On 7 December 2023, the Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA) and Bank of England (BoE) jointly published a Consultation Paper (CP) on Operational resilience: Critical third parties to the UK financial sector (PRA CP26/23 and FCA CP23/30).
The CP sets out the proposed requirements to be established in rules and accompanying expectations for critical third parties (CTPs).
The key aim of the proposed requirements and expectations in the CP is to manage potential risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the services that a CTP provides to one or more authorised persons, relevant service providers, and/or financial market infrastructure entities (FMIs) (either individually or, where more than one service is provided, taken together).
The proposals
The proposed requirements for CTPs in the CP are set out in three identical but separate rule instruments issued by each of the FCA, the PRA and the BoE – these are identical in effect and substance and should be interpreted accordingly. The regulators propose to apply the rules to all CTPs that are designated by HM Treasury, regardless of the specific firms and FMIs to which the CTP provides services.
The regulators propose to introduce:
- A set of six Fundamental Rules that CTPs would be required to comply with in respect of all the services they provide to firms and FMIs (wherever carried out).
- Eight Operational Risk and Resilience Requirements that CTPs would be required to comply with in respect of their material services, on governance, risk management, dependency and supply chain risk management, technology and cyber resilience, change management, mapping, incident management, and termination of services.
- A range of information-gathering and testing requirements.
- Requirements for CTPs to notify the regulators, as well as the CTP’s firm and FMI customers that receive an affected service, of certain incidents.
- Requirements to prevent a CTP from unduly using its designation for marketing purposes.
- A requirement for a CTP whose head office is outside the UK to nominate a legal person with authority to receive documents and notices from the regulators.
- Record keeping and emergency relief requirements.
Next steps
The deadline for feedback to this consultation is 15 March 2024.
The BoE and PRA note that they also intend to consult on a joint statement of policy in relation to the use of their disciplinary powers over CTPs in due course, which will be aligned to their ongoing wider review of enforcement. To maintain a joint approach to the CTP oversight regime across the three regulators, the FCA intends to consult on its statement of policy on the use of disciplinary powers over CTPs around the same time.
The regulators also intend to publish a document setting out how they will carry out their oversight roles in relation to CTPs in due course. This document will aim to help CTPs, firms and FMIs understand how the regulators will oversee CTPs in practice and uphold the regulators’ accountability to the public and Parliament through greater transparency.