Operational Resilience for Critical Third Parties
Friday 1 March 2024
Purpose of the Consultation Paper:
The Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA) and the Bank of England (BoE) have jointly produced consultation paper CP26/23 to address the growing concern about unregulated Critical Third Parties (CTPs) and the potential risk they pose to the stability of, and confidence in, the UK financial system. They have therefore set out certain proposals for CTPs to mitigate these risks and maintain the financial market’s stability.
Understanding Critical Third Parties:
CTPs are external businesses that work and collaborate with financial institutions. More often than not, they offer innovative technology services to banks and credit unions, which these institutions do not possess themselves. These types of CTPs are frequently called FinTech companies, and their partnerships with financial institutions enhance their services. However, the use of CTPs increases risk exposure: greater dependence on these third parties could also pose a threat and systemic risks to the UK’s financial stability, market integrity, and consumer protection.
Why regulation could be necessary:
Due to the sensitive nature of the information shared between financial institutions and CTPs, a compromise of this information would undermine the stability of the financial market and could cause a lack of confidence among consumers and members. Currently, there are no regulatory systems that CTPs must comply with, creating vulnerability in the financial systems and potential cyber security threats.
The PRA, FCA, and BoE have proposed new regulations for CTPs. These regulations include:
- CTPs must follow eight (so far) Fundamental Rules that apply to all the services they provide to UK firms and financial market infrastructures. These rules will serve as a general statement of the CTP’s obligations under the regime.
- CTPs must comply with Operational Risk and Resilience requirements that apply only to the material services they provide to firms and FMIs. These requirements will concern technology, cyber resilience, and dependency.
- CTPs must provide certain information to regulators periodically, including an annual self-assessment.
- If requested, CTPs must provide certain forms of testing, including regular tests of their ability to continue providing material services during severe but plausible disruption.
- CTPs must notify regulators, firms, and FMIs to whom they provide services about any requirements related to the services.
Criteria/Determination of a CTP:
The regulators will use three proposed criteria to identify a firm as a Critical Third Party, and then inform HM Treasury. These criteria are as follows:
1) Materiality: This refers to the data and information that CTPs deal with. If this information were to be compromised, would it impact the economy’s financial stability?
2) Concentration: This examines the number of financial institutions each CTP is connected to. Specifically, how many firms do they work with?
3) Other factors: This considers other factors that pose a systemic threat to the economy’s financial stability.
Results of the proposals:
The document suggests that greater regulation is needed to manage systemic risks from CTPs. The regulation will be effective but proportionate. To ensure this, the following measures will be taken:
1) CTPs will be included in the Bank, FCA, and PRA Handbooks
2) A PRA, FCA and Bank joint supervisory statement will be issued to outline the regulators’ expectations on how CTPs should comply with and interpret the proposed requirements in their rules
3) A joint Bank/PRA supervisory statement and guidance will be issued to outline the regulators’ policy and expectations on using skilled person reviews of CTPs as an oversight tool.
4) To maintain a joined-up approach to the CTP oversight regime across the three regulators, the FCA has published its Quarterly Consultation Paper on Critical Third Parties – ‘Statement of Policy relating to Disciplinary Measures’, seeking industry views on the FCA’s proposed approach to the use of its enforcement powers against CTPs.
The regulators will soon release a document explaining their oversight responsibilities regarding CTPs. This document aims to guide CTPs, firms, and FMIs on how regulators will conduct their oversight duties in practice and ensure accountability to the public and Parliament by increasing transparency.
Questions:
The key questions to consider in relation to this consultation paper are:
- Do you have any further comments on the proposal?
ABCUL will be responding to the regulators’ proposals included in this consultation paper on behalf of its members. We welcome any views and feedback on the proposals; please share these by contacting advocacy@abcul.org by close of business on 11th March 2024.
