In June 2022, HM Treasury published its ‘Critical third parties to the finance sector’ policy paper, which describes the trend for financial services firms and financial market infrastructure firms to rely increasingly on third parties for the delivery of key functions and services, through outsourcing and other arrangements such as cloud computing services.
Whilst recognising the cost savings and other benefits that these arrangements typically offer, the paper calls out potential systemic risks to the financial services sector as firms become reliant on a small number of cloud service providers and other critical third parties:
“In particular, if many firms rely on the same third party, the failure or disruption of this ‘critical’ third party could threaten the stability of, or confidence in, the financial system of the United Kingdom.”
According to a January 2020 report from the Bank of England, approximately 65% of UK firms use the same four cloud providers for cloud infrastructure services. The report does not name the providers, but the usual suspects include Amazon Web Services, Microsoft Azure and Google Cloud.
Following engagement with financial regulators and industry participants, the policy paper sets out HM Treasury’s proposals for reducing the risk of systemic disruption to the financial market, whilst preserving financial stability and market confidence.
Current regulatory framework
Currently, each regulator sets its own requirements and expectations for the operational resilience of firms. In turn, firms must ensure that their contractual arrangements with third parties permit compliance with the operational resilience framework, including requirements on key issues such as data security, business continuity and exit planning. For example, the Prudential Regulation Authority published a detailed Supervisory Statement in March 2021 which describes the PRA’s regulatory requirements and expectations for the firms it regulates in relation to outsourcing and third party risk management.
Critical third party regime
The new regime (which will require primary legislation to bring it into effect) will enable HM Treasury, in consultation with the financial regulators and other bodies, to designate certain third party providers as ‘critical’. Designation will take place through secondary legislation and will take into account high-level criteria such as the number and type of services the third party provides and the materiality of those services. Once a third party is designated as critical, the financial regulators will be able to exercise a range of powers over it in respect of any material services it provides to the finance sector.
In particular, the financial regulators will be given powers to make rules relating to the provision of these material services, to gather relevant information from critical third parties, and to take formal action (including enforcement) where needed.
They will also be able to set minimum resilience standards that critical third parties will be directly required to meet, and to require them to take part in a range of targeted forms of resilience testing to assess whether those standards are being complied with. In this regard, the regulators will have powers to:
- request information about the resilience of material services provided to firms, and compliance with applicable requirements;
- commission an independent ‘skilled person’ to report on the critical third party’s services;
- appoint an investigator to examine potential breaches of the new requirements;
- interview a representative from the third party and require production of documents; and
- enter the third party’s premises under warrant as part of an investigation.
Other powers, to be set out in the primary legislation, will include the power to direct critical third parties to take, or refrain from taking, specific actions, as well as enforcement powers to publicise failings and (as a last resort) to prohibit a critical third party from providing future services, or from continuing to provide services, to firms.
The government plans to introduce the legislation needed for the new critical third party regime as soon as parliamentary time permits. Shortly after that legislation is introduced, the financial regulators will publish a joint Discussion Paper describing how the powers granted to them might be exercised, and seeking views from industry on the most effective and proportionate way of doing so. A Consultation Paper will then follow, building on feedback to the Discussion Paper. Once the regulators’ new rules are final, HM Treasury expects to start designating the first critical third parties under the new regime.
HM Treasury does not mention the EU’s proposed regulation on digital operational resilience for the financial sector (known as DORA), which will establish, for the first time, an EU-wide regime for the direct oversight of certain critical ICT (information and communications technology) third party providers.
Post-Brexit, we can expect the UK’s new rules to diverge somewhat from DORA, which envisages a more detailed, prescriptive approach. Service providers designated as critical under both regimes will therefore need to keep abreast of two new regulatory frameworks, although generally speaking we expect the two regimes to be broadly aligned. And whilst the new UK rules will apply directly to critical third parties rather than to firms, firms remain responsible for managing their own operational resilience risk, so they will need to consider any impact on their policies and processes including, as appropriate, contractual terms and conditions.
If you would like to discuss how the new critical third party regime will impact your business and how to get ready for it, please get in touch with the author or your usual Fladgate contact.