Legal development

Operational resilience UK proposals


    On 8 June 2022 HM Treasury published a policy statement on a new regime to mitigate the risk of what the Treasury considers to be critical third parties in the finance sector (critical third parties). Over the past few years, policy makers have become increasingly concerned about the risks of systemic disruption if there is a failure of an unregulated third party that provides crucial services to a large number of financial services businesses.

    This regime will give regulators (likely the FCA and PRA) new powers of oversight over critical third parties, together with substantial enforcement powers.

    Given that this targets entities that are not currently within the regulatory perimeter, for many this may be their first direct exposure to regulatory oversight by financial regulators, at least in the UK.

    What is the objective?

    The objective of the proposals is to mitigate the risk of systemic disruption from critical third parties if they were to fail or suffer significant disruption. In recent years, regulators and policy makers (across the globe) have placed increasing obligations on regulated firms to ensure appropriate outsourcing arrangements and to maintain operational resilience. However, regulators are increasingly aware that this does not deal effectively with issues such as concentration risk, and in many cases the relative bargaining power of regulated firms against global technology companies is limited.

    Who may be caught as a critical third party?

    Critical third parties are not regulated entities but instead service providers to regulated entities and the financial system more broadly.

    The obvious group are the largest cloud service providers, which are referenced in the policy statement. The Bank of England, other regulators and policy making bodies globally have identified these service providers as representing a financial stability risk if they fail or are disrupted, given the important role they play and the significant concentration in the market. Any entity providing the key "plumbing" that makes the financial system work, such as providing information and IT services, may well be caught. If you have been asked by regulated firms to provide information to enable them to comply with their outsourcing and/or operational continuity in resolution obligations, you may be caught.

    The question to ask is: 'if your business was disrupted or failed would this threaten the stability or confidence in the financial system?' If yes, then you could be a critical third party.

    What will regulators be able to do?

    Regulators will have broadly similar powers in respect of critical third parties as those they have with regulated firms. They will be able to:

    • request information directly from critical third parties on the resilience of their material services to firms, or their compliance with applicable requirements;
    • commission an independent "skilled person" to report on certain aspects of a critical third party’s services;
    • appoint an investigator to look into potential breaches of requirements under relevant legislation;
    • interview a representative of a critical third party and require the production of documents; and
    • enter a critical third party’s premises under warrant as part of an investigation.

    What happens if critical firms don't comply?

    The financial regulators will have a suite of statutory powers, including:

    • the power to direct critical third parties to take, or to refrain from taking, specific actions;
    • enforcement powers, including a power to publicise failings; and
    • ultimately, the power to prohibit a critical third party from providing future services, or from continuing to provide services to firms.

    Exercising the power to prohibit the provision of services would itself potentially cause material disruption to the markets and to regulated firms, but it is nonetheless a significant power.

    Will critical third parties need to be authorised?

    Based on the information available so far, this proposal will not require critical firms to apply for regulatory authorisation. Instead, HM Treasury (in consultation with the financial regulators and other bodies) will be able to designate certain providers as critical firms (firms designated as critical will then be enshrined in secondary legislation). However, the proposal does create a quasi-regulatory regime of oversight and enforcement. Exactly what this looks like in practice, such as how much oversight will be exercised, how prescriptive the rules will be and what duties will apply, is yet to be established.

    What does this mean for regulated firms that use critical third parties?

    Unlike DORA - the EU's proposal in this space - the UK proposal does not impose new obligations on regulated firms. Firms are, however, subject to the FCA and PRA rules in relation to operational resilience, outsourcing, SMCR and reporting, which combined cover similar ground to the obligations that will be imposed on regulated firms by DORA.

    In the short term, a regulated firm complying with its operational resilience and outsourcing obligations may see limited impact. However, where a critical third party fails to comply with the rules and is prohibited from providing services, that could obviously have substantial implications for regulated firms. If a regulated firm obtains services from a critical firm and hasn’t done any outsourcing and operational resilience analysis, it would likely be in breach of its obligations.

    This is another step in the global trend towards greater operational resilience and a stark acknowledgement that most of the financial system sits in a cloud that regulators cannot touch directly. UK and EU regulators have been imposing obligations on the firms they regulate for a long time. This could ease some of that burden, or at least make discussions over contractual rights to audit, access and testing etc. easier to negotiate.

    What is the territorial impact?

    At the moment this is not addressed, but given the number of non-UK service providers, we anticipate the intention would be to capture any entity providing functions to UK regulated firms regardless of where the legal entity, servers or other key information is located.

    What now?

    The current policy statement is relatively light on detail and the mechanism for the designation of critical third parties, the relationship with regulators and the expectations are not set out. The devil will be in the detail. Entities that may fall within this regime will want to keep a close eye on this to ensure that timeframes, obligations and oversight are realistic. This may be difficult given that similar regimes, such as DORA, are likely to come into effect leading to an ever-increasing patchwork of competing and potentially contradictory obligations on critical third parties.
