Source: BoE, PRA and FCA “The regulators’ approach to the oversight of critical third parties”
November 2024
On 12 November, the BoE, PRA and FCA jointly published a package of measures to establish an oversight regime for critical third parties (CTPs) to the financial sector. The package includes policy and supervisory statements on the identification of potential CTPs, recommendations for designation by HM Treasury (HMT), CTP fundamental rules, operational risk and resilience requirements, incident reporting, the regulators’ oversight regime and enforcement. A separate supervisory statement, BoE/PRA SS7/24, addresses reports by skilled persons on CTPs.
Background
The financial sector increasingly relies on services provided by third parties, allowing it to embrace innovation and improve efficiency. However, large parts of the sector rely on a small number of third parties for key services. The impact of disruption to these services could spread through the financial system and threaten financial stability, market integrity, or trigger a loss in confidence.
Parliament has already legislated to allow HM Treasury (HMT) to designate third parties as critical and bring them within the UK regulators’ remit. HMT will be able to designate any third party providing existing and emerging technology and non-technology services to the financial sector as a CTP, where disruption to those services could pose systemic risk.
The UK regulators have designed the CTP oversight regime to be “compatible with similar approaches in other jurisdictions” and have committed to continuing to engage internationally to strengthen cross-border cooperation.
Identification and designation of CTPs
Draft criteria for identifying potential CTPs have been published previously and are confirmed in the final policy and supervisory statements published today alongside the overarching Approach to the oversight of critical third parties. The regulators will assess third parties against three main criteria before recommending designation to HMT:
- Concentration in the services which the third party provides to firms – this will be considered in absolute terms, i.e. the number of firms using the third party, and also whether any of the firms receiving services are systemically important.
- Materiality of the services which the third party provides to firms – this will consider whether there are any channels through which a third party’s services to firms could create, amplify or spread risks to the financial system via the financial services being supported (“systemic third-party services”). Macro-vulnerabilities which may be relevant to regulators’ assessments of materiality include, but are not limited to, interconnectedness and speed of transmission.
- Other drivers of potential systemic impact – for example availability or absence of substitutes or contingencies for third party services, or third-party access to firms’ assets as a result of services provided.
To note: third parties already subject to authorisation, regulation or supervision by the BoE, PRA or FCA will not be further designated as CTPs.
The regulators plan to consult on a new policy for Outsourcing and Third Party (OATP) data collection as one of the sources of data to identify potential CTPs. This data will feed into the proposed OATP register.
If HMT decides to designate a third party as a CTP, it will write to the prospective CTP to communicate its decision prior to publishing the Designation Regulations. The prospective CTP will be informed of the services which the regulators and HMT consider to be systemic. The regulators will then periodically review whether the CTP still meets the criteria and update HMT. CTP designation can only be removed by HMT.
CTP Fundamental Rules
In CP26/23, the regulators proposed 6 Fundamental Rules with which CTPs would be required to comply in respect of all the services provided to firms. In the final policy, the regulators have decided to apply Fundamental Rules 1 to 5 only in relation to the provision of systemic third-party services to firms, as this represents a more proportionate approach. Fundamental Rule 6 (‘A CTP must deal with each regulator in an open and cooperative way and must disclose to each regulator appropriately anything relating to the CTP of which it would reasonably expect notice’) will continue to apply to all services provided to firms.
The regulators rejected proposals for additional Fundamental Rules and have amended SS6/24 to note that CTPs should comply with the requirements "in an open and cooperative way, and in line with the spirit as well as the letter of the relevant rules", adopting a "transparency by default" approach.
Recap on the CTP Fundamental Rules
Under the proposals in CP26/23, the six Fundamental Rules were to apply to all the services CTPs provide to UK firms and FMIs, and act as a general statement of a CTP’s obligations under the regime. In the final policy, Fundamental Rules 1 to 5 apply only to systemic third-party services, while Fundamental Rule 6 applies to all services provided to firms. The rules are broadly similar to the Fundamental Rules applied to regulated firms:
- CTP Fundamental Rule 1: A CTP must conduct its business with integrity
- CTP Fundamental Rule 2: A CTP must conduct its business with due skill, care and diligence
- CTP Fundamental Rule 3: A CTP must act in a prudent manner
- CTP Fundamental Rule 4: A CTP must have effective risk strategies and risk management systems
- CTP Fundamental Rule 5: A CTP must organise and control its affairs responsibly and effectively
- CTP Fundamental Rule 6: A CTP must deal with the regulators in an open and co-operative way, and disclose to the regulators appropriately anything relating to the CTP of which they would reasonably expect notice
CTP Operational Risk and Resilience Requirements
In CP26/23, the regulators also proposed eight Operational Risk and Resilience Requirements with which CTPs would be required to comply in respect of their systemic third party services. The regulators have decided to retain all the CTP Operational Risk and Resilience Requirements, but have made some minor revisions and clarifications, to support effectiveness and proportionality.
Incident reporting and other notifications
In CP26/23, the regulators proposed to require CTPs to notify them, and the firm and FMI customers receiving an affected service, of certain incidents and other events. In the final rules:
- The regulators distinguish between incident reports and other notifications.
- The definition of an operational incident has been redrafted to encompass an event or series of events that ‘impacts a CTP’s operations such that the availability, authenticity, integrity or confidentiality of assets belonging to firms which a CTP has access to as a result of it providing a systemic third party service to those firms is or may be seriously and adversely impacted’.
