The PRA, FCA and the Bank of England (the Regulators) have identified, for some time, the growing dependency of the UK finance sector on critical third parties who supply services to the finance sector (CTPs), including, in particular, the largest cloud service providers. The Regulators have identified that this reliance on certain CTPs, without due oversight and controls, could pose a systemic threat to the stability of the UK financial system.
The same risk has been identified by regulatory authorities in Europe, who have legislated to try to mitigate the exposure, including the implementation of the EU Digital Operational Resilience Act (DORA), which has passed into law and will apply from 17 January 2025 in EU Member States.
On 7 December 2023, the Regulators published a Consultation Paper (CP26/23) that sets out the UK Regulators’ response to this risk area and the proposed requirements for CTPs to the UK finance sector (Proposed CTP Regulations).
The Proposed CTP Regulations include guidance as to how third parties will be designated as CTPs and a series of proposed obligations on CTPs with a view to managing potential risks to the stability of the UK financial system that may arise due to a failure in, or disruption to, the services that a CTP provides to financial entities (firms) and financial market infrastructure entities (FMIs).
The proposed obligations on CTPs include rules in relation to risk and resilience management, management of supply chain, management of cyber risk, incident management, continuity of service for service recipients (on termination), scenario testing, notifications to service recipients and Regulators, record keeping and cooperation with Regulators.
The Proposed CTP Regulations are a further step towards recognising the importance of service providers themselves, as opposed to simply requiring the firms and FMIs to take appropriate actions in relation to their use of their services (whether via their contract terms or otherwise). Firms and FMIs should benefit from the scrutiny and direct oversight by the Regulators of the CTPs, and the imposition of additional and direct obligations on CTPs to help manage security, supply chain risk and business continuity risks.
Whilst the Proposed CTP Regulations align with DORA in creating a new regime for CTPs, we note that the Proposed CTP Regulations have a less broad scope than some of the standards set out in DORA and, in particular, do not include obligations on the CTPs to include particular contractual provisions or undertakings in their contracts with their customers in the financial services sector. For example, where DORA requires service providers to include certain termination rights and service levels for the benefit of the service recipients, there are no such requirements included in the UK regime. Equally, the Proposed CTP Regulations, unlike DORA, do not contemplate the application of rules to any other providers of information technology services that are not designated as CTPs, but that nonetheless provide services that might relate to the critical or important functions of the financial entity.
WHAT ARE CTPS & HOW WILL THEY BE IDENTIFIED?
HM Treasury (HMT), in consultation with the Regulators, will have the power to designate certain third parties that provide services to firms or FMIs as a CTP.
The key consideration for HMT is whether it believes that a failure in or disruption to the services provided by the third party in question could threaten the stability of, or confidence in, the UK financial system.
HMT must bear in mind the following two high-level criteria when making a CTP designation:
- the materiality of the services that the third party provides to firms and FMIs to the delivery of essential activities, services, or operations; and
- the number and type of firms and FMIs to which the person provides services.
Regulators could also consider the potential impact of the failure or disruption of services provided by third parties, taking into account possible factors such as substitutability of their services (and the lack of a viable alternative). Regulators will also have regard to reports from firms and FMIs regarding third party support for their “Important Business Services” as defined under the Regulators’ other operational resilience policies / rules (including, for example, PRA SS 1/21).
The third parties likely to be identified are those whose failure/disruption could have an impact on the supervisory authorities’ objectives, including UK financial stability, market integrity and consumer protection. A key point is the recognition that the impact must be likely to be systemic, not just impactful for a particular FMI or firm. Accordingly, CTPs are expected to account for a very small number and percentage of those third parties providing services to firms and FMIs. They will also not include service providers who are already subject to other regulatory regimes which are likely to provide the same or similar levels of comfort to that which the Proposed CTP Regulations seek to provide.
We note three developing areas are identified where the designation is likely to become increasingly important: the widespread use of AI, quantum computing and hyper-scale cloud.
SCOPE OF APPLICATION OF THE PROPOSED RULES
It is proposed that the rules will apply to CTPs in relation to their provision of services to firms and FMIs (in the UK) and will be agnostic as to the location of a CTP. Accordingly, for example, US-domiciled service providers (such as the main hyperscale IaaS organisations) will fall within the ambit of the rules.
However, the regulators propose to apply their most granular proposed requirements and expectations only to a CTP’s material services to firms and FMIs.
WHAT ARE THE PROPOSED RULES / REQUIREMENTS?
In summary, the obligations placed on CTPs include the following key elements:
CTPs will be required to comply with certain “fundamental rules” under the oversight regime. These rules are set out at a high level, and will likely provide the regulators with a broad scope for interpretation (especially with the benefit of hindsight!). The Fundamental Rules are that a CTP must:
- Conduct its business with integrity.
