Critical Third Parties to the financial services sector
What has happened?
In August 2022, the Bank of England, the PRA, and the FCA published a joint discussion paper, DP 22/3, giving more details of their proposed approach to permitting the UK’s financial regulators to directly oversee and supervise previously unregulated critical third parties (CTPs) that provide services to the financial services sector.
What do you need to do?
The discussion paper covers the Financial Services and Markets Bill’s proposal to allow supervisory authorities to create the rules for CTPs, setting out the expected resilience standards and associated requirements. As part of this, the Bill includes a proposed requirement for regulatory coordination by supervisory authorities, which could lead to a coordinated set of minimum resilience standards for CTPs.
The potential minimum standards proposed in the paper include:
- Identification: this would involve the CTP identifying and documenting services provided to firms and financial market infrastructure firms (FMIs) which, if disrupted, could affect their services,
- Mapping: this would include the CTP identifying and documenting the technology, processes, people, facilities and information required to deliver its services,
- Risk management: this is designed to ensure the CTP has controls in place against identified risks to its services,
- Testing: this is designed to ensure the CTP regularly tests, both internally and also through tests convened by the supervisory authorities,
- Engagement with the supervisory authorities: this would involve the CTP disclosing relevant information to the supervisory authorities, including information on threats and other similar topics,
- Financial sector continuity playbook: this is designed as a place for the CTP to document steps and measures it has taken to address specific risks. It is designed to be updated regularly and submitted to the supervisory authorities,
- Post-incident communication: the CTP should develop a communications plan which addresses loss of confidence and any estimated timeframes for the restoration of any lost materials or services, and
- Learning and evolving: this is designed to ensure that the CTP learns and evolves from disruption (either to itself or third parties) and from tests and that it shares the lessons with the supervisory authorities and their finance customers.
The regulators argue that a one-size-fits-all approach to resilience testing would not be resource-efficient, effective, or proportionate. They propose instead to rely on a variety of testing tools combined with cross-sectoral exercises, with the most relevant for each CTP being chosen periodically, taking into account factors such as the number of functions the CTP supports, the supervisory authority’s confidence about the CTP’s services, its prior engagement with the CTP, and the type of services the CTP provides.
Some of the proposed testing methods include:
- Scenario testing,
- Sector-wide exercises,
- Cyber-resilience testing, and
- Information-gathering and skilled persons’ reviews.
The paper states that the ‘overriding goal’ of the proposals contained within it is to ‘manage the systemic risks that CTPs pose to the supervisory authorities’ objectives.’ As part of this, the FSM Bill contains proposals to give the regulators statutory powers, in addition to the regulators’ aim to encourage dialogue both with CTPs and the businesses they serve. The regulators could use these powers if circumstances suggest a CTP may have breached a requirement, or they believe it to be ‘necessary or expedient to advance their objectives’.
The proposed powers include:
- The power to issue a direction to a CTP, compelling it to do or not do something, as appropriate,
- In the event a CTP breaches a requirement:
  - Instigating limitations or conditions on the CTP’s ability to provide services,
  - Publishing a censure detailing the breach, and
  - Issuing a notice of disqualification to the CTP which could prohibit it from entering into future services agreements (and also prohibiting firms from conducting agreements with the CTP in breach) or prohibit it from providing any services it may already be providing at that point, and
- The power to appoint a skilled person to report on the CTP’s compliance. The subsequent report could then be used for a variety of purposes, including assessing whether the CTP has implemented any actions set out in a direction.
The proposed regime will result in compliance, governance and cost burdens to CTPs as a consequence of direct supervision and oversight by the regulators. This may have a commercial impact on the services that CTPs currently offer to firms and FMIs.
The deadline for responses to the discussion paper is Friday 23rd December 2022. Whilst the statutory framework for the proposal has already been put forward as part of the Bill, the details of the regime, such as the criteria for designating a third party as critical, are at a very early stage.
How can we help you?
If you’d like to know more about how we can help you with your critical third party arrangements, or any other regulatory compliance issues, our specialist team is here to help. Contact us today on 0207 436 0630 – or email info@thistleinitiatives.co.uk.