Critical Third Parties: The unstoppable march of the regulatory universe

United Kingdom

Expansion of the regulatory perimeter

The Financial Services and Markets Act 2023 establishes a new Critical Third Parties regime which, for the first time, gives the FCA, PRA and Bank of England the power to make rules governing critical third party service providers (CTPs) to the UK’s financial services industry. The regulators have now published a joint consultation paper (CP26/23) setting out this new regulatory framework for CTPs.

The new rules bring CTPs into the scope of the regulatory perimeter for the first time, reflecting a significant and transformative shift for CTPs but not, it seems, for the firms that appoint them. The regulators have made it clear that this regime is about regulatory oversight of the infrastructure that supports the financial system and does not relax the outsourcing and third party risk management rules applicable to firms and financial market infrastructure entities (FMIs).

Who are CTPs?

CTPs are essentially those service providers to the financial services industry that provide services to firms and/or FMIs of a kind that, if disrupted, could threaten the stability of, or confidence in, the UK financial system. They will be proposed by the regulators and designated by HM Treasury (HMT) based on:

  • materiality of the services which the third party provides to firms and FMIs to the delivery of essential activities, services or operations;
  • the number and type of firms and FMIs to which the third party provides services.

The assessment is therefore based on the nature and impact of the services they provide, rather than their legal status or sector.

Some firms and FMIs that are already subject to regulation by one or more of the regulators may objectively meet the criteria for designation as a CTP in respect of the services they provide. But the regulators are unlikely to recommend these firms and FMIs for designation as CTPs if they are already subject to a level of supervision and oversight that delivers at least equivalent outcomes to this new regime.

We expect that CTPs will include entities such as cloud providers, data processors and payment system providers, amongst others. CTPs will not be ‘firms’ but will have a quasi-regulatory status with their own body of rules.

The framework

The proposed rules, in the main, are drawn from existing sections of the regulatory universe. The proposed requirements differ from the areas that were covered in the discussion paper (DP3/22) in many ways, for example, by including notification requirements.

At a high level, CTPs would be subject to:

  • CTP Fundamental Rules that are drawn from the existing regulatory Fundamental Rules for firms;
  • operational resilience and mapping requirements that have been drawn from the existing operational resilience regime that applies to firms (see SYSC 15A and PRA SS1/21);
  • requirements to have governance, change, cyber security, supply chain and risk management frameworks that include requirements that will not be unfamiliar to CTPs, e.g. business continuity requirements and oversight over material subcontractors;
  • obligations to notify the regulators, firms and FMIs in the event of certain incidents and incident management requirements, including to maintain and operate a Financial Sector Incident Management Playbook;
  • new requirements not to unduly use their designation status as a CTP, which were not included in the discussion paper.

What does this mean for CTPs?

  • Internally, CTPs will need to grapple with implementation. CTPs are expected to apply a proportionate and risk-based approach to these outcomes-based rules, taking into account the nature, scale and complexity of each CTP's services, and the potential impact of a disruption, failure or breach of those services. High-level requirements such as the Fundamental Rules are not easy to translate into practical steps: there is existing guidance, but no clear definition of what the Fundamental Rules mean in practice. To a large degree it may be a case of mapping and documenting the robust systems and governance that CTPs already have in place in order to demonstrate compliance, e.g. existing oversight over their supply chain and risk management frameworks. In other areas, such as notifications, new processes will need to be embedded. CTPs may also need to review all of their own third party outsourcing arrangements to ensure that they accurately reflect their existing and new processes once these rules are implemented.

  • When it comes to CTPs’ customers and terms of business, these may not need to change. But CTPs may want to develop packages or standard terms that set out clearly the processes they have implemented in order to comply with the requirements, e.g. the impact tolerances they have set, so that firms and FMIs can align those targets with their own impact tolerances.

  • Interestingly, the regulators have tried to avoid the ‘halo effect’ by proposing that CTPs will be unable to unduly use their designation for marketing purposes. A CTP would be required to refrain from indicating or implying that it has the approval or endorsement of the regulators by virtue of its designation as a CTP, or of being overseen by the regulators, in respect of the services it provides to firms or FMIs. We expect this will be challenging for CTPs to implement; sales teams, for example, will need to be aware that designation cannot be used as a selling point with new clients. Non-CTPs may also want to consider the approach they take so as not to risk being left behind in offering their services to financial institutions.

  • These requirements may be challenging for CTPs that operate cross-border, particularly given that DORA in Europe imposes different rules. We expect CTPs will want to adopt a highest common denominator approach, but it will be particularly interesting to see how some of the requirements are implemented cross-border where there is a global operating model. By way of example, a cyber incident would be unlikely to be limited to a specific jurisdiction and may trigger notification requirements to numerous regulators, firms and FMIs in multiple jurisdictions. Logistically, this could be very difficult to manage, particularly where time to resolution is critical.

What does this mean for firms and FMIs?

This new regime should not change compliance for firms or FMIs. They should continue to deploy the same tools of oversight as they do currently and for non-CTP suppliers in their supply chains.

Firms and FMIs that already engage a proposed CTP are likely to want to ask the CTP what it is doing to comply with these new requirements and how it is approaching the consultation. We think this will be particularly relevant for firms and FMIs in the context of operational resilience: the paper envisages that firms and FMIs will align their impact tolerances with those of CTPs, so firms and FMIs will want to know what those impact tolerances are. It has sometimes been challenging for firms and FMIs to obtain enough information from third parties to support their own impact tolerance setting, so we expect these proposals may be helpful for firms and FMIs in this regard.

Although the regulators have tried to address the potential for misuse of CTP designation status in the paper, it is difficult to see how that can be effectively implemented: firms entering into material outsourcing arrangements will want to understand, during tendering, how the CTP complies with the proposed new rules and how that might affect their effective oversight. Firms are also likely to want to ensure that standard contractual terms (e.g. representations and warranties) in their agreements with the CTP reflect that the CTP is regulated directly and will comply with the laws that apply to it. It will be interesting to see whether that will constitute ‘misuse’ from the regulators’ perspective.

What’s next?

The consultation closes on 15 March 2024.

The regulators intend to publish an approach document setting out how they will carry out their oversight roles in relation to CTPs. HMT will also produce a memorandum of understanding (MoU) setting out how the regulators intend to coordinate the exercise of their respective functions. Both of these documents are expected “in due course”. We understand that the MoU and approach document will provide further details on how the regulators will coordinate their engagement with and oversight of CTPs in practice.

For those designated as CTPs, which have never before been regulated directly by financial regulators, the regime is likely to result in significant work. Although CTPs will have a great deal of latitude in how they meet these requirements, they will also have to face a naturally dynamic regulatory environment.

Please let Joy Davey or Angela Greenough know if you have any questions on this consultation paper or on financial services outsourcings generally.

First published by Thomson Reuters.