HM Treasury to publish a critical third party regime
The regulators’ approach to resilience
The Prudential Regulation Authority (PRA) has issued outsourcing requirements covering operational resilience, cloud, data, data location, data security, data classification and business continuity, together with a range of other matters relevant to technology providers. Supervisory Statements SS1/21, on operational resilience, and SS2/21, on outsourcing and third-party risk management, have set the tone for what the regulators expect from financial services firms and for the increased scrutiny they can expect.
From identifying the important business services whose disruption could cause intolerable harm to consumers, through setting impact tolerances for them, to testing their ability to remain within those tolerances, financial services firms have been required to complete a significant programme of work across all aspects of operational resilience by 31 March 2025.
Whilst regulators have adopted a principles-based approach, financial services firms face several operational challenges. Firms have had to change their operating models during the pandemic, adopting hybrid working and ambitious digital transformation programmes, and layering further requirements on resilience and third-party management on top of that adds to the burden on the sector.
In the process, firms have outsourced many more services and automated many manual processes. They now have to reconsider their operating models and supply chains, as regulators will demand greater accountability from financial services firms for the services they rely on.
This could prove difficult, as many services no longer run on the premises of financial services institutions. It also means revisiting many contracts with IT providers. In this new digital world, regulators' expectations could alter some existing developments and operating models, since firms must perform and maintain due diligence on their suppliers and carry out risk and materiality assessments for the provision of core services.
Beyond operational resilience there is now a much stronger requirement for enterprise-wide supply chain management capabilities that map and manage third party risks to core business processes.
Whilst regulators have established a dialogue with industry, these new regulatory developments are affecting firms' IT deployments and risk management at the same time as firms are adopting innovative technologies to compete in an increasingly competitive market.
Critical third parties brought in within the regulatory perimeter
Following these developments, earlier this month HM Treasury published a policy statement announcing that it will designate certain third parties which provide services to financial services firms as 'critical'. The financial regulators will then be able to make rules, gather information and take enforcement action in respect of certain services that critical third parties provide to firms, where those services are of particular relevance to the regulators' objectives.
This move from HM Treasury also fits within a wider international regulatory context. The European Union has published similar draft requirements for technology providers in the Digital Operational Resilience Act (DORA). DORA includes direct oversight of critical ICT third-party providers serving financial entities, on top of additional requirements for financial services firms themselves.
HM Treasury considers that, whilst the financial regulators' current powers allow them to set requirements and expectations for financial services firms, these powers are not by themselves sufficient to tackle the systemic risk that disruption at a third party providing key services to multiple firms could cause. In particular, HM Treasury highlights the risk stemming from concentration, and the information and power asymmetries between firms and some service providers, which may prevent firms from obtaining adequate assurance that their contractual arrangements achieve an appropriate level of operational resilience.
HM Treasury therefore considers that there is a ‘gap’ in the current regulatory framework, whereby the individual responsibilities of financial services firms are not deemed enough to achieve operational resilience and guarantee systemic financial stability.
Under the proposed regime the financial regulators will be granted powers to assess whether the resilience standards are being met. These will include powers for the financial regulators to:
- request information directly from critical third parties on the resilience of their material services to firms, or their compliance with applicable requirements;
- commission an independent ‘skilled person’ to report on certain aspects of a critical third party’s services;
- appoint an investigator to look into potential breaches of requirements under the legislation;
- interview a representative of a critical third party and require the production of documents;
- enter a critical third party’s premises under warrant as part of an investigation.
The financial regulators will be publishing a joint Discussion Paper, setting out in detail how any powers granted to them in legislation might be exercised, and seeking views from industry on the most effective and proportionate way to do so. This will also explore the role of the financial regulators during designation, including how they might make recommendations to HM Treasury during consultation. The Discussion Paper will also explore potential specific ways for the financial regulators to coordinate the exercise of their powers with overseas financial regulators, and UK authorities and regulators from outside the financial services sector.