Operational resilience is a priority for financial services regulators in the UK. It occupies a prominent place in the business plans of both the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA).
Over the past year, the UK financial services industry has been busy implementing its regulators’ new operational resilience framework: identifying and mapping important business services and defining the associated impact tolerances. But a potential vulnerability in all this good work was identified some time ago, and the UK government has set itself the goal of fixing it.
Companies providing services to the financial sector may not be used to dealing with financial services regulators, but they could soon come under scrutiny by the FCA and PRA and risk potential enforcement action that could go as far as a ban on providing services. Such scrutiny will apply to any service provider which the UK Treasury (HMT) considers may pose a threat to stability or confidence in the UK financial system, regardless of where that service provider itself is located or based. These proposals follow the recent announcement across the EU of a political agreement on the Digital Operational Resilience Act (DORA), which will require critical third-country information and communication technology (ICT) service providers linked to financial entities in the EU to establish a subsidiary in the EU and be subject to supervision.
Financial services firms are already required to identify and understand their reliance on essential service providers. They must have appropriate and effective risk management systems and strategies in place to deal with external service providers. These measures are only part of the picture, however, and there has been growing awareness of, and concern about, the growing reliance of many firms on a small number of cloud service providers and other critical third parties. No firm alone can manage the risks arising from the concentrated provision of essential services by one third party to several firms. In the words of the UK’s Financial Policy Committee, “in the absence of a cross-industry regulatory framework and cross-border cooperation where appropriate, there are limits to the extent to which financial regulators alone can effectively mitigate these risks.” Enter HMT, working with the Bank of England, including the PRA, and the FCA “to understand what ‘direct regulatory oversight’ of critical third-party services could entail”. The outcome is set out in a policy statement released by HMT on June 8, 2022.
Who will be caught by this new regime?
HMT wants to be granted the power to designate certain third-party companies as “critical”. As mentioned above, this criticality assessment is determined by reference to the risks that a failure or disruption of a service provider poses to the UK financial system, regardless of the location of the service provider.
The designation will be made in consultation with financial regulators and “other bodies”. Regulators could proactively recommend that a third party be designated as critical, but the final say will rest with HMT. This power will be granted in primary legislation, which will presumably prescribe the criteria to be considered in regulating HMT’s use of the power.
There is no indication of what HMT might consider ‘critical’. However, the focus is clearly on certain cloud providers. Beyond that, HMT simply states that any assessment will be based on its analysis of data and firm information.
In relation to this information, a joint consultation paper on incident reporting, outsourcing and third-party reporting is expected to be published by the Bank of England, PRA and FCA by the end of the third quarter. The drivers of this policy include enabling regulators to collect certain information about regulated financial services firms’ outsourcing and third-party arrangements in order to manage the risks they may pose to regulators’ objectives, including resilience, concentration and competition risks. The PRA is also considering an online portal that financial services firms would need to populate with certain information about their outsourcing and third-party arrangements, or a subset thereof, such as those deemed material, to help identify common critical third parties.
Implications for “critical third parties”
Once a third party is designated, the FCA and PRA will be able to exercise “a range of powers in respect of all material services that the third party provides to the financial sector”. Regulators will be able to make rules relating to the provision of these services, request information from the service provider and take “formal action (including enforcement) if necessary”.
The main power proposed by this policy statement will grant regulators the ability to make rules setting minimum resilience standards that a critical third party will be directly required to meet in respect of all material services it provides to the UK financial sector. It will also allow financial regulators to require critical third parties to take part in a range of targeted forms of resilience testing, to assess whether those standards are being met.
Critical third parties will join the ranks of supervised firms. These entities will need to establish relationships with the FCA and PRA supervision teams. Regulators will review how they conduct their business and will ask for information. They will also be able to require a report from an independent skilled person “on certain aspects of critical third-party services” or appoint investigators to look into possible breaches of the requirements. Critical service providers should anticipate regular dialogue with financial services regulators, and board-level engagement is likely to be expected.
The policy statement provides “a series of statutory powers” for regulators, including the power to direct critical third parties to take, or refrain from taking, specific actions, and enforcement powers, including the power to make breaches public and (as a last resort) to prohibit a critical third party from providing future services or from continuing to provide services to firms.
Service providers beware!
It will be a new world for a number of critical service providers. What is clear from this policy statement is that their “material services” will be subject to regulation. Open questions include:
- How will HMT exercise its power? What will be the criticality thresholds? While the policy statement accepts that HMT will have to “consider” representations made by potential critical third parties, what will the process entail and what rights to challenge might a company have?
- Once a provider is designated as “critical”, how will its “material services” be determined? Will this correspond to the identification of “material outsourcing” by financial services firms? If so, what transparency about this will be available to third parties? If not, who will determine materiality, and how? Will it be limited to ICT services, in line with the EU’s DORA?
- What will the “resilience standards” be? Will they be tailored and proportionate, or will they be general standards? How will they relate to the requirements already indirectly applicable to service providers of financial services firms under the contractual requirements of such outsourcing? Will they reflect the operational resilience requirements placed on regulated financial services firms, which require impact tolerances and the mapping of processes, systems and controls, as well as governance and communication strategies? How will the testing requirements compare to the penetration testing that will be required by the EU’s DORA? There will inevitably be compliance costs. The policy statement says this new regime for service providers will not replace the individual responsibilities of regulated financial services firms, but will critical service providers risk being found guilty by association? Service providers will want to ensure that any enforcement risk is confined to the performance measures within their control.
- Given the extraterritorial scope of the proposals, how do regulators plan to ensure adequate oversight of third-country service providers? Will the “resilience standards” include presence or location requirements similar to the requirement under the EU’s DORA to establish a subsidiary in the EU? Will an assessment of adequate regulatory cooperation and equivalence be required in respect of the service provider’s home state?
The government intends to legislate for this regime “when parliamentary time permits”. Regulators will then issue a joint discussion paper outlining how they might exercise the powers given to them; the recent Regulatory Initiatives Grid suggests this will be later this year. This will be followed, once the primary legislation is adopted, by a consultation on the rules they propose. Once regulators finalise their rules, HMT will begin designating the first critical third parties under this new regime. Given the regulatory emphasis on operational resilience, regulators are likely to act quickly as soon as parliamentary time permits the primary legislation to be passed. Service providers are encouraged to watch this space and to participate in the discussion paper and subsequent consultation.