On 7 December 2023, a joint Consultation Paper was issued by the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA) and the Bank of England (BoE) outlining their proposed regulatory requirements, and the accompanying expectations, for Critical Third Parties (CTPs). The purpose of these requirements is to manage potential risks to the stability of, or confidence in, the UK financial system that may arise from disruption to the services that a CTP provides to Financial Services (FS) firms and/or Financial Market Infrastructures (FMIs).
Identification of Critical Third Parties
Unlike the current Operational Resilience regulations, which apply to firms and FMIs directly, the regulators propose to identify potential CTPs for recommendation to HM Treasury (HMT) by assessing third parties against the following three criteria:
Materiality of the services which the third party provides to firms and FMIs;
Concentration of the services which the third party provides to firms and FMIs; and
Other drivers of potential systemic impact, such as the substitutability of the material services and access to firms' or FMIs' critical resources.
In addition to a set of six Fundamental Rules that CTPs would be required to comply with regarding the services they provide to firms and FMIs, the regulators have proposed a set of Operational Risk and Resilience Requirements to provide clear and consistent obligations for CTPs regarding the provision of their material services. Material services have been defined as ‘services provided by a CTP to one or more firms a failure in, or disruption to, the provision of which could threaten the stability of, or confidence in, the UK financial system’.
Summary of Key Requirements
The Operational Risk and Resilience Requirements that apply to CTPs that provide material services to firms and FMIs are outlined below:
1. Governance: the CTP must define governance arrangements to promote the resilience of its material services by:
a. appointing a central point of contact for regulators; and
b. establishing and implementing an overarching approach and operating model, with clear roles and responsibilities at all levels, that enables the CTP to prevent, adapt to, respond to and recover from any event that causes disruption.
2. Risk Management: the CTP must have a sound risk management framework (including strategies, policies and procedures) to effectively manage both operational and financial risks that may affect its ability to continue to deliver a material service. The CTP should monitor risks on an ongoing basis through horizon scanning and testing. It should also ensure that its processes are updated to reflect issues arising and lessons learned from a disruption to a material service, engagement with regulators, new and emerging risks and any associated testing.
3. Dependency and Supply Chain Risk Management: the CTP must identify and manage risks to its supply chain; perform appropriate due diligence, from the outset and throughout the arrangement, on any sub-contracting arrangements that are key to its delivery of material services; and be transparent with the regulators, firms and FMIs about which parts of its supply chain are essential to material service delivery.
4. Technology and Cyber Resilience: the CTP must ensure, for any technology that delivers, maintains, or supports a material service, that measures around technology, cyber risk and operational resilience are put in place and regularly tested. Processes and measures should be updated to reflect lessons learned from testing and to assist in the risk management and decision-making processes.
5. Change Management: the CTP must have a systematic and effective approach to changes to material services, with appropriate governance, processes and controls in place throughout the change management lifecycle so that any modification to a service minimises the risk of disruption and improves resilience.
6. Mapping: the CTP must identify and document the resources (Data and Information, Facilities, People, Processes, Technology and supporting Infrastructure) used to deliver, support and maintain each material service it provides, together with any internal and external interconnections and interdependencies. Just as in the current Operational Resilience policy, mapping should enable a CTP to identify vulnerabilities.
7. Incident Management: the CTP must appropriately manage incidents that adversely affect, or are expected to adversely affect, the delivery of a material service, including by setting a maximum tolerable level of disruption for each material service. It must implement appropriate measures to respond to and recover from incidents in a way that minimises impact, maintain a financial sector incident management playbook, and co-ordinate and engage with the wider FS ecosystem.
8. Termination of Services: the CTP must have in place appropriate measures to respond to the termination of any of its material services, including arrangements to support the effective, orderly and timely termination of services, provisions for ensuring that the firms or FMIs it provides the material service to retain access to any relevant assets, and the recovery and return of those assets.
These requirements may ultimately require the contracts and contracting processes between CTPs, firms and FMIs to be reviewed and updated.
Additionally, CTPs will also need to:
- Submit an annual self-assessment to the regulators demonstrating how they have complied with the specific requirements;
- Undertake scenario testing of their ability to continue providing each of their material services within its maximum tolerable level of disruption in the event of a severe but plausible disruption to their operations;
- Test the measures in their financial sector incident management playbook annually with an adequately representative sample of the firms and FMIs to which they provide material services; and
- Share assurance and testing information with firms and FMIs to enable them to adequately manage risks related to their use of the CTP’s services.
Alignment With Other Operational Resilience Regulations
The proposals set out in the Consultation Paper build on and complement the Operational Resilience framework for firms and FMIs, and are designed to be interoperable with other regimes such as DORA in the EU and the Bank Service Company Act in the US.
The oversight regime for CTPs assumes that disruption will occur and seeks to ensure that CTPs prevent, adapt to, respond to, recover from and learn from disruption (in collaboration with the firms and FMIs they provide services to where appropriate).
The proposals are also agnostic as to the location of a CTP. There is no requirement for a CTP to set up a UK establishment (e.g. a subsidiary) where one does not already exist. This proposed approach recognises that CTPs may provide services from multiple jurisdictions, which can help improve the efficiency and resilience of those services.
Responses to the Consultation Paper are requested by 15 March 2024.
For more information, please get in contact with Georgia Hunter or visit our Powered Resilience website.