At a glance:
UK financial regulators have published a Discussion Paper (DP) setting out their vision for what an oversight regime for Critical Third Parties (CTPs) could look like.
This initiative is intricately linked to the UK regulators’ operational resilience agenda and is intended to reduce the risk that a disruption to the services provided by unregulated systemic CTPs could threaten the operational resilience of financial services (FS) firms or Financial Market Infrastructures (FMIs).
While the DP is the beginning of a multi-stage policymaking process, the intention of UK regulators is clear: to extend the regulatory perimeter to presently unregulated service providers that are considered systemic and to create a new set of requirements to build their resilience.
The DP sets out a series of options and building blocks for an oversight framework that is centred around three pillars: (1) designation criteria for CTPs; (2) minimum resilience standards for CTPs; and (3) resilience testing of CTPs.
TPPs need to assess how likely it is that the services they provide to FS clients would lead to them being considered critical, and analyse their level of readiness for the new framework. Coming under FS regulatory oversight will likely mean a significant step change in how they must think about, and demonstrate, their operational resilience.
FS firms should also consider what this means for their operational resilience and third-party risk management (TPRM) framework, and where this new regime could provide opportunities to receive more information and to increase their level of assurance about the resilience of the service providers they rely on.
Intended audience: CROs, COOs, CPOs, CISOs, Heads of operational resilience, ICT risk teams, TPRM teams in UK financial services firms and at third party providers working in the sector
The Bank of England (BoE), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) (referred to hereinafter as ‘the regulators’) published DP3/22 Operational resilience: Critical third parties to the UK financial sector. This followed the introduction of the 2022 Financial Services and Markets Bill in Parliament by HM Treasury (HMT), which proposes to grant regulators new statutory powers as well as to allow HMT to designate certain third-party providers (TPPs) as ‘critical’. Following designation, the regulators would then be able to issue CTPs with specific rules and directives, to conduct investigations, and to enforce disciplinary measures in the case of non-compliance.
While the FSM Bill proposes to establish the powers necessary for the functioning of a CTP regime, it leaves most of the design of the oversight mechanism to the regulators – and the DP is where their thinking has been put forward. This comes at a time of rising regulatory interest in third party risk, as best seen in the EU where negotiators have just finalised an agreement on the Digital Operational Resilience Act (DORA) that introduces a similar oversight framework there.
The DP sets out what the regulators believe the UK’s approach to CTP oversight could look like. This blog reviews the regulators’ proposals and identifies several key issues that will be important to consider going forward.
Part I: The design of the UK CTP framework
The proposed CTP oversight regime described in the DP is structured around the following three pillars. While the DP identifies a number of options in each category that the regulators could use as building blocks for the framework, there is nevertheless a relatively clear direction of travel and several key principles outlined in each section.
1. CTP identification and designation
Despite being given the power to designate CTPs by the FSM Bill, HMT is still obliged to consult the regulators before designation and to ground its decision on two key criteria: the materiality of services provided by the TPP and the concentration risk for the FS sector. On this basis, the DP proposes a more proactive role for the regulators; namely that of identifying and recommending to HMT potential candidates for designation. Overall, the main aim of the regulators is to ensure the stability of the UK’s FS sector.
On this basis, the DP suggests that the regulators’ perimeter of identification would not be limited to Cloud Service Providers (CSPs) but would extend to any TPP that meets a set of specific requirements, including non-digital providers. Furthermore, the identification framework could allow for evolution over time to respond to rapidly growing technologies such as quantum computing, machine learning and artificial intelligence. The process would be evidence-based, technology-neutral, and would consider both the HMT designation criteria and the regulators’ own objectives.
Firms that are currently captured by the FS regulatory perimeter would be exempt from designation as a CTP since regulators will generally already have sufficient powers to address operational resilience risks that they might pose to the sector.
The DP sets out three principles for how the regulators will approach identification (in Table A below):
Table A: Criteria for identifying TPPs as critical
Potential impact of disruption on the regulators’ objectives
The degree to which the services provided by a TPP are critical for the delivery of a set of key functions.
