In view of the increasing reliance of UK financial services firms on third parties to facilitate business services or to perform certain functions, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have launched a joint consultation on this topic. Specifically, the authorities seek to establish rules for the designation of critical third parties (CTPs) that may pose risks to the UK financial market, for example in case of failure or service disruption, and to impose stringent requirements on CTPs that intend to provide services to UK financial firms and financial market infrastructures (FMIs). The location of a CTP would be irrelevant for the rules to apply.
#### Designation as CTPs
Specifically, the PRA and FCA propose that HM Treasury use its powers under Section 312L of the Financial Services and Markets Act 2000 to designate CTPs upon the recommendation of either the PRA or the FCA. The designation (and the recommendations) would primarily be based upon the following two key criteria:
– the significance of the services provided by third parties to essential functions of firms and FMIs, and
– the number and types of firms and FMIs reliant on these services.
However, the authorities also propose other factors to be considered, such as the potential impact of service failure (e.g. in case of wind-down of a third party), the substitutability of these services (whether another third party could provide similar services), and the feedback from firms and FMIs on their use of third parties to support their “Important Business Services”. Another important aspect to consider would be how quickly and easily, or how laboriously, affected firms and FMIs could migrate to another service provider.
Once the HM Treasury has made a decision to designate a third party as a CTP, the third party would be notified of the decision in private. Upon this notification, the Treasury would release a corresponding order. A designation decision will be reviewed by the PRA and the FCA on a regular basis to ensure that the conditions for being designated are still met.
#### Proposed fundamental CTP rules to comply with
The two regulators propose to establish a set of fundamental rules that CTPs would have to adhere to. These rules are high level in nature and include the following – as quoted:
– a CTP must conduct its business with integrity.
– a CTP must conduct its business with due skill, care and diligence.
– a CTP must act in a prudent manner.
– a CTP must have effective risk strategies and risk management systems.
– a CTP must organize and control its affairs responsibly and effectively.
– a CTP must deal with the regulators in an open and co-operative way, and disclose to the regulators appropriately anything relating to the CTP of which the regulators would “reasonably expect” notice.
#### Proposed minimum resilience standards for CTPs
The two regulators further propose to implement various rules to ensure the resilience of CTPs and thus the proper functioning of the UK financial market. These rules include requirements as to the governance of CTPs, risk management, the management of technology and maintenance of cyber resilience, and the wind-down of operations. The most significant requirements include the following:
– a CTP would have to establish governance policies and procedures to clearly assign relevant tasks for responding to service-disrupting events and would be required to appoint a central contact point for regulators.
– a CTP would have to set up policies and procedures to oversee its own supply chain and to ensure that its own third-party providers are aware of the regulatory obligations. In this context, CTPs would also have to audit their own supply chain and test it for disruptions.
– a CTP would have to allow the regulators access to its systems.
– a CTP would have to identify systems and technology that are critical to providing its service AND that are critical for its clients. Consequently, CTPs would be required to frequently evaluate and test these critical components to ensure resilience.
– a CTP would have to develop an incident response mechanism with clear tasks and responsibilities assigned in case of material incidents.
#### Recordkeeping and notification obligations
The FCA and PRA propose to require CTPs to report any incident (planned or unplanned) that seriously disrupts service delivery or impacts the security and availability of “assets” in relation to the CTPs. Such reports would have to provide details of the incident such as the affected services, the causes of the incident, the steps taken to mitigate the impacts and to resolve the root cause, the expected recovery time, and areas for improvement after the incident has been resolved. CTPs would thereby have to provide initial, intermediate, and final incident notifications to affected firms, FMIs, and the regulators. Other notification requirements would also apply in cases of significant threats to reputation or service provision due to disputes, criminal proceedings, penalties, financial difficulties, or intentions to enter insolvency or restructuring.
Finally, CTPs would be required to maintain adequate records pertaining to their business activities concerning services provided to FCA and PRA supervised firms or FMIs. These records should be detailed enough to allow regulators to effectively oversee a CTP’s operations and determine if it has met its obligations as outlined above (and subsequently in the rules).