Legal development

UK CTP Regime: Final rules from regulators


    The BoE, the PRA and the FCA (the regulators) have published final rules in relation to the UK critical third parties (CTP) regime. The CTP regime aims to reduce the risk of systemic disruption by introducing new outcomes-focused requirements on CTPs. The regime is set out in a joint policy statement (PRA PS 16/24, FCA PS 24/16), regulators’ expectations on how CTPs should comply in a supervisory statement (SS 6/24), as well as other relevant policy and guidance documents.

    Importantly, the new regime does not change the obligations authorised financial services firms have under existing outsourcing and operational resilience rules. The new regime provides the UK regulators with regulatory oversight of designated CTPs. However, these powers will only extend to the services provided by designated CTPs to the financial services sector, and not their entire operations. The regime will (among other things) require designated CTPs to provide assurance and notifications to the regulators, as well as carry out self-assessments and scenario-based testing. CTPs will also be required to report major incidents.

    The finalisation of the UK CTP regime follows a December 2023 consultation paper (CP 26/23) (see our briefing here) and a 2022 discussion paper (see our briefing here). The regime comes into force in January 2025, although there are various transitional provisions.

    Background

    The BoE, other regulators and policy making bodies have identified service providers as representing a financial stability risk if they fail or are disrupted. UK regulators have published various communications in this regard, including a June 2022 policy statement by HM Treasury (HMT) (see our briefing here) and a discussion paper in 2022.

    FSMA 2023 (see our briefing here and here) introduced a regulatory framework for CTPs that provide services to UK financial services firms. This framework gives HMT the power to make rules imposing duties on CTPs in connection with the services they provide to firms; direct a CTP in writing to do, or refrain from doing, certain things specified in the direction; gather information from a CTP; and take disciplinary action against a CTP. Under section 312L of FSMA, as amended by FSMA 2023, HMT may designate a third-party service provider as a CTP "if, in its opinion, a failure in, or disruption to, the services that the third party provides to firms could threaten the stability of, or confidence in, the UK financial system". Factors that HMT is required to consider when deciding whether a third party meets the statutory test for designation as a CTP are set out in section 312L(3) FSMA. CTPs will make up a small minority of third parties providing services to firms. At the time of publishing the policy statement, no entity had been designated a CTP.

    HMT set out its approach to designation of CTPs in a March 2024 document outlining the process of designation, beginning with receipt of recommendation to publication of a designation order.

    The regulators identify potential CTPs for recommendation to HMT by assessing third parties against: the concentration in the services which the third party provides to firms; the materiality of the services which the third party provides to firms; and other drivers of potential systemic impact. The concentration consideration will involve the regulators looking both at concentration in absolute terms (the total number of firms that rely on a particular third-party service provider's services) and at the relative systemic significance of those firms. The assessment of materiality looks at the possibility of transmission of risks to the financial system via the financial services that the third-party services support. The regulators' risk assessment framework involves the regulators looking at the gross risk to the delivery of systemic third-party service(s) provided by the CTP (from the external environment or internal risks). The framework then considers any mitigating factors that a CTP may have (such as risk governance; management and controls; and operational resilience) that can reduce these gross risks. Further information on how the regulators intend to use oversight powers in respect of CTPs has been set out in the Approach Document.

    In December 2023, the regulators published CP 26/23 setting out proposals concerning Fundamental Rules for CTPs to observe; Operational Risk and Resilience Requirements for CTPs; and information-gathering, self-assessment and testing requirements.

    CTP Regime: Fundamental Rules

    CTPs will have to comply with the following Fundamental Rules in respect of services provided to regulated firms:

    • CTP Fundamental Rule 1: A CTP must conduct its business with integrity;
    • CTP Fundamental Rule 2: A CTP must conduct its business with due skill, care and diligence;
    • CTP Fundamental Rule 3: A CTP must act in a prudent manner;
    • CTP Fundamental Rule 4: A CTP must have effective risk strategies and risk management systems;
    • CTP Fundamental Rule 5: A CTP must organise and control its affairs responsibly and effectively; and
    • CTP Fundamental Rule 6: A CTP must deal with each regulator in an open and cooperative way and must disclose to each regulator appropriately anything relating to the critical third party of which it would reasonably expect notice.

