Operational Resilience: How do we address the risks of Critical Third Parties in the UK financial sector?

By David Norton, Senior Manager at fscom

The dependence on AWS, Microsoft and other global suppliers by financial services firms, not just in the UK but globally, is well-recognised but not so well-addressed, yet. It’s the question that constantly comes up in my discussions with clients when I advise on operational resilience, and indeed, during wider industry forums. 

It reflects a sector-wide quandary: the struggle to manage this ‘over-reliance’ on critical third parties (CTPs) that are intrinsic not only to the delivery of an individual firm’s important business services, but to the entire UK financial sector, owing to their size, extensive service offerings and global reach. This has prompted a decisive response from UK regulators.

Regulatory Response: A Proactive Approach 

Recognising the potential risks this dependence poses, UK regulators, including the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), have actively sought to tackle these challenges head on. This resulted in the publication, in December 2023, of consultation paper CP26/23, Operational resilience: Critical third parties to the UK financial sector (Bank of England), which sets out the proposed framework with which the UK regulators plan to address these risks.

How will the regulators define Critical Third Parties? 

“The financial sector’s increasing reliance on CTPs (Critical Third Parties) including, but not limited to, cloud service providers, could increase UK financial stability risks in the absence of greater direct regulatory oversight of the resilience of the services they provide”  

Bank of England, Financial Policy Committee (FPC), Financial Policy Summary and Record, October 2022 

This statement acknowledges that individual firms cannot provide absolute assurance of resilience, particularly when it comes to large CTPs that supply services to regulated firms.

This raises a number of questions. How do the supervisory authorities define a supplier of services as critical to the UK financial sector? More importantly, how do they define a supplier to be a risk to the stability of the whole sector? 
 
The supervisory authorities propose, under a new CTP Oversight Regime, to recommend to HM Treasury (HMT) certain organisations which pose a systemic risk to the stability of the UK financial sector, based on the following parameters:

  • The materiality of the services which that third party provides to firms; 
  • The number and type of firms/FMIs which use a third party; and 
  • The potential impact of a failure in/disruption to services. 

HMT will then consult with the organisation before reaching a decision on whether to designate them as a Critical Third Party. 

How do the regulators propose to oversee CTPs? 

The regulators propose to extend the current supervisory framework to designated CTPs.  
 
This would include fundamental rules which they would expect all CTPs to meet (integrity, prudence, transparency with regulators, effective risk management systems) and a second set of more granular rules dealing with material services only: mapping, technology and cyber resilience, incident management, change management, governance, risk management, dependency and supply chain management, incident management and termination of services. CTPs would have to self-assess against these rules on a regular basis.

These self-assessments would be examined under the information gathering and assurance testing that is currently in place for other firms – for example, “Information on request under s312P FSMA” and “Skilled person reviews under s166(3) FSMA”. In some instances, CTPs may be required to share their assurance and testing information with their firm and FMI customers so that those customers can comply with their own regulatory obligations.

Additionally, there would be an obligation for designated CTPs to notify the regulators separately of certain events or disruptions. 

Conclusion 

As a firm maps out its Important Business Services as part of its operational resilience programme, have the regulators now answered the question that firms have when dealing with the challenges posed by dependency on Critical Third Parties? 

The regulations are very clear. It is a firm’s responsibility to ensure that it gains assurance on the resilience of all critical processes that deliver its important business services; that it can continue to deliver these within its impact tolerances in the event of a disruption; and that it remediates any vulnerabilities.

This means that efforts must continue to be made to gain that assurance, irrespective of whether any supply chain includes a supplier which the regulators will designate as a Critical Third Party.

Obviously, this will continue to be a challenge, particularly where an individual firm seeks to gain assurance from a much larger organisation. This is commonly the case when regulated entities seek detailed information from large multinational, multi-jurisdictional companies such as cloud suppliers. It is not yet clear whether individual companies will be able to rely on evidence gathered by the regulators as satisfying their requirements in this area.

A Call to Collaborative Action 

Hopefully firms will have engaged in the consultation, which closed last week, and shared their opinions on how the regulators’ efforts to develop policy in this area are advancing. We also hope that firms have been able to convey the challenges they face in gaining assurance from Critical Third Parties, and to seek clarity on the level of assurance they need to ensure their resilience in the event of a disruption on a scale that could potentially impact the wider market.

fscom continues to provide expert advice on Operational Resilience and, if you would like to speak about any aspect of the subject, please get in touch with me, David Norton, or indeed any of our team here.

This blog contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.