The Bank of England, Prudential Regulation Authority and the Financial Conduct Authority (FCA) have issued a joint Policy Statement on the new Operational Resilience Rules for Critical Third Parties (CTPs) that will come into force on 1st Jan 2025.
E-money and payments firms need to note, though, that they will remain accountable and responsible for managing the risks in any outsourcing or third-party arrangements with designated CTPs. Firms also need to take into account the FCA's observations on the CrowdStrike outage in July 2024, which can be found here.
The regulators have also stressed that the fact that a third-party has been designated as a CTP by the Treasury does not mean that it is inherently more resilient or better suited to provide services than a non-designated third-party.
However, the regulators state that some features of the CTP regime, such as the information-sharing requirements, may assist firms in managing these risks. These information-sharing requirements cover the results of testing (including scenario testing and the incident management playbook exercise) and any action taken as a result, the annual self-assessment, and the maximum tolerable level of disruption set for each service provided to the firm.
How Neopay can help
Navigating the complexities of Operational Resilience can be challenging, but Neopay is here to simplify the process for your business. We offer expert guidance on designing and implementing robust operational resilience frameworks that align with regulatory expectations. Our team can assist in evaluating and managing risks associated with outsourcing and third-party arrangements, as well as preparing your organisation to meet the new requirements for scenario testing, incident management, and self-assessments.
By leveraging our compliance expertise, we help businesses not only meet but exceed regulatory standards, turning compliance into a strategic advantage. Whether you need tailored advice, hands-on support, or a comprehensive review of your operational resilience strategies, Neopay provides solutions designed to protect your business and support your long-term success. Contact us today to learn how we can help.
Contents of the new rules for Critical Third-Parties
The new rules include:
- Identifying potential CTPs and recommending them for designation
- CTP Fundamental Rules:
  - CTP Fundamental Rule 1: A critical third party must conduct its business with integrity.
  - CTP Fundamental Rule 2: A critical third party must conduct its business with due skill, care and diligence.
  - CTP Fundamental Rule 3: A critical third party must act in a prudent manner.
  - CTP Fundamental Rule 4: A critical third party must have effective risk strategies and risk management systems.
  - CTP Fundamental Rule 5: A critical third party must organise and control its affairs responsibly and effectively.
  - CTP Fundamental Rule 6: A critical third party must deal with a regulator in an open and co-operative way, and must disclose to a regulator appropriately anything relating to the critical third party of which it would reasonably expect notice.
- CTP Operational Risk and Resilience Requirements:
  - Requirement 1: Governance;
  - Requirement 2: Risk management;
  - Requirement 3: Dependency and supply chain risk management;
  - Requirement 4: Technology and cyber resilience;
  - Requirement 5: Change management;
  - Requirement 6: Mapping;
  - Requirement 7: Incident management; and
  - Requirement 8: Termination of services.
- Assurance, scenario testing and incident management playbook exercise:
  - General evidence requirement
  - Scenario testing
  - Incident management playbook exercise
  - Self-assessment
- Information sharing with firms, including, but not limited to:
  - the results of testing, including scenario testing and the incident management playbook exercise, and any action taken as a result;
  - the annual self-assessment, redacted as appropriate; and
  - the appropriate maximum tolerable level of disruption set by the critical third party for each systemic third party service provided to the firm.
- Incident reporting to regulators and affected firms, including an initial, intermediate and final incident report
- Notifications to regulators
- Reports by skilled persons
- Record keeping