The Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and the Bank of England (the regulators) have today published a joint policy statement on operational resilience and critical third parties (CTPs) in the UK financial sector, which takes into account the CP26/23 - Operational resilience Consultation Paper.
This is a significant step to enhance Operational Resilience in the UK financial services sector, providing concrete measures for firms and their critical service providers to follow.
But why this emphasis on CTPs? CTPs, such as cloud providers and technology partners, have become essential to the operation of many financial institutions. However, the reliance on these external providers introduces new risks. A disruption in any of these key services could have a domino effect, potentially impacting multiple financial firms and customers simultaneously. Recognising this, the regulators have developed standards to ensure that CTPs are resilient, minimising the risk of sector-wide disruption and strengthening the overall stability of the financial system.
Direct Oversight Standards: The new policy empowers regulators to directly oversee certain CTPs. CTPs deemed critical to the financial sector will need to meet specific resilience standards set by the BoE and PRA, promoting consistent levels of protection across the industry. Testing and Simulation Requirements: Just as financial firms conduct stress testing, CTPs will be expected to demonstrate their ability to recover from various scenarios. The focus is on real-world threats—cyber breaches, infrastructure failures, and other vulnerabilities that could impact service delivery to financial institutions.
Rigorous Testing Standards: CTPs will now face regular testing and scenario analyses to demonstrate their ability to recover from disruptions. This includes resilience against cyber threats, technology failures, and other potential crises, helping financial institutions understand and manage these risks more effectively.
Enhanced Collaboration and Transparency: The policy encourages financial institutions to work closely with their CTPs, sharing risk information and resilience plans to ensure that vulnerabilities are identified and managed proactively.
For financial services firms, this policy statement means a renewed focus on strengthening their third-party oversight and operational resilience. Firms will need to work closely with CTPs to ensure compliance with the new standards and address any gaps in resilience. This likely involves reassessing due diligence, updating risk assessments, and enhancing communication with critical partners.
If you’ve not done so already, now is the time to evaluate and strengthen your relationships with CTPs to understand their resilience measures, update your risk assessments, and ensure that your oversight practices align with the new standards.
For enquiries, please contact us at 0207 436 0630 or via email at info@thistleinitiatives.co.uk.