More specifically, the potential key functions set out in the DP are:
To assess concentration risk, the regulators would consider:
To make this determination, regulators could draw on existing regulatory returns at their disposal or use the mapping of important business services (IBSs) carried out by FS firms under the operational resilience policy.
The regulators would evaluate the following risks posed by potential third-party disruption:
2. Minimum Resilience Standards for CTPs
The regulators intend to use their new statutory powers to define a set of minimum resilience standards that CTPs should be able to meet at all times. This is a key difference from the CTP regime in the EU’s DORA, which grants the European Supervisory Authorities (ESAs) similar oversight powers but does not establish a clear resilience standard in the legislation.
The regulators highlight several pre-existing frameworks, including Annex F of the CPMI-IOSCO Principles for FMIs, as a good starting point for establishing a resilience framework for CTPs. The DP does not identify a detailed resilience standard at this stage, but it does give an indication of the direction of travel in regulators’ thinking. This comes across most clearly in a set of seven components to a potential resilience standard that the regulators elaborate:
Identification and mapping of key services;
Management of risk across the supply chain and implementation of adequate controls;
Testing (further elaborated in the next section);
Engagement with the regulators;
Establishment of an FS continuity playbook;
Post-incident communication plans; and
Learning and evolving from past disruptions.
If developed into a resilience standard, many of these components will require designated CTPs to enhance their risk and compliance capabilities, which will be subject to regulatory scrutiny. For instance, CTPs may find it complex to identify all the key nth parties (or sub-contractors, as specified by the Financial Stability Board) and parts of their supply chain which could affect the stability of the FS sector if disrupted. It could be equally challenging to map all the people, processes, technology, facilities, and information required for providing those services to FS clients.
It is also worth noting the proposed requirement to keep an FS-specific continuity playbook. CTPs would have to share this with regulators and regularly document and update the measures that they would take to mitigate impact in the case of disruption. In other words, CTPs would have to differentiate their response to disruption depending on the kind of client affected, devoting specific attention to the FS sector. CTPs will already have their own resilience and business continuity plans, but such a standard would force them to look at resilience through the lens of FS sector systemic stability and to take more ownership of the shared risk and control framework between themselves and their FS clients.
3. Resilience Testing for CTPs
Rather than imposing a set of common testing requirements for all CTPs, the regulators’ intention is to proportionally apply a range of different options depending on factors specific to a CTP. The latter may include the number of material functions provided by the CTP, the type of services provided, the level of prior engagement of the CTP with the regulators, and/or the regulators’ confidence about the CTP’s resilience.
The regulators intend to further shape the CTP testing regime based on feedback received from industry, but it appears likely that the general approach will be to pair testing at the individual CTP level with CTP participation in industry-wide resilience exercises such as the SIMEX tests. The full menu of resilience testing options discussed by the regulators in the DP are set out in Table B below:
Table B: Possible forms of CTP resilience testing
Scenario testing: this could potentially become the most frequent form of testing. Scenario examples which CTPs may be expected to test for could include those informed by threat intelligence or by previous disruptions in industry that are considered ‘severe but plausible’ events. CTPs may choose to run such tests in collaboration with other firms and external specialists.
Sector-wide exercises: these could represent a valuable resource, as this form of testing would allow regulators to evaluate the resilience of the whole FS sector and the CTPs’ role in it. Potential examples of such tests include the FPC’s cyber stress tests, the Cross Market Business Continuity Group’s SIMEX, and the Quantum Dawn series. However, it is expected that sector-wide exercises would be performed in conjunction with more routine individual testing due to the level of coordination, resources and time required to organise them.
Cyber-resilience testing: Threat-Led Penetration Testing (TLPT) programmes such as CBEST may represent another option for regulators. Given its intrusive nature and high cost, however, it might be necessary to employ this tool under different circumstances to better tailor it to each CTP. Examples of this might be:
Information gathering and skilled persons’ review: The FSM Bill grants the regulators the power to conduct inspections and gather information akin to a Section 166 review. Regulators could employ this as grounds for testing resilience, allowing a more selective review of CTPs depending on specific concerns they might have.
