New UK rules for critical third parties
The UK regulators confirmed their new rules for critical third parties (CTPs) on 12 November 2024. The new rules are intended to be closely aligned with international standards and similar regimes, including DORA.
A CTP is a person designated as a critical third party by HM Treasury. The Treasury may designate an entity as a CTP “only if in the Treasury’s opinion a failure in, or disruption to, the provision of those services (either individually or, where more than one service is provided, taken together) could threaten the stability of, or confidence in, the UK financial system”. The Treasury must have regard to the materiality of the services “wherever carried out” and the number and type of authorised persons, relevant service providers (eg authorised payment institutions and authorised e-money institutions), or FMI entities (eg recognised clearing houses, UK recognised investment exchanges) (Firms). The Treasury is also required to consult with the regulators and the prospective CTP when considering a designation.
Once designated, the CTP will be subject to PRA/FCA supervision (the Oversight Regime) – but only in relation to the services that the CTP provides to Firms. The term “services” is to be interpreted broadly and includes, but is not limited to: (a) a facility as noted in section 312L(8) of FSMA; (b) activities, functions, processes and tasks, as noted in the FSB TPR toolkit; and (c) Information and Communications Technology (ICT) Services.
Whilst the regulators’ statutory powers extend to all the services that a CTP provides to Firms, most of the regulators’ rules that impose significant obligations only apply in relation to the CTP’s provision of “systemic third party services” (the services whose failure or disruption could threaten the stability of, or confidence in, the UK financial system) “wherever carried out” – so the rules will cover services provided by a CTP from outside the UK.
In summary:
- There is no requirement for a CTP to establish a UK subsidiary or branch (if it doesn’t already have one), but there is an obligation to provide the regulators with a central point of contact and UK address for service of documents.
- The regulators’ information-gathering powers under FSMA will also apply to undertakings in the CTP’s group.
- A CTP is required to inform the regulators of any changes to its group structure that may prompt a reconsideration as to the appropriate entity that should be designated and/or impact the delivery of systemic third party services to Firms.
- A CTP must:
  - comply with the ‘CTP Fundamental Rules’ – these are similar to some of the PRA Fundamental Rules/FCA Principles for Business that apply to Firms;
  - comply with operational risk and requirements in relation to the provision of systemic third party services, eg have in place sound, effective and comprehensive strategies, controls, processes, and systems that enable it to comply with the regulators’ rules;
  - ensure that its governance arrangements promote the resilience of any systemic third party service it provides, eg clear roles and responsibilities at all levels for its staff; clear channels for communicating and escalating issues and risks; establishing etc. an approach to preventing, responding to, and recovering from an operational incident; and implementing lessons learnt;
  - effectively manage risks to its ability to deliver a systemic third party service;
  - identify and manage any risks to its supply chain that could affect its ability to deliver a systemic third party service;
  - take reasonable steps to ensure the resilience of any technology that delivers, maintains or supports a systemic third party service;
  - ensure that it has a systematic and effective approach to dealing with changes to a systemic third party service, including changes to the processes or technologies used to deliver, maintain or support a systemic third party service;
  - (1) within 12 months of being designated by HM Treasury, carry out a mapping exercise to identify and document (a) the resources, including the persons (including key nth-party providers), assets, supporting services and technology, used to deliver, support, and maintain each systemic third party service it provides; and (b) any internal and external interconnections and interdependencies between the resources identified under (a) in respect of that service; and (2) thereafter regularly update the mapping exercise;
  - effectively manage CTP operational incidents, eg setting an appropriate maximum tolerable level of disruption; maintaining and operating an incident management playbook; facilitating effective communication with, and support to, the regulators and affected firms; and cooperating and coordinating with the regulators and affected firms in response to CTP operational incidents;
  - have in place appropriate measures to respond to a termination of any of its systemic third party services (for any reason).
- The PRA/FCA can take enforcement action against a CTP for breach of its rules.
The regulators clarified in the joint Supervisory Statement that the Oversight Regime does not impose additional requirements on Firms in relation to operational resilience, and outsourcing and third party risk management.
The new rules will take effect from 1 January 2025. However, the regulators’ rules and expectations will only apply to a CTP on the date the designation order made by the Treasury comes into force, subject to transitional periods that apply to certain rules.
The prospective CTP will be consulted and will be given notice of the date on which the designation takes effect (if applicable). The designation process is expected to take around 6 months to complete.
- HMT has a statutory obligation to consult with the UK regulators and the prospective CTP when considering a designation (and any other parties it considers appropriate, eg other Government departments or public sector regulators).
- If HMT decides to designate a person as a CTP it will need to make a legal instrument (a Designation Regulation) to give effect to the designation. The Designation Regulations are not subject to debate or approval in either House of Parliament.
Please see: New rules to strengthen resilience of UK’s financial sector which includes links to various documents, including the final rules, joint supervisory statement on CTPs and HMT’s approach to designation.