Operational Resilience and Critical Third Parties | Wayne Scott, NCC Group

Hugo sits down with Wayne Scott, NCC’s Regulatory Compliance Solutions Lead, for a discussion of operational resilience and critical third parties, a recently developing area of financial-technology regulatory policy-making.

techUK's Hugo Rousseau, Head of Financial Services, and NCC Group's Wayne Scott, Regulatory Compliance Solutions Lead, discuss a number of key topics, including future changes to the policy-making landscape, ensuring operational compliance and the release of the DP3/22 discussion papers.


The Prudential Regulatory Authority's (PRA) Supervisory Statement 2/21 regulations are already set to be mirrored across the Financial Markets Infrastructure, with the same rules expected to be applied to critical third parties. Doing so would also bring UK financial services critical third parties in line with the upcoming Digital Operational Resilience Act (DORA) regulation.

SS2/21 predominantly focuses on “important business services”, such as business-critical third-party applications, which, if disrupted, would impact the PRA’s objectives in creating a more coherent regulatory landscape, a firm’s reputation and ultimately the financial stability of the UK. As a result, the PRA makes it clear that firms should assess the materiality and risks of all third-party agreements using all relevant criteria set out in Chapter 5 of the statement.

Organisations should assess the resilience of their supply chain, categorising outsourcers on their criticality, financial stability and concentration risk, with particular attention paid to services in the cloud. Once this is understood, businesses can put the appropriate strategies and systems in place to manage risk. This can include implementing robust onboarding and procurement policies and ensuring software escrow agreements and verification testing are built into any supplier contracts. 
