Critical third parties: final policy and rules demonstrate a welcome cooperation between regulators and industry

21/11/2024

The new critical third parties (CTPs) regime comes into force from 1 January, 2025 and will be hugely significant for designated CTPs to the UK financial sector.

The policy statement issued jointly by the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Bank of England (PS24/16/PS16/24) provides feedback to responses received to the consultation paper earlier this year.

Overall, the finalised rules have focused this expansion of the regulatory perimeter on the most systemic risks to the financial industry presented by CTPs.

Clarification

The new rules offer some helpful clarifications:

  • The term "material service" has been dropped in favour of "systemic third-party services", which reflects that the concern, from a regulator's perspective, relates more to the systemic risk posed by potential disruption or failure of these services.
  • The CTP Fundamental Rules, which are broad principles of behaviour, apply to systemic third-party services only — and not to the whole of a CTP's business as originally proposed. This is a significant development as it is rare for the regulators to voluntarily cut down their jurisdiction in this way.
  • However, Fundamental Rule 6 — requiring the firms to be open and cooperative — still applies across the business. To reflect the reality of how this will work, the regulators have given some guidance in SS6/24 about the situations that will engage this rule.
  • There is no need to have a bespoke financial sector incident management playbook where existing compliant policies and procedures can be used instead.
  • There is additional clarity on what "acting in a prudent manner" means. The concern from respondents had been that such a principle would import a prudential regime like those for banks or insurers through the back door; the guidance now clarifies that this is much more limited in scope.
  • Supply chain risk management requirements on a CTP have been limited to its key service providers only. The obligation to inform and cooperate with companies providing services is now limited to key suppliers (when previously it appeared to apply to all providers, no matter how minor).
  • The principle of proportionality has been expressly encoded into the CTP rules at an overarching level. This makes clear that the strategies, processes and systems required by the rules must be proportionate to the nature, scale and complexity of the CTP's activities.
  • The Supervisory Statement has included the concept of a "shared responsibility model" and clarifies that the CTP rules do not require CTPs to take responsibility for things that are the responsibility of their customers under a contract.

The new rules only trigger the critical incident reporting requirements where there has been a critical incident that has caused serious disruption to the provision of critical services or impacts operations rather than a "near-miss".

Industry feedback accepted

Unsurprisingly, several of the suggestions made by respondents were not accepted:

  • A significant number of respondents advocated for additional fundamental rules requiring CTPs to be open and cooperative with their financial services clients and to support them in compliance with their own regulations. In rejecting the proposal, the regulators have been clear that firms' own regulatory obligations are not to be reduced.
  • The regulators stuck to their view that testing by a CTP of its ability to operate within its own impact tolerances should take place regularly and be done with a representative sample of customers. That said, the frequency of testing was reduced to once every two years (following the first test, which must take place within a year of designation).
  • A CTP's self-assessment: there were very conflicting responses on the proposed rule that a CTP share a summary of its regular self-assessment with its financial services clients. The regulators rejected the suggestion that this should be removed and have not only retained it but have amended the final rule to require the full self-assessment to be provided to a CTP's client with redactions for confidentiality.

Interestingly, the regulators have highlighted that there are knowledge gaps in CTPs' responses. In the regulators' view, this could be an obstacle to the effective implementation of the regime, but this should not be surprising given that CTPs have not been regulated directly before.

Compliance with the spirit of the rules, not just the letter, is likely to need to be an iterative process for CTPs in their move toward embedding regulatory rules and expectations for the first time. It would be naïve to expect that new CTPs would automatically have an overnight culture of compliance. After all, the financial services industry has spent 25 years learning to live with the Financial Services and Markets Act 2000.

The fact that a significant amount of industry feedback has been accepted is unusual. The regulators normally do not accept wholesale redrafts of parts of their rules or supervisory statements and often accept only minor or corrective amendments to them.

The regulators have engaged with industry feedback. Despite the UK regulators' continuing adaptability, there have always been questions about regulators' skill sets and knowledge base in developing areas and technological advancements. The level of adoption of suggested changes by regulators shows they have listened and are open to expert industry views. This is very much a good thing and indicates that regulators and industry will tackle the challenges of the future together.

 

This article was first published in Thomson Reuters on 20 November 2024