Part II: Key considerations going forward
Third parties and preparing for regulatory oversight: the introduction of an FS oversight regime will be a step change in how CTPs think about resilience in their work with FS clients. It will mean a level of regulatory scrutiny and a much higher degree of transparency and information sharing around resilience and business continuity planning – at an individual level, at a sectoral level, and in the shared responsibility model between a CTP and an FS firm – that many service providers will not be accustomed to.
As a result, the current operating model design, capabilities, and reporting frameworks of most providers will need significant enhancement if they are designated as critical under the UK (or the EU’s DORA) framework(s).
TPPs should begin to take some preparatory action to ensure they are ready for this new regulatory approach. This should begin with understanding the statutory powers granted to the regulators in the FSM Bill and refining their view of the services provided to FS clients that match the criteria described in the DP (i.e., materiality, the systemic impact of their failure, their market concentration, etc.). TPPs that, based on these criteria, believe they may be designated as critical should conduct a gap analysis to assess the differences between their current resilience practices and the minimum resilience standards and testing regime proposed in the DP. This should identify any pain points or areas that may require investment or remediation ahead of the introduction of new rules. They should also consider their strategy for developing an FS continuity playbook and identify what data/information/processes already exist that could be leveraged to support this task.
FS firms and obligations under existing operational resilience and TPRM frameworks: although the CTP initiative is linked to the UK regulators’ push for better sectoral operational resilience, the DP is clear that the establishment of an oversight framework does not lessen the responsibilities of FS firms to manage third party risks under existing outsourcing and TPRM frameworks, even if outsourcing to a designated CTP. This approach will keep up pressure on FS firms to take steps to build their own operational resilience, even when their IBSs may be heavily reliant on TPPs.
Overall, however, we expect most FS firms will broadly welcome the introduction of a CTP framework. While the exact oversight mechanism is still unclear, the DP will nevertheless facilitate a level playing field and introduce common objectives between the FS firm and the CTPs. This will not only likely give FS firms an added level of assurance for their relationships with designated CTPs but also pave the way for easier contractual negotiations and reporting mechanisms. FS firms should monitor the development of the CTP regime closely and identify any opportunities it creates to gain more assurance around a CTP’s own resilience. Resilience testing requirements for CTPs may be one such opportunity if useful information can be fed back to firms.
International regulatory alignment: UK regulators underline the need to encourage the development of common standards for CTP oversight among major FS jurisdictions. The DP identifies global standards for CTP designation and for CTP resilience as two areas of potential work, which could be facilitated by international bodies such as the Financial Stability Board (FSB), the Basel Committee on Banking Supervision (BCBS), and the G7. The regulators also indicate their willingness to carry out cross-border CTP testing with international partners.
Without this work, there is an elevated risk of international fragmentation in CTP oversight regulations that could lead to higher costs and resource demands for CTPs operating internationally. Comparing the proposed UK approach and DORA, for instance, a CTP operating and designated in both jurisdictions would need to comply simultaneously with a minimum resilience standard set by UK regulators and with the recommendations from the ESAs on resilience. Small steps towards a common approach, such as an agreement on the need for and the design of an FS continuity playbook, could lead to a meaningful simplification of requirements for CTPs. In the meantime, CTPs will need to monitor the evolving international regulatory landscape and develop a methodology to manage and respond to differing timelines and levels of detail.
Part III: Next steps in the policy process
The DP is open for comments until 23 December 2022, during which time the FSM Bill is expected to make its way through the parliamentary process and become law. Assuming that the legislation of the FSM Bill proceeds as expected, the regulators will then have to take the next step of issuing a Consultation Paper (CP) in 2023 further specifying the CTP oversight regime they will seek to put in place. This CP is likely to be much more detailed in terms of the designation criteria as well as the resilience and testing requirements that CTPs will face.
The regulators will then finalise the framework in a Statement of Policy. At that point, the detailed design of the oversight regime and the exact timing of its implementation will become clear.