    In a change to the original proposals, the scope of CTP Fundamental Rules 1-5 is limited to a CTP's provision of "systemic third-party services" (in summary, a service from a CTP to a firm where a failure or disruption in the service could threaten the stability of, or confidence in, the UK financial system). CTP Fundamental Rule 6 applies to all the services that a CTP provides to firms. Further guidance on the rules is set out in SS 6/24.

    Feedback from the consultation also suggested that the regulators should add an additional Fundamental Rule, or an extension to Fundamental Rule 6, requiring a CTP to be open and cooperative with the firms it provides services to. The regulators did not consider that this was necessary and also note that SS 6/24 now includes an expectation that CTPs should comply with the requirements in an open and cooperative way, adopting a 'transparency by default' approach.

    CTP Regime: Operational Risk and Resilience Requirements

    The regulators are maintaining the proposed CTP Operational Risk and Resilience Requirements in respect of CTPs' provision of systemic third-party services to firms, subject to some amendments:

    • Requirement 1: Governance. A CTP is to ensure that its governance arrangements promote the resilience of any systemic third-party service it provides. This includes a central point of contact for the regulators and clear roles and responsibilities at all levels for staff who are essential to the delivery of a systemic third-party service.
    • Requirement 2: Risk management. A CTP must effectively manage risks to its ability to deliver a systemic third-party service. This includes identifying and monitoring relevant external and internal risks; and effective risk management processes.
    • Requirement 3: Dependency and supply chain risk management. A CTP should identify and manage any risks to its supply chain that could affect its ability to deliver a systemic third-party service.
    • Requirement 4: Technology and cyber resilience. A CTP must take reasonable steps to ensure the resilience of any technology that delivers, maintains, or supports a systemic third-party service.
    • Requirement 5: Change management. A CTP must have a systematic and effective approach to dealing with changes to a systemic third-party service, including changes to the processes or technologies used to deliver, maintain or support a systemic third-party service.
    • Requirement 6: Mapping. Within 12 months of being designated a CTP, a CTP must identify and document the resources used to deliver, support, and maintain each systemic third-party service it provides, and relevant internal and external interconnections and interdependencies.
    • Requirement 7: Incident management. A CTP must effectively manage CTP operational incidents. This includes implementing appropriate measures to respond to and recover from a CTP operational incident; setting an appropriate maximum tolerable level of disruption to each systemic third-party service; and maintaining and operating an incident management playbook.
    • Requirement 8: Termination of services. A CTP must have in place appropriate measures to respond to a termination of any of its systemic third-party services.

    CTP Regime: Feedback to responses

    Following feedback from respondents, the regulators made a number of adjustments to the final rules:

