Critical Third Parties to the financial services sector discussion paper published

Background

Following a recent Law-Now on this topic which focused on HMT’s confirmation that it will legislate to permit financial regulators to directly oversee and supervise (previously unregulated) “critical” third parties (“CTPs”) that provide services to the finance sector, the Bank of England, PRA and FCA (together, “the regulators”) have published a joint discussion paper (the “paper”) giving more detail on their proposed approach. This follows the publication of the Financial Services and Markets Bill (the “FSM Bill”) on the 20th July 2022 (see our Law-Now for our comments on the FSM Bill here). Discussed below are some of the regulators’ initial ideas on resilience standards and testing, their proposed use of statutory powers and how they might best coordinate with other relevant authorities outside the finance sector. For the purposes of this article, we have assumed that the third party has already been designated as a CTP by HM Treasury.

Minimum resilience standards for CTPs

The paper discusses the FSM Bill’s proposal to allow supervisory authorities to create the rules for CTPs setting out the expected resilience standards and associated requirements. As part of this, the FSM Bill includes a proposed requirement for regulatory coordination by supervisory authorities which could lead in practice (the paper argues) to a coordinated set of minimum resilience standards for CTPs, with any difference in standards between supervisory authorities being necessary with regard to their statutory requirements.

The potential minimum standards proposed in the paper include:

1. Identification: this would involve the CTP identifying and documenting those services provided to firms and financial market infrastructure firms (“FMIs”) which, if disrupted, could affect their material services;
2. Mapping: this would include the CTP identifying and documenting the technology, processes, people, facilities and information required to deliver their services (including in the supply chain);
3. Risk management: this is designed to ensure the CTP has controls in place against identified risks to its services;
4. Testing: this is designed to ensure the CTP regularly tests, both internally and through tests convened by the supervisory authorities
5. Engagement with the supervisory authorities: this involves the CTP disclosing relevant information to the supervisory authorities, including on threats and other similar topics;
6. Financial sector continuity playbook: this is designed as a place for the CTP to document steps and measures it has taken to address specific risks. It is designed to be updated regularly and submitted to the supervisory authorities;
7. Post-incident communication: the CTP should develop a communications plan to engage with all relevant stakeholders which addresses loss of confidence and any estimated time frames for the restoration of any lost materials or the services; and
8. Learning and evolving: this is designed to ensure that the CTP learns and evolves from disruption (either to itself or third parties) and from tests, while sharing the lessons with the supervisory authorities and their finance customers.

Resilience testing of CTPs

In the paper, the regulators argue that a one-size-fits-all approach to resilience testing would not be resource efficient, effective or proportionate. As such, they propose instead to rely on a variety of testing tools combined with cross-sectoral exercises with the most relevant for each CTP being chosen periodically, taking into account factors such as the number of functions the CTP supports, the supervisory authority’s confidence about the CTPs services (and their prior engagement with them) and the type of services the CTP provides (amongst others). It is proposed that where appropriate, the regulators may carry out testing jointly, while they could also take any tests the CTP carries out internally or by non-UK financial supervisory authorities or UK competent authorities and public bodies, provided they meet certain criteria.

Some of the proposed testing methods include:

• Scenario testing ;
• Sector-wide exercises;
• Cyber-resilience testing; and
• Information-gathering and skilled persons’ reviews.

Supervisory authorities’ use of proposed statutory powers over CTPs

The paper states that the ‘overriding goal’ of the proposals contained within it is to ‘manage the systemic risks that CTPs pose to the supervisory authorities’ objectives.’ As part of this, the FSM Bill contains proposals to give the regulators statutory powers, in addition to the regulator’s aim to encourage dialogue both with CTPs and the businesses they serve. The regulators could use these powers if circumstances suggest a CTP may have breached a requirement, or they believe it to be ‘necessary or expedient to advance their objectives’.

The proposed powers include:

• The power to issue a direction to a CTP, compelling them to do or not do something as appropriate;
• In the event a CTP breaches a requirement:
  • Instigate limitations or conditions on the CTPs ability to provide services;
  • Publish a censure detailing the breach; and
  • Issue a notice of disqualification to the CTP which could prohibit them from entering into future services agreements (also prohibiting firms from conducting agreements with the CTP in breach) or prohibit the CTP from providing any services it may be providing at that point.
• The power to appoint a ‘skilled person’ to report on the CTP’s compliance. The subsequent report could then be used for a variety of purposes including assessing whether the CTP has implemented any actions set out in a direction.

