Regulated financial services institutions and financial market infrastructure (FMI) providers often rely on third parties who provide significant services to them behind the scenes, including “cloud” services and IT services like data analytics. These services are becoming increasingly important to the operation of these individual firms and to the financial sector as a whole. However, the service providers have not, hitherto, been subject to direct regulatory oversight.^[1] Risks are seen to arise from financial firms’ reliance on a small number of major service providers and the effect that any failure of those providers could have on the financial stability of the financial markets. The issue is one which is coming into sharp focus for regulators globally.

The U.K. is now taking steps to address the problem. The U.K. laid the groundwork for a critical third-party providers (CTP) regime through the Financial Services and Markets Act 2023 (FSM Act 2023). The detail of the new regime is now being consulted upon and it will be progressed by the U.K.’s financial regulators during the course of 2024.

By way of comparison:

• The EU Digital Operational Resilience Act^[2] (DORA) came into force last year. It aims to provide a comprehensive framework for managing digital and ancillary risk in the financial sector, with requirements for both financial services firms and the third parties that supply key digital services to them.
• The U.S. has so far focused on the banking institutions that utilize third-party services, as opposed to the third parties themselves. U.S. federal regulators have published interagency guidance for banking organizations on their relationships with CTPs.^[3] The U.S. Treasury Department has published a report on the provision of cloud services to the financial sector.^[4] The Department plans to examine the particular challenges posed by cloud service providers, including through its Cloud Executive Steering Group, enhanced monitoring of cloud services and encouraging the development of financial institutions’ risk management practices for cloud services.

This note provides an overview of the U.K.’s CTP regime and considers the U.K. regulators’ proposed rules, including the wider implications for the financial services sector and their CTPs and how they compare to the EU’s regime under DORA.

Scope

The FSM Act 2023^[5] granted HM Treasury new powers to designate service providers as CTPs if their failure would pose a threat to financial stability or confidence in the U.K. financial system. Once designated, a CTP will be subject to direct oversight by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) (the Regulators). HM Treasury has not yet designated any CTPs, but the Regulators have begun consulting on their proposals for rules and regulatory expectations under the new regime.^[6] The deadline for the joint consultation is March 15, 2024.

The incoming U.K. regime will apply to the provision of any service by a third-party provider deemed to be sufficiently critical to financial stability or confidence. This is broader than the EU’s regime under DORA, which is restricted to “ICT third-party service providers,” namely those providing digital and data services on an ongoing basis through information and communication technology (ICT) systems.

Designation of CTPs

When designating CTPs, HM Treasury is required by the FSM Act 2023 to consider two factors:

• The materiality of the third party’s services to the delivery of essential activities, services or operations in the financial sector. “Essential” activities, services or operations are those which are essential to the U.K. economy or the stability of, or confidence in, the U.K. financial system.
• The number and type of “authorized firms” (meaning firms approved by the U.K. regulators to provide regulated services and products and referred to in this note as “regulated firms”), “relevant service providers” or FMI entities to which the services are provided. “Relevant service providers” are e-money and payment firms, regulated under the Electronic Money Regulations 2011^[7] and Payment Services Regulations 2017,^[8] FMI entities include recognized clearing houses, central securities depositories, investment exchanges and payment systems—collectively referred to in this note as “licensed entities.”

Before designating a CTP, HM Treasury must consult the Regulators, though in practice the Regulators are likely to recommend CTPs to HM Treasury for designation. In CP26/23, the Regulators state that they are unlikely to recommend designation of firms that are already overseen by a Regulator (e.g., a licensed entity that also offers a critical service), provided that the services offered are subject to a suitable level of supervision. The Regulators propose to recommend CTPs on the basis of the materiality and concentration of the services supplied to firms and FMIs and other drivers of systemic impact, such as the substitutability of the services. The Regulators have indicated that they intend to keep designations of third-party service providers to a small group of presumably the biggest IT firms. A service provider that is being considered for designation must be given advance notice and permitted to make representations about the proposal, which HM Treasury is obliged to consider before making its final determination. This approach to bringing CTPs under regulatory supervision reflects the fact that the nature of the activities that will be subject to oversight are not financial services, payments services or the provision of FMI for which advance regulatory approval is required before the activity is undertaken. In some respects, the CTP process is similar to that already existing for the recognition by HM Treasury of inter-bank payment systems, under which HM Treasury can recognize such a system of its volition.^[9] The new CTP process is also different to that of the U.K.’s new designated activities regime whereby any entity undertaking an activity that has been designated by HM Treasury must comply with specific legislative requirements and FCA rules.

