The Bank of England, the Prudential Regulation Authority (or PRA) and the Financial Conduct Authority (or FCA) have teamed up for a rewriting of measures to oversee critical third parties. The move comes as an effort to increase the resilience of the financial sector. We’re breaking down what these new measures entail and how they are expected to be implemented.
In a discussion paper, the FCA, PRA, and the Bank of England layout mitigation actions to sway the risk of disruption in critical third parties. Critical third parties, or CTPs are services provided by third party companies designed to offer services to regulated financial firms and FMIs, or Financial Market Infrastructure firms. These, however, come from outside the UK and therefore they might cause harm to consumers or financial stability if they are disrupted. They come with a lot of benefits, but also increasing reliance on critical third parties will inevitably cause systemic risks to the supervisory authorities of the FCA, PRA and Bank of England’s objectives. Working with critical third parties is, therefore, a risk to UK financial firms and FMIs.
Designed to complement, not replace, UK firms’ and FMIs’ existing responsibilities, the discussion paper outlines how firms and FMIs are expected to make changes that will allow for faster innovation, efficiency gains, scalability, reduced costs, better customer results and improved operational resilience, as overseen by the FCA, PRA and the Bank of England.
The discussion paper linked on the FCA website outlines various potential measures for how the three supervisory authorities could implement these changes, including changes to UK legislation like the Financial Services and Markets Act 2000 and the Banking Act 2009. Such suggestions for changes include creating a framework for identifying potentially risky critical third parties, which would be used as evidence of recommendations for formal designation by HM Treasury, “minimum resilience standards” to be applied to all critical third party services that are applied to UK firms and FMIs, and a means of testing the resilience of material services that are offered by critical third parties to UK firms and FMIs. This last framework will include a range of tools, including scenario testing, participation in sector-wide exercises, cyber resilience testing and skilled persons reviews of critical third parties.
Stressing the importance of such measures, Nikhil Rathi, Chief Executive of the FCA said: “In an increasingly digital world, financial businesses are more dependent on a small number of third-party providers. That can bring significant benefits, but also comes with resilience risk. We want an open discussion about how we should use new powers Parliament is giving us to oversee the services these third parties provide to the financial sector and reduce the risk of major disruption, which could cause harm to consumers and markets.”
As mentioned, these additional measures are not intended to replace the existing responsibilities of UK financial firms and FMIs but instead will supplement existing responsibilities in an effort to manage risks from critical third parties. The combined supervisory authorities of the FCA, PRA and the Bank of England, are considered the overseers of these new measures and will follow the systemic risks expected to come from critical third-party services to firms and FMIs.
This need for new measures to stabilise critical third parties was stressed by Sam Woods, the Deputy Governor of Prudential Regulation and the CEO of the PRA who said: “It is vital that the firms we regulate can rely on services provided to them by third parties, particularly where those third parties
have become critical parts of the system. Today’s paper sets out our thinking on how we can ensure the right levels of resilience for those services – we would welcome views from anyone taking an interest in this area.”
Jon Cunliffe, Deputy Governor for Financial Stability said: “Financial market infrastructure firms are becoming increasingly dependent on third-party technology providers for services that could impact the financial stability of the UK if they were to fail or experience disruption. The potential measures examined in this DP provide an initial, but important step for the Bank of England to manage these systemic risks (in coordination with the FCA). The DP also includes suggestions to improve coordination between the Bank/PRA and FCA, international financial regulators, and UK non-financial regulators, which is key given the cross-border and cross-sectoral nature of many critical third parties and the services they provide.”
Comments on the discussion paper is open until December 23rd, 2022. The three authorities of the FCA, PRA, and the Bank of England plan to regroup in 2023 to consult on the suggested requirements and expectations for critical third parties. You can find the discussion paper on the FCA website or on the Bank of England website under DP3/22 – Operational resilience: Critical third parties to the UK financial sector.