    • Governance (Requirement 1): Respondents sought clarification on the level of knowledge of financial regulation that the CTP's central point of contact is required to have. The regulators have clarified that the central contact's knowledge should be enough to enable the CTP to comply with its duties under the regime, but the regulators acknowledge that this knowledge will develop gradually. The regulators have added an expectation to SS 6/24 that CTPs implement appropriate training in relevant financial regulation.
    • Dependency and supply chain risk management (Requirement 3): Adjustments made to this rule in light of feedback include a provision in SS 6/24 that a CTP may need to be mindful of confidentiality and security issues when sharing information concerning its supply chain.
    • Technology and cyber resilience (Requirement 4): Further clarification was provided that while a CTP's adherence to recognised standards can partly demonstrate compliance with this requirement (for example, by confirming that certain cyber security controls are in place), it may not fully meet the regulators' need for assurance, particularly concerning the effectiveness of those controls. As a result, CTPs may need to provide additional evidence to confirm full compliance with Requirement 4.
    • Mapping (Requirement 6): The regulators have incorporated a proportionality angle and have clarified that each CTP is responsible for developing its own mapping methodology and identifying the resources necessary for delivering, supporting and maintaining its systemic third-party services.
    • Incident management (Requirement 7): The rules were amended and a provision was added to SS 6/24 providing that a CTP should use appropriate metrics and targets when setting the appropriate maximum tolerable level of disruption for its systemic third-party services. The regime now provides that, when setting an appropriate maximum tolerable level of disruption, a CTP should encourage the firms to which it supplies systemic third-party services to identify which of those services are key to the resilience of their Important Business Services (indicating, where possible, the recovery times expected for those systemic third-party services). The rules also require the CTP to share its appropriate maximum tolerable level of disruption for each systemic third-party service with the firms it provides these services to. The regime also allows CTPs to agree stricter service levels in contractual arrangements with firms and to test their systemic third-party services against these stricter service levels (in addition to testing them against their appropriate maximum tolerable level of disruption). SS 6/24 provides further clarification on the meaning of cooperation for the purposes of Requirement 7, so that the CTP can give appropriate updates and support to firms.
    • Termination (Requirement 8): Some feedback suggested aligning Requirement 8 with the regime for firms in relation to outsourcing and third-party risk management, particularly stressed exit planning. The regulators have clarified that Requirement 8 exists to enable regulated firms to comply with the existing regime on operational resilience, outsourcing and third-party risk management, including in relation to stressed exit strategies. This involves a CTP giving reasonable support to firms after the termination of a systemic third-party service (as well as during any transitional period), and the absence of undue barriers disrupting or discouraging the orderly termination or transfer of the systemic third-party service. CTPs would not be required under the regime to transfer ownership of, or grant use of, their intellectual property to another third party or to relevant firms beyond what is necessary.

    Self-assessment, scenario tests, incident management playbook exercises and information sharing

    As proposed in CP 26/23, CTPs will be required to:

    • submit an interim self-assessment to the regulators within 3 months of being designated a CTP, and an annual self-assessment thereafter; and
    • share a summary of the information in the self-assessment with customer firms.

    In response to feedback, the regulators have set out differences between the purpose of the interim assessment and the annual assessment, with the interim intended to serve as an initial, diagnostic overview and not intended to be as polished or as comprehensive as the annual self-assessment.

    CTPs will also need effective and secure processes and procedures for information sharing with firms that they provide any systemic third-party services to, to enable the firm to adequately manage risks related to its use of the CTP's systemic third-party services.

    Following feedback, the regulators have provided further information in SS 6/24 on scenario selection, calibrating the severity and plausibility of scenarios. Scenario tests are to be carried out on an annual basis at least. The regulators have also given further information in relation to incident management playbook exercises:

    • for the time being, participation by firms in the incident management playbook exercises is not mandatory;
    • firms are able to scale the level of participation depending on systemic significance and available resources; and
    • "participating" includes at a minimum: attending the exercise; considering the quality and timeliness of information and support given by the CTP during the exercise; and providing feedback to the CTP.

    Notification requirements

    CTPs will be required to notify the regulators, their firm and FMI customers receiving the affected service of certain incidents and other events. The regulators proposed a phased approach to CTP incident reporting consisting of: an initial incident report; one or more intermediate incident reports as needed; and a final incident report. As proposed, the regulators will also be providing a voluntary incident reporting template.

    CTPs' use of designation in marketing

    Under the rules, designated CTPs are restricted from using their designation as a badge of honour. However, the regulators have clarified that the marketing restriction does not prevent a CTP from making fair, clear, and non-misleading statements about (i) its designation by HMT, (ii) that it is subject to regulatory oversight for systemic third-party services, and (iii) the specific services it provides to firms. Additionally, the regulators have updated the requirement for CTPs to ensure that persons acting on their behalf do not breach these restrictions, instead requiring CTPs to take reasonable steps to prevent such breaches.

