UK Financial Regulators to Have Direct Oversight of Critical Third Parties

Pillsbury Winthrop Shaw Pittman LLP

Pillsbury Winthrop Shaw Pittman LLP

Under a proposed new regime, UK financial regulators will be granted a range of powers over third parties that provide critical services to the finance sector.


  • Third parties will be designated as “critical” by HM Treasury under secondary legislation, in consultation with other regulators (FCA, PRA, Bank of England, etc.).
  • Once designated, third parties will be required to meet minimum resilience standards and be subject to direct oversight from the UK regulators.
  • Further details are expected in a Discussion Paper, which will seek views from the industry on the most effective and proportionate way to proceed.

The dependency of many firms on a limited number of critical third parties for key services within the financial services sector has increased in recent years. As of 2020, over 65% of UK financial services and financial market infrastructure firms used the same four cloud providers for cloud-infrastructure services. The failure or disruption of one of these critical third parties could have a systemic impact across the financial sector. Against this backdrop of reliance, the UK Government has confirmed that it will legislate to bring third-party providers into the regulatory perimeter.

The current regulatory regime consists of an operational resilience framework which primarily covers data security, business continuity and exit planning. Regulated firms are required to ensure that their contractual arrangements allow them to comply with this framework, but the regime does not apply to the third-party providers in their own right and so does not address the systemic risk that disruption could cause for a third party providing key services to multiple firms.

According to a policy statement issued by the UK Government, under a new regime, HM Treasury (in consultation with other regulatory bodies) will have the power to designate third parties as “critical.” Once designated, financial regulators will be able to exercise a range of powers directly against such third parties, including:

  • Rulemaking powers relating to the provision of material services and minimum resilience standards that must be met;
  • The power to require the third parties to take part in targeted resilience testing;
  • Information gathering and investigatory powers (including the power to conduct formal interviews, appoint investigators and enter premises under a warrant);
  • The power to commission a “skilled person’s” report;
  • Powers to direct the third parties to take (or refrain from taking) specific actions; and
  • The ability to bring formal actions and enforcement (including publicizing failings and, as a last resort, prohibiting the provision of future services).

Draft legislation will be published implementing the new regime, and a Discussion Paper will then follow, setting out in detail how the powers will be exercised in practice and seeking views from industry participants. Once the new legislation is passed, a Consultation Paper is anticipated which will build on feedback from the Discussion Paper and contain the proposed rules. Once finalized, HM Treasury will begin the process to designate the first critical third parties under the new regime.


The new UK announcement comes shortly after the European Parliament and the Council of the European Union reached a provisional agreement on the EU Digital Operational Resilience Act (DORA). Like the new UK proposal, DORA seeks to bring critical third parties, such as cloud-service providers, within the regulatory perimeter. While the two regimes have a broadly common purpose, there are some key differences in the approach being taken. For example, the new UK regime seeks to take a broader approach, in contrast to the detailed risk management requirements contained in DORA. International financial service firms and cloud-service providers will need to review both regimes to ensure their proposed compliance plan meets all requirements.

While more details will become available once the proposed legislation and the Discussion Paper are published (although no date is given for when these can be expected), it does look like a step towards partial standardization across the providers of critical services to the financial services sector. This will be welcome news to regulated firms who have been calling out for consistency, especially in the context of cloud-service providers. The proposal may also ease the burden of contractual negotiation with the critical service providers.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Winthrop Shaw Pittman LLP | Attorney Advertising

Written by:

Pillsbury Winthrop Shaw Pittman LLP

Pillsbury Winthrop Shaw Pittman LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.