Operational Resilience: regulatory guidelines for critical third parties aim to avoid systemic disruption

Published on: November 19, 2024 Reading time: 1 min By Edward Vincent

On 12th November 2024, the Financial Conduct Authority (‘FCA’), the Bank of England (the Bank) and Prudential Regulatory Authority (‘PRA’) (‘regulators’) published a joint Policy Statement (PS) 24/16 ‘Operational Resilience: Critical third parties to the UK financial sector’ containing the final rules, expectations and guidance under a new, proportionate oversight regime for critical third parties (‘CTPs’) to the financial services sector.

The statement notes that the regulators have seen a continued trend in third-party-related incidents since the beginning of 2023 and that, while every incident is unique, recurring themes have been observed, such as failure to carry out sufficient prior testing of IT systems before updates are realised and a lack of clear and timely information to the regulators when an incident does occur.

This article looks at what CTPs are required to do as part of the final rules. The key takeaway, however, is that the rules do not diverge significantly from those set out in the consultation paper and will take effect from 1 January 2025.

Background

Firms and financial market infrastructures (‘FMIs’) have become increasingly reliant on the services of third parties. Disruption to, or failure of one of these third parties, such as a cyber-attack or a power outage, could affect a large number of consumers and firms and even threaten the financial stability and confidence of the UK.  

The risk of disruption is exacerbated in some cases by the concentration of a large number of market participants on one or two CTPs.

What’s expected of CTPs

The Supervisory Statement sets out the regulators’ expectations of how CTPs should interpret and comply with the requirements in their rules, with a set of high-level Fundamental Rules that will mainly apply to the ‘systemic services’ that CTPs provide to UK firms and FMIs.

Key requirements for CTPs are as follows:

  • Governance and accountability: establish governance structures that provide clear accountability and appoint a central point of contact with sufficient authority to interface with regulators.
  • Operational risk management: implement comprehensive risk management frameworks, including robust systems for identifying, assessing, and mitigating risks associated with their services.
  • Cyber and technology resilience: demonstrate strong cyber resilience. This involves securing IT infrastructure, conducting regular penetration tests and ensuring rapid response capabilities to address breaches or vulnerabilities.
  • Incident management and reporting: notify both regulators and client firms promptly. The incident reporting framework includes initial, intermediate and final reports detailing the nature of the incident, its impact and the mitigation steps taken.
  • Scenario testing: conduct regular scenario testing. These tests simulate severe but plausible disruption events to assess the resilience of critical services. Results must be shared with regulators to demonstrate ongoing compliance and readiness.
  • Mapping and dependency analysis: comprehensively map service dependencies, identifying critical points of failure within a CTP’s operations and across their supply chains.
  • Termination planning: develop robust plans to ensure an orderly wind-down or transition of services without disrupting the financial system.
  • Self-assessment and continuous improvement: conduct regular self-assessments of operational resilience. These assessments are submitted to regulators to ensure continuous compliance and to identify areas for improvement.

It is important to note that the new rules do not change the responsibility financial firms have in making sure they are resilient to operational disruptions and for their management of third-party suppliers, in line with existing outsourcing and operational resilience rules. If you want to revisit what we have previously said about Operational Resilience and the March 2025 deadline for firms to operate within their impact tolerances, please view our last webinar on the topic here. 

The bottom line…

We welcome the proposed new framework, which in our view is long overdue. The risk to the UK financial system of disruption, whether of an accidental or malicious nature, has been growing for some time. Indeed, perhaps the UK has been lucky thus far because, while there have been periodic problems, these have been relatively contained.

We also believe that many firms will welcome the proposals given that they will, in effect, subject CTPs to similar operational and managerial requirements and norms as the firms to which they supply service.

However, as is made clear in the paper, none of this absolves firms from looking at themselves and taking proportionate and sensible measures to ensure their own resilience (and indeed to think about whether any CTP they use is carrying a concentration risk or raises any red flags more generally). Above all, firms need to avoid seeking “bargain basement” solutions to their own operational requirements.

A catastrophic failure is potentially terminal but even a merely embarrassing glitch or outage is enough to impact negatively on a firm’s reputation.

The author
Edward Vincent

Edward is a Senior Consultant within our Digital Finance team.
