The UK HM Treasury recently published its proposal for regulating critical third parties (“CTP”) to the finance sector, which was followed by the UK financial regulators’ joint Discussion Paper.
Why regulating CTPs is necessary
Regulating CTPs to the financial sector is by no means a new concept. The EU’s Digital Operational Resilience Act (“DORA”), which seeks to regulate critical Information and Communication Technology (“ICT”) service providers to the financial sector, has been provisionally agreed.
Although regulators across the world have attempted to regulate firms’ and financial market infrastructure firms’ (“FMIs”) control over CTPs, a key challenge remains that the third parties themselves are not directly subject to similar regulations, with the exception of a few limited areas. Additionally, the market share of certain CTPs further increases the risk of systemic disruption, a risk which cannot be managed solely by contracts between firms/FMIs and third parties.
Designation of CTPs
Under the proposed regime, HM Treasury will be able to designate certain third parties as “critical”, after consulting the financial regulators. Regulators may also proactively recommend the designation of CTPs.
The Financial Services and Markets Bill, which was recently put before Parliament, further sets out a proposed statutory framework for identifying CTPs. The two high-level criteria proposed are:
Materiality: the materiality of the services provided by the CTPs to firms’ and FMIs’ activities, services or operations that are essential to the economy of, or financial stability in the UK.
Concentration: the number and type of firms and FMIs to which the CTPs provide services.
Unlike under DORA, both ICT and non-ICT service providers, such as providers of claims management services to insurers, could be considered for such designation.
Measures applicable to CTPs
Once designated, CTPs will be subject to:
Rules made by the financial regulators: These rules will include minimum resilience standards and requirements to carry out resilience testing to demonstrate compliance with the minimum resilience standards. The Discussion Paper currently considers scenario testing, sector-wide exercises and cyber resilience testing. Testing results could then be shared with firms and FMIs.
The minimum resilience requirements may draw on aspects of Annex F of the CPMI-IOSCO Principles for Financial Market Infrastructures, which is already widely applied by regulators in the UK and globally. A detailed list of potential minimum resilience standards for CTPs is set out in Section 5.8 of the Discussion Paper.
Enforcement powers of the regulators: Such powers include the right to request information and investigate, the right to commission an independent “skilled person” report, the right to interview a representative of the CTP, and the right to enter relevant premises under warrant.
If a CTP breaches an applicable requirement, under the Discussion Paper the regulators may publish a statement giving details of the breach, impose conditions or limitations on the CTP’s provision of services to firms and FMIs, and issue disqualification notices prohibiting or restricting the CTP from entering into future agreements with, or providing future services to, firms and FMIs.
What’s next
Some of the proposed measures already reach CTPs indirectly via the current outsourcing regimes, which apply to the firms and FMIs that use them. The significance of HM Treasury’s proposal and the Discussion Paper, however, is that CTPs themselves will be subject to ongoing, continuous regulatory monitoring and to the enforcement powers of the regulators. Breaches of the new regime by CTPs will therefore have a much more direct financial and reputational impact on the CTPs.
Responses to the Discussion Paper are requested by 23 December 2022. Subject to the outcome of Parliamentary debates on the Financial Services and Markets Bill, and to the responses received to the Discussion Paper, the regulators will consult further on their proposed requirements and expectations for CTPs in 2023.