UK Regulators Propose Rules for Supervising Critical Third Parties

Following feedback to their July discussion paper, the U.K. regulators—the Bank of England, Prudential Regulation Authority and Financial Conduct Authority—have launched a joint consultation proposing rules and regulatory expectations for critical third parties. This follows concerns that the financial sector relies heavily on unregulated service providers, particularly in the IT sector, for critical infrastructure whose failure could cause systemic issues or customer issues. The Financial Services and Markets Act 2023 gave HM Treasury powers to designate an entity as a "critical third party" if its failure would pose financial stability or confidence risk to the U.K. and the regulators will have new direct powers over third parties that provide critical services to authorized firms, their service providers and financial market infrastructures. The regulators' rules would only apply to the services provided by a CTP to one of those firms. Responses to the consultation may be submitted until March 15, 2024.

The consultation paper provides a summary of the responses to the earlier discussion paper and sets out the criteria the regulators propose to use to identify and recommend potential CTPs to HM Treasury for designation. At this stage, HM Treasury has not designated any CTPs. The regulators state that they are unlikely to recommend firms and FMIs that are already overseen by one of them, provided that the services provided are subject to a suitable level of supervision.

The regulators are proposing a two-tier approach to supervising CTPs consisting of a set of high-level CTP Fundamental Rules applicable to all the services a CTP provides to firms and FMIs and other more detailed operational risk and resilience requirements that would apply to a CTP's material services. It is proposed that "material services" would be those whose failure would pose a risk to the stability of, or confidence in, the U.K. financial system. It is also proposed that CTPs would be subject to self-assessment, testing and disclosure requirements, and would be required to notify the regulators and the firms and FMIs to which they provide services of any incidents impacting services.

It is not proposed that a CTP would be required to have a U.K. established entity. The regulators' rules and expectations would apply to the services, regardless of where they are carried out, provided by a CTP to firms and FMIs regulated by one of the regulators. CTPs without a U.K. head office would be required to nominate a legal person to carry out certain functions on their behalf, such as accept statutory notices issued by a regulator.

The regulators' rules and expectations would, it is proposed, apply from the time that an entity is designated a CTP by HM Treasury. This would be the same time that the statutory requirements apply to a CTP.

Finally, the regulators clarify that the CTP rules and expectations will not reduce the responsibility of the regulated firms and FMIs, their boards and senior management. Firms and FMIs must continue to assess the risks for their outsourcing and third-party arrangements, including undertaking appropriate due diligence.

You may like to read our client note on this topic, "The U.K.’S New Regime for Critical Third Party Supervision". 

Return to main website.