- The term "affected firm" has been introduced, meaning (i) any firm to which a CTP supplies a systemic third party service impacted by that CTP operational incident; or (ii) any firm whose assets are or may be seriously and adversely impacted by that CTP operational incident.
- Under CTP Fundamental Rule 6, the regulators reasonably expect to be made aware of incidents that have not yet had an impact on a CTP’s provision of systemic third party services or operations, but are highly likely to do so.
- CTPs should report aggregate incidents and near-misses in their self-assessment. The regulators may also request these data on an ad-hoc basis.
- CTPs will still be expected to submit phased incident notifications, i.e. initial, intermediate and final. The initial notification requirement is updated to "as soon as practicable" after the occurrence of a CTP operational incident. Intermediate notifications should be submitted "as soon as practicable" after any significant change in the circumstances described in the initial notification. Final notifications are expected no later than 30 days after the resolution of a CTP operational incident.
Oversight
- Annual self-assessment: CTPs will be required to carry out annual self-assessments setting out how they have complied with the regulators’ rules and expectations. These will provide an indication of the CTPs’ risk management and resilience capabilities and will include an assessment of the CTP’s approach to testing and assurance. In the first year of designation/oversight a CTP will also carry out an interim self-assessment to assist the regulators in understanding the extent to which it is able to meet its duties at the point of designation.
- Annual Review meeting: the typical CTP oversight assessment period will be 12 months and will involve an Annual Review meeting during which the regulators will:
- Discuss the key risks a CTP poses to the regime’s Overall Objective based on developments over the preceding 12 month cycle, including oversight activities, any CTP operational incidents, recent or planned major change initiatives and engagement with other authorities.
- Agree the oversight strategy for the next 12 months, including planned oversight activities and actions the CTP will be requested to take, such as specific testing or remediation.
- Actions from Annual Review: following the Annual Review, the regulators will write to the CTP clearly outlining the risks that are of greatest concern and where it is expected that the CTP takes risk management, risk mitigation or remediation actions.
- Additional reviews: the regulators will take a risk-based approach to the assessment of CTPs. This will include fundamental assessment activities to form a view of risks, such as review of a CTP’s self-assessment and testing outputs, analysis of regular and ad-hoc data and information, meetings with CTP staff and engagement with other authorities. The regulators may also carry out further assurance via deep dive examinations, thematic reviews, skilled person reports or other relevant assurance, exercising or testing activities.
- Engagement: the regulators expect CTPs to interact in an open and co-operative manner, as noted in Fundamental Rule 6. They caution that CTPs should not approach their engagement as a negotiation. The regulators will typically engage with a CTP via an appointed employee/s or member/s of its governing body. However, if appropriate, the regulators may also engage with other CTP employees or members of its governing body, including specialists in specific areas.
- Intensity and format of oversight: the oversight regime is intended to be proportionate, reasonable and robust. Intensity may vary across CTPs, reflecting the regulators’ judgement of the potential impact of disruption in a CTP’s systemic third-party services on the financial system and on the advancement of their objectives.
- Coordination: the PRA, BoE and FCA will share responsibility for the oversight regime, through a common Overall Objective and the statutory duty to coordinate the exercise of their respective CTP functions under FSMA section 312U and consult with each other. The regime will be coordinated through a joint CTP Consultation and Coordination Forum (CCF) as well as common memberships of the FCA Board, the PRA’s Prudential Regulation Committee (PRC) and the BoE’s Financial Market Infrastructure Committee. Coordinated oversight activities will include:
- Reviews of self-assessments (interim and annual) and any supporting documentation provided by the CTP (certifications, standards etc)
- Regular and ad-hoc meetings with the CTP
- Deep dive and thematic reviews (including skilled person reports)
- Use of powers, including information gathering and referrals to enforcement
- Participation in incident management playbook exercises (including any feedback provided to the CTP after the exercise)
- Consideration of incident reports and follow-up actions
- Engagement with other UK authorities and non-UK financial regulators
- Enforcement: the FCA confirms that it will take a proportionate approach to enforcement, considering all relevant factors before taking any enforcement action. However, it is not possible to prescribe the exact circumstances in which the FCA would use any given power. The regulators have agreed a new tripartite memorandum of understanding on how they will approach CTP oversight and enforcement. To note, FSMA does not give the regulators the power to impose fines on CTPs. This was proposed under the Financial Services and Markets Bill in DP3/22 but has not been consulted on and is not part of the policy statement.
Implications for firms
The final rules for CTPs will take effect from 1 January 2025. However, the statutory obligations of a CTP under FSMA, the requirements in the regulators’ rules and the expectations in the SS6/24 and other documents listed in this PS, will only apply to a CTP on the date the HMT designation order comes into force. Compliance with certain requirements in the regulators’ rules will be subject to a transitional period that will also start from the date specified by HMT in the designation order - see Chapter 2 of PS16/24 and Section 12 of SS6/24 for a list of the requirements that are subject to a transitional period and the applicable transitional periods.
Although CTPs now have their own regulatory regime, firms using their services must continue to meet their own requirements under the regulators' third-party risk management policies. The new regulatory regime for CTPs does not change the need for financial services firms to conduct due diligence and perform ongoing monitoring of third parties with which they engage, whether these are CTPs or not. The regulators stress that contracting with a CTP will not relieve a firm from liability in any potential enforcement action.