Critical Service Providers
11 December 2023
The Prudential Regulation Authority, the Bank of England, and the Financial Conduct Authority are consulting on their approach to the management of systemic risks posed by critical service providers to the UK financial services sector. Their joint consultation, which is open through 15 March 2024, builds on previous work and will lead to: changes to the regulators' respective rulebooks; a joint supervisory statement for designated "critical third parties" (CTPs); and a joint Bank/PRA supervisory statement and FCA guidance on the use of skilled person reviews of CTPs. Further consultations on the use of disciplinary powers are expected to follow.
The regulatory concern being addressed is the reliance placed by firms (including authorised firms, electronic money institutions, payment institutions, registered account information service providers) and financial market infrastructures on distributed systems such as cloud services. Although authorised firms and FMIs are required already to address the resilience of their own operations, the potential failure of CTPs risks undermining the stability of and confidence in the UK financial system. The proposed rules are intended to ensure that regulators have adequate information about the sources of this risk and the ability to supervise the firms associated with it. They do not detract from the responsibilities of authorised firms and FMIs to address their resilience requirements.
The new rules are focussed on service providers designated as CTPs under s. 312L of the Financial Services and Markets Act 2000. The process for designation begins with the regulators, which make recommendations to HM Treasury. The focus is on those service providers which present a risk to the stability of, or confidence in, the UK financial system. This will be assessed with regard to the following factors:
The materiality test can be based on individual service lines or a combination of them. The regulators will have regard to the reporting of service providers by firms and FMIs, in the outsourcing and third-party register, that identifies the third party as supporting the delivery of "Important Business Services" under their respective operational resilience policies.
The concentration test is based on the overall risk posed by the provision of the relevant services to firms and FMIs. It is not intended to reflect the popularity of a service but the extent to which failures or interruptions might impact the financial system or individual markets within it. The reliance of a systemic firm or FMI on the relevant service could itself be a factor, as the assessment includes the type of firm as well as the number of firms involved.
Only a small number of service providers – mainly cloud computing service providers – are expected to be designated under the legislation. The regulators identify their sources of information as including regulatory reporting (including material outsourcing notifications and applications by FMIs for approvals or no-objection decisions) and public sources. There is no comprehensive formula to be applied, and the regulators intend to use their judgement where the data are not sufficient to indicate whether a designation should be made.
Where the relevant services are being provided by an authorised firm or FMI, the regulators note that it is unlikely to be identified as a CTP, provided that the services are subject to a level of regulation and oversight that delivers similar regulatory outcomes. Similar considerations will apply for utility-like services (eg, telecommunications or energy suppliers).
It is proposed that service providers recommended for designation as CTPs will have an opportunity to discuss the relevant services with HMT and the regulators. HMT's decision to designate a CTP will be communicated to the CTP prior to publication. Following designation, periodic reviews will be conducted to confirm whether the CTP still meets the criteria; on that basis, recommendations to revoke or modify the designation will be made to HMT.
A firm designated as a CTP by HMT will be required to act in accordance with certain rules of the Bank, PRA, and FCA. These include six CTP Fundamental Rules, which will be found in the regulators' rulebooks in common form:
CTP Fundamental Rule 1: A CTP must conduct its business with integrity.
CTP Fundamental Rule 2: A CTP must conduct its business with due skill, care and diligence.
CTP Fundamental Rule 3: A CTP must act in a prudent manner.
CTP Fundamental Rule 4: A CTP must have effective risk strategies and risk management systems.
CTP Fundamental Rule 5: A CTP must organise and control its affairs responsibly and effectively.
CTP Fundamental Rule 6: A CTP must deal with the regulators in an open and co-operative way and disclose to the regulators appropriately anything relating to the CTP of which they would reasonably expect notice.
CTPs will also be required to comply with detailed CTP Operational Risk and Resilience Requirements, addressing governance, risk management, dependency and supply chain management, technology and cyber resilience, change management, mapping, incident management, and the termination of material services. These would formalise and standardise base requirements for CTPs; eg, by setting expectations for regular resilience testing and supply chain management. They would also draw CTPs closer to regulators and client firms in the testing and execution of business continuity arrangements.
CTPs will be required to demonstrate their ability to comply with the rules of the regulators annually and on request. Self-assessments will be required within three months of designation and annually thereafter. Regular scenario testing, based on the requirements for firms and FMIs, will be expected, as will annual testing of the financial sector incident management playbook.
The regulators may use their powers under s. 166(3) of FSMA to require the appointment of a skilled person to provide them with a report, including with respect to resilience testing. CTPs will be responsible for the costs, and they must provide all reasonable assistance to the skilled person. Detailed requirements for skilled person reports are set out in the consultation paper.
To support client firms and FMIs meeting their own regulatory obligations, it is proposed that summaries of self-assessments and the results of scenario and financial sector incident management playbook testing should be shared with them.
CTPs experiencing certain incidents will be required to notify the regulators and firm and FMI clients throughout the life-cycle of the events, in addition to other reporting requirements. The threshold for a "relevant incident" will be one that has, or has the potential to:
A CTP experiencing a planned or unplanned event would be required to provide:
Additional reporting can be requested by the regulators. The CTP should also report events involving disputes, criminal proceedings, sanctions, financial stress, or other matters that could impact its ability to restore and continue operations. The form of incident reporting is being considered by the regulators as part of the Transforming Data Collection Programme.
The status of a designated CTP is not intended as a "quality mark," and a CTP will not be permitted to make undue use of its designation for marketing purposes. A CTP is not an authorised firm for FSMA purposes.
The CTP rules will not require CTPs to establish in the UK; however, they will be expected to appoint a representative for service who can receive documents and notices from the regulators. Normally, this would be a law firm or other corporate representative.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.