Regulators to strengthen resilience of critical third parties



Financial services regulators have set out measures to strengthen the resilience of services provided by critical third parties (CTPs) to the UK financial sector.

The measures were outlined in a discussion paper jointly published yesterday (22 July) by the Bank of England, Prudential Regulation Authority and Financial Conduct Authority.

They say CTPs provide vital services to regulated financial services firms and financial market infrastructure firms (FMIs) that could affect financial stability and cause harm to consumers if they fail or are disrupted.

The discussion paper outlines how the supervisory authorities could use their proposed powers.

This includes a framework for identifying potential CTPs, and sets out minimum resilience standards that would apply to the services that designated CTPs provide to firms and FMIs.

A framework for testing the resilience of material services that CTPs provide to firms and FMIs is also proposed.

It would use a range of tools including but not limited to scenario testing, participation in sector-wide exercises, cyber resilience testing, and skilled persons reviews of CTPs.

FCA chief executive Nikhil Rathi says: “In an increasingly digital world, financial businesses are more dependent on a small number of third-party providers. That can bring significant benefits, but also comes with resilience risk.

“We want an open discussion about how we should use new powers Parliament is giving us to oversee the services these third parties provide to the financial sector and reduce the risk of major disruption, which could cause harm to consumers and markets.”

The regulators say these measures would complement, not replace, firms’ and FMIs’ existing responsibilities to manage risks from contracts with third parties.

They explain that the supervisory authorities would only oversee the systemic risks arising from the services CTPs provide to firms and FMIs.

Deputy Governor of Prudential Regulation and chief executive of the PRA Sam Woods says: “It is vital that the firms we regulate can rely on services provided to them by third parties, particularly where those third parties have become critical parts of the system.”

The measures to mitigate risk are being put in place following warnings last year by the Bank of England’s Financial Policy Committee (FPC) about the potential for disruption at third-party services relied upon by firms and FMIs.

The FPC was established in 2013 as part of the new system of regulation brought in to improve financial stability after the financial crisis in 2008.

Deputy governor for financial stability Jon Cunliffe adds: “Financial market infrastructure firms are becoming increasingly dependent on third-party technology providers for services that could impact the financial stability of the UK if they were to fail or experience disruption.

“The potential measures examined in this DP provide an initial, but important step for the Bank of England to manage these systemic risks (in coordination with the FCA). The DP also includes suggestions to improve coordination between the Bank/PRA and FCA, international financial regulators, and UK non-financial regulators, which is key given the cross-border and cross-sectoral nature of many CTPs and the services they provide.”

The regulators say comments are open on the discussion paper until 23 December 2022, and that there will be a consultation on proposed requirements and expectations for CTPs in 2023, subject to the outcome of parliamentary debates on the Financial Services and Markets Bill and the responses to this discussion paper.