information, must be provided to regulators upon request.

Industry observers have described the latest regulations as having struck a “pragmatic balance between strengthening operational resilience and ensuring proper implementation.” Subject to transitional arrangements, the new regulations came into effect on January 1, 2025.