Under the EU’s DORA, the European Supervisory Authorities (the European Securities and Markets Authority, European Banking Authority and European Insurance and Occupational Pensions Authority (together, the ESAs)) will designate CTPs upon the recommendation of the Oversight Forum, a sub-committee made up of representatives from the ESAs and EU Member State regulators. The designation of CTPs will be determined on similar criteria to those applicable under the U.K.’s regime. These include the systemic impact that the CTP’s failure would have on the stability of the provision of financial services, the systemic character or importance of the financial entities that rely on the CTP’s services and the extent to which financial entities rely on the services supplied for their “critical or important functions” (being functions which, if disrupted, would materially impair the financial entity’s performance or service continuity), as well as the substitutability of the third-party service provider.

Location of CTPs

Under the U.K. regime, the location of the CTP is irrelevant—service providers located anywhere in the world may be captured if their failure would pose financial stability or confidence risk to the U.K. and they otherwise satisfy HM Treasury’s thresholds for designation.

It is not proposed that a CTP would be required to have a U.K.-established entity. CTPs without a U.K. head office would be required to nominate a legal person to accept statutory notices issued by a regulator and any related litigation process documents.

Like the U.K. regime, the EU’s DORA can apply to CTPs anywhere in the world. DORA imposes more stringent requirements regarding the establishment of CTPs than the U.K., requiring them to establish an EU subsidiary if they are providing services that affect the supply of financial services in the EU.

Regulatory Supervision of CTPs

Rules

The FSM Act 2023 empowers the Regulators to make rules for CTPs in connection only with services provided to licensed entities. Services that designated CTPs provide to other types of business will not be captured by the Regulators’ rules.

Once designated, CTPs would not be permitted to suggest or imply that designation indicates an advantage to potential users of its services.

The Regulators are proposing a two-tier approach for supervising CTPs; this will consist of high-level CTP Fundamental Rules and detailed operational risk and resilience requirements.

• Six high-level CTP Fundamental Rules would apply to all the services a CTP provides to licensed entities. These would require a CTP to:
  • conduct its business with integrity;
  • conduct its business with due skill, care and diligence;
  • act in a prudent manner;
  • have effective risk strategies and risk management systems;
  • control its affairs responsibly and effectively; and
  • deal with regulators in an open and cooperative way and disclose to the regulators anything of which they would reasonably expect notice.

These proposed fundamental rules are a lighter-touch version of the Principles for Business applied to regulated banks and investment firms. Notably, the FCA’s high-level principles that are geared towards adequacy of financial resources or customer protection are not proposed for CTPs; the new Consumer Duty will similarly be inapplicable.

• Eight detailed operational risk and resilience requirements would apply to a CTP’s “material services” (i.e., those whose failure would pose a risk to the stability of, or confidence in, the U.K. financial system). The requirements relate to:
  • governance;
  • risk management;
  • dependency and supply chain risk management—this requirement is separate to, but forms part of, the risk management requirement and requires CTPs to ensure that firms which are key to its delivery of material services to licensed entities satisfy certain resilience outcomes;
  • technology and cyber resilience;
  • change management, requiring a CTP to have a systematic approach to managing changes to a material service;
  • mapping, for example identifying and documenting the resources the CTP uses to deliver its material services and interdependencies between the resources it identifies;
  • incident management; and
  • termination of services.

It is proposed that CTPs would be subject to self-assessment, testing, disclosure and notification requirements. The Regulators would require CTPs to notify them and the licensed entities to which they provide services of “relevant incidents” impacting services. Broadly, these are incidents that could seriously disrupt the delivery of an important financial service or the availability or integrity of financial services firms’ assets.

Under the EU regime, CTPs will be subject to an Oversight Framework monitored by a Lead Overseer (being one of the ESAs, appointed for each CTP upon the recommendation of the Oversight Forum) who will conduct monitoring missions and inspections of CTPs’ rules and processes and the overall impact of their activities on the financial sector.

Disciplinary Measures

A range of disciplinary measures are available to the Regulators if they consider a CTP has breached their rules, including:

• public censure;
• prohibiting the CTP from providing services to licensed entities;
• prohibiting licensed entities from using the services of the CTP or entering into arrangements to receive those services; and
• imposing conditions upon the provision or receipt of a CTP’s services.

The Regulators will consult on draft statements of policy on the approach to disciplinary measures prior to publication of the final CTP rules. It is unclear at this stage how actively the Regulators will pursue third parties; nor can it be anticipated whether they will adopt a similar approach to that for regulated firms. Regulatory enforcement actions can be brought against regulated firms for breaches of high-level rules known as “principles”—such as, for example, conducting business with integrity and due care, skill and diligence. The vaguely defined nature of these principles has led to some inconsistent application and, in places, a lack of sophisticated legal reasoning when Regulators take disciplinary action against regulated firms. It remains to be seen whether a similar approach will be adopted with enforcement of the CTP Fundamental Rules.

In the EU, under DORA, Member States are empowered to establish administrative penalties for breaches, which must include the following: cease and desist orders for non-compliant conduct, temporary or permanent bans on practices or conduct that are contrary to DORA, and the ability to publish public notices identifying those who have committed breaches. Member States are also entitled to impose criminal penalties. The U.K. regime avoids such a harsh approach, making no provision for criminal liability for breach of the proposed CTP regime.