The proposed powers could be used to target all or some of the services that a CTP may provide, and to all or some of those to whom it provides those services.

Coordination with UK competent authorities and public bodies outside the finance sector

The paper acknowledges that in addition to providing their services to the finance sector, CTPs may also serve customers in other sectors, including those that form part of the UK’s critical national infrastructure. While the FSM Bill only proposes to give the regulators powers relating to ensuring CTP compliance from a finance sector point of view, the paper confirms the regulators intention to investigate how best to coordinate with other non-financial regulators.

Other entities who are suggested the regulators may seek to coordinate with include:

• The Information Commissioner’s Office (the “ICO”) (beyond the MoU already in place);
• The National Cyber Security Centre; and
• Members of the Digital Regulation Cooperation Forum (which includes the ICO alongside Ofcom).

The paper then goes on to highlight areas of potential coordination with each of these regulators such as working with the ICO on the revised Network Information Security Regulations and on incident reporting, and suggests the possibility of cross-sectoral resilience testing.

Interplay with existing regulatory requirements

Firms, FMIs and individuals performing Senior Management Functions within firms and FMIs are already subject to existing regulatory requirements. It is intended that the CTP regime will be complimentary to such existing requirements. What this means in practice is that the new CTP regime is not intended to reduce the responsibilities that firms and FMIs have for managing potential risks to their own operational resilience arising from third parties under existing requirements. This is irrespective of whether those third parties are CTPs or not.

As the regulators develop greater understanding of CTPs through their supervisory engagement, it is not entirely clear whether firms and FMIs may find themselves needing to strengthen their existing management or monitoring of CTPs. The paper assumes that this will occur as it expects the regulators to ask firms and FMIs (through their business-as-usual interactions) to enhance their due diligence, monitoring or business continuity and exit plans for material services they receive from a specific CTP, particularly if there are concerns about the resilience of those CTPs.

Impact on CTPs

The proposed regime will result in compliance, governance and cost burdens to CTPs as a consequence from direct supervision and oversight by the regulators. This may have a commercial impact on the service offerings CTPs currently offer to firms and FMIs.

We expect that regulatory status will have greater emphasis during contractual negotiations. Firms and FMIs are likely to use the regime to increase their negotiating leverage when seeking assurances from CTPs relating to operational resilience (which in the past the service providers may have attempted to resist) to take into consideration the measures envisaged under the FSM Bill. This would be in addition to the usual provisions which firms and FMIs need to flow down to service providers in order for the firms and FMIs to comply with the current operational resilience framework.

As CTPs are likely to be dependent on the conduct of firms and FMIs in order for the CTPs to fulfil certain of their regulatory obligations, it is likely that CTPs themselves may also seek to impose certain requirements on firms and FMIs, such as in the areas of cooperation, coordination, and information requirements. Where appropriate CTPs will also need to flow down their new regulatory requirements on entities in their supply chains. The paper expressly covers this scenario as it proposes requirements for CTPs to develop, maintain and test financial services sector continuity playbooks. The paper explains that the playbooks are intended to promote greater coordination among multiple CTPs, firms and FMIs and the regulators when responding to disruption.

Comment

The paper provides welcome detail on the approach the regulators are initially proposing to take following the publication of the FSM Bill. It also includes questions at the end of each chapter, giving an opportunity for stakeholders to provide feedback which should assist the regulators in shaping their proposals as they develop further. In keeping with the time periods suggested in our previous article, the deadline for responses is Friday 23rd December 2022. Whilst the statutory framework for the proposal has already been put forward as part of the FSM Bill, however the details of the regime (such as the criteria for designating a third-party as critical) is at a very early stage. This, in addition to the regulators having issued a high level “discussion paper” rather than a detailed “consultation paper” incorporating draft rules indicates to us that the timelines and planning for this new regime may not be entirely practicable.

While the proposals contained in the paper are only initial, and the FSM Bill has only recently been issued, the direction of travel appears to be clear. Those entities designated as CTPs are likely to be subject to further regulation and will need to ensure that as the proposals are finalised and subsequently introduced, they can comply with them. At this initial stage, technology service providers to the UK financial services sector may find it useful to review their existing and future arrangements with firms and FMIs and with entities in their supply chains to ascertain whether they have potential to be designated as CTPs. If designation looks likely the paper provides a useful outline of the regulators’ areas of focus. This could be useful guidance to support an initial scoping exercise to understand the practical implications of the regime and for informing ongoing and future engagement with firms and FMIs.