- Conduct its business with due skill, care and diligence.
- Act in a prudent manner.
- Have effective risk strategies and risk management systems.
- Organise and control its affairs responsibly and effectively.
- Deal with the regulators in an open and cooperative manner, and disclose appropriately anything relating to the CTP of which the regulators would “reasonably expect” notice.
These are widely stated obligations (effectively the proactive notification requirement) and will likely operate to create a de facto presumption of breach in any circumstance where a major incident or outage has caused disruption to the financial services system.
Operational Risk and Resilience Requirements
CTPs will be required, in relation to material services, to comply with eight broad requirements including the following:
- Governance – Establish clear governance in relation to responding to events that cause disruption to services, including the appointment of a central point of contact for the Regulators.
- Risk Management – Set up risk management processes and frameworks, including in relation to supply chain, cyber, data and financial risks, to be updated on an ongoing basis.
- Supply Chain – Manage risk to its supply chain, including managing “Nth party” service provider risk, making third parties aware of the CTP’s regulatory requirements and ensuring they facilitate them, including permitting access to regulators to oversee the CTP’s operations. CTPs should test supply chain disruption in their internal audit process.
- Technology and Cyber Resilience – Ensure the resilience of any technology that supports a service, including by having technology and cyber risk management and operational resilience measures and regular testing of those measures.
- Change Management – Ensure that it has an effective approach to dealing with changes to a material service, including changes to the processes or technologies used to support a material service.
- Mapping – Identify resources, including technology, used to deliver, support, and maintain each material service it provides.
- Incident Management – Manage incidents that may affect the delivery of a material service, including by implementing appropriate measures to respond and recover from incidents in a way that minimises their impact, including documenting tolerance levels for disruption to services, business continuity plans and maintaining a financial sector incident management playbook.
- Termination – Put in place measures to respond to a termination of any of its material services, including arrangements to support the orderly and timely termination of those services, including (if applicable) their transfer to another person, and provision for ensuring access, recovery, and return of any relevant assets (including data) to the firms or FMI service recipients.
Information-gathering, Self-assessment and Testing
- Information-gathering – CTPs must be able to evidence compliance with the rules on an annual basis and upon request.
- Self-assessment – CTPs will be required to submit a balanced and thorough self-assessment of compliance with the rules, including areas for improvements.
- Testing – A CTP must carry out regular scenario testing of its ability to continue providing each of its material services within its maximum tolerable level of disruption in the event of disruption to its operations. A CTP must also test the measures in its financial sector incident management playbook annually.
- Sharing of assurance and testing information with firms and FMIs – CTPs must ensure sufficient and timely information is given to the firms and FMIs they provide services to, in order to enable them to manage risks related to their use of the CTP’s service.
- Incident Notifications – The incident notification requirements apply to an incident (planned or unplanned) that actually does, or has the potential to, seriously disrupt the delivery of a material service, or seriously and adversely impact the availability, authenticity, integrity, or confidentiality of assets relating to the firms.
- Notification to firms, FMIs and regulators – CTPs must provide to the firms, FMIs and regulators an initial incident notification, one or more intermediate incident notifications and a final incident notification. The notifications must provide sufficient information in relation to the details of the incident, including the services impacted, the cause, the steps taken to restore the service, the anticipated recovery time and, once a relevant incident has been resolved, identified areas for improvement.
- Other Notification Requirements – CTPs must also notify regulators in circumstances where they are (i) involved in disputes or proceedings that pose a significant threat to their reputation or ability to provide any material service, (ii) subject to criminal proceedings or sanctions, or (iii) subject to financial difficulty and considering entering into an insolvency proceeding or restructuring plan.
Orderly Records – A CTP must arrange for orderly records to be kept of its business in so far as it concerns the provision of services to firms or FMIs. These records must be sufficient to enable each Regulator to perform its oversight functions and ascertain whether or not the CTP has complied with its duties.
The Proposed CTP Regulations are significant to those service providers that may be designated as CTPs and that have not historically been subject to direct oversight from the Regulators.
Firms and FMIs should benefit from the scrutiny and direct oversight by the Regulators of the CTPs, and the imposition of obligations on CTPs, including in relation to information sharing, security, supply chain management and business continuity.
We note, however, that the Proposed CTP Regulations are less comprehensive than DORA. In contrast to DORA, the proposed regime falls short of including obligations on the CTPs to include particular contractual provisions or undertakings in their contracts with service recipients. For example, where DORA requires service providers to include certain termination rights and service levels for the benefit of the service recipient, there are no such requirements included in the UK regime. Equally, the Proposed CTP Regulations, unlike DORA, do not contemplate the application of rules to any other providers of information technology services that are not designated as CTPs, but that nonetheless provide services that might relate to the critical or important functions of the financial entity.