Timing

The Regulators’ rules and expectations would, it is proposed, apply from the time that an entity is designated as a CTP by HM Treasury. The statutory requirements would apply to the CTP at the same time. Because no entities have yet been designated and the Regulators’ rules are still under consideration, CTPs are unlikely to be obliged to comply with the new regime until much later in 2024, at the earliest.

The EU’s DORA regime came into force on January 16, 2023, and will apply from January 17, 2025.

Bank Resolution and Recovery

Banks subject to the EU Bank Recovery and Resolution Directive (EU BRRD II),^[10] or the U.K.’s equivalent regime (U.K. BRRD II),^[11] are required to make provision in their resolution plans for disruption to “critical” and, in the case of EU BRRD II, “essential” services supplied by third parties. “Critical services” are those needed to provide a “critical function” (i.e., an activity which, if discontinued, would be likely to lead to the disruption of services essential to the real economy or to threaten financial stability). Under U.K. BRRD II, “critical services” also include the equivalent of the EU’s “essential services,” which are those associated with core business lines of the firm (i.e., which represent material sources of revenue, profit or franchise value) whose continuity is necessary for the implementation of the firm’s resolution strategy.

These essential or core business line services capture a slightly broader range of services than the U.K. CTP regime, which primarily focuses on threats to financial stability and systemic risk. Under the U.K. CTP regime, the U.K. Regulators can consider the materiality of CTPs’ services to a firm’s “Important Business Services”^[12] (which include those relevant to the individual firm’s safety and soundness), but this is not determinative for the purposes of designation.

Banks are expected to undertake various activities with respect to relevant services under the EU and U.K. resolution and recovery regimes, including mapping those services, assessing the level of risk posed to operational continuity in the event of their interruption and ensuring that contracts for the provision of those services are resolution-resilient (e.g., by including non-termination and transferability provisions).

The resolution and recovery rules are not part of the DORA regime or the incoming CTP regime in the U.K. and represent a separate set of rules that firms subject to EU or U.K. BRRD II must consider.

Implications for Regulated Financial Services Firms and FMIs

The Regulators clarify that the CTP rules and expectations will not reduce the responsibility of licensed entities, their boards and senior management. Licensed entities must continue to assess the risks for their outsourcing and third-party arrangements, including undertaking appropriate due diligence.

DORA adopts the same position, clarifying that the Oversight Framework governing CTPs does not replace firms’ obligation to manage their own CTP risks. DORA also imposes requirements directly upon the financial services firms that rely on CTPs, including internal governance frameworks and the need to include contractual provisions in their arrangements with CTPs, such as a clear description of the services provided by the CTP and the location from which the services are provided.

Footnotes

[1] EU and U.K. outsourcing requirements applicable to banks and other firms have resulted in essentially an indirect form of regulation of third party service providers, since they require regulated firms and certain FMI to carry out diligence on their outsourced service providers and impose detailed service levels, amongst other requirements.
[2] See Regulation (EU) 2022/2554.
[3] See Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency, “Interagency Guidance on Third-Party Relationships: Risk Management”, June 6, 2023.
[4] See U.S. Department of the Treasury, “The Financial Services Sector’s Adoption of Cloud Services,” February 8, 2023. The Financial Stability Oversight Council, which is chaired by the Secretary of the Treasury, has called for enhanced coordination among state and federal regulators on third-party service provider examinations, including with regard to cloud computing. See Financial Stability Oversight Council, “2023 Annual Report”.
[5] The FSM Act 2023 is discussed in our client note, “A Boost for UK Financial Services.”
[6] Following feedback to their July discussion paper, “DP3/22 – Operational resilience: Critical third parties to the UK financial sector,” July 2022, the Bank of England, PRA and FCA have now published a consultation paper, “CP26/23 - Operational resilience: Critical third parties to the UK financial sector,” 7 December 2023.
[7] S.I. 2011/99.
[8] S.I. 2017/752.
[9] See HM Treasury, The recognition process for inter-bank payment systems: a guidance note, August 2009.
[10] The EU’s regime for critical services under EU BRRD II is primarily contained in Commission Delegated Regulation (EU) 2016/778 with further guidance provided in the Single Resolution Board’s “Expectations for Banks” and “Operational Guidance for Operational Continuity in Resolution.”
[11] The U.K.’s regime for critical services under U.K. BRRD II is primarily contained in the Banking Act 2009 and the PRA’s Operational Continuity Rulebook.
[12] “Important Business Services” are services provided by a firm, or by another person on behalf of the firm, to another person which, if disrupted, could pose a risk to: (1) where the firm is, or is controlled by, an O-SII, the stability of the U.K. financial system; or (2) the firm’s safety and soundness (1.2, Operational Resilience part of the PRA Rulebook).

[View source.]