    UK address for service

    In a change to the original proposal, CTPs will be required to provide the regulators with an address in the UK for the service of documents. The regulators had initially proposed in CP 26/23 that CTPs with head offices outside of the UK should nominate a legal person to receive documents and notices from the regulators. This would have been in addition to Requirement 1 of the Operational Risk and Resilience Requirements (point of contact).

    Enforcement

    In March 2024, the BoE issued a consultation paper on its approach to enforcement, while the FCA published a Quarterly Consultation (CP 24/3) setting out FCA enforcement powers in relation to CTPs (changes to DEPP, disciplinary measures for CTPs and relevant financial entities in the event that a CTP has ignored a direction from the FCA; contravened a requirement imposed upon it; or breached any rules imposing duties on it in relation to provision of services to authorised persons). The FCA and the BoE are largely proceeding with their proposals and have published final details.

    Interaction with other rules for FS firms

    The regime is intended to complement the existing regime for financial services firms relating to operational resilience, outsourcing and third-party risk management (see our briefing here). These firms (and their Boards and Senior Management, including, where applicable, SMFs under the SMCR) remain responsible and accountable for meeting the requirements under the respective regimes.

    Interaction with other CTP oversight regimes

    In the EU, the Digital Operational Resilience Act (DORA) provides for a similar oversight regime in respect of ICT third-party service providers which are designated as "critical" for financial entities (see our briefings here and here for more information). The UK regulators state the UK CTP oversight regime is designed to be as interoperable as possible with similar regimes, such as the EU’s DORA. Steps regulators propose to take to achieve interoperability include:

    • asking CTPs for information provided to the other regulators responsible for these other regimes and taking this into account in their oversight;
    • accepting incident notifications/reports submitted by CTPs to firms, FMIs, and/or the authorities responsible for these other regimes; and
    • looking at ways to enhance cooperation in the area of CTPs (e.g. via new cooperation arrangements).

    New Regulatory Guidance on Skilled Persons for Critical Third Parties

    Regulators have also issued the supervisory statement "Reports by Skilled Persons: Critical Third Parties" (SS 7/24) outlining the policies and expectations for the appointment and use of skilled persons as supervisory tools for CTPs. This supervisory statement aims to ensure the effective and transparent use of skilled persons, aligning with regulatory objectives while considering the associated costs and resources.

    The guidance clarifies that the PRA and the BoE may appoint skilled persons to produce reports or require CTPs to do so. These reports serve various supervisory purposes, including diagnosing, monitoring, preventing and remedying risks. The use of skilled persons can be triggered by specific information requirements, assessments, expert advice or the need for assurance in regulatory returns. The PRA and BoE will consider factors such as the CTP's relationship with regulators, history of similar issues, quality of systems and records and potential conflicts of interest when deciding to use these powers.

    Cost considerations are also crucial, as the CTP or connected persons bear the costs of skilled persons. The PRA and the BoE will evaluate whether the CTP benefits from the skilled person's work, the quality of the CTP's record-keeping and the risks to regulatory objectives. Additionally, the regulators will assess their own expertise and resources before deciding to appoint skilled persons.

    The appointment process involves either the PRA and the BoE directly appointing skilled persons or requiring CTPs to contract with pre-approved skilled persons from a designated panel. Skilled persons are expected to maintain open communication with both the regulators and the CTPs, provide periodic updates and adhere to specified timelines. Confidentiality is paramount, with skilled persons bound by FSMA's confidentiality provisions.

    Ashurst Risk Advisory LLP is a limited liability partnership registered in England and Wales under number OC442883 and is part of the Ashurst Group. Ashurst Risk Advisory LLP services do not constitute legal services or legal advice, and are not provided by qualified legal practitioners acting in that capacity. Ashurst Risk Advisory LLP is not regulated by the Solicitors Regulation Authority of England and Wales. The laws and regulations which govern the provision of legal services in other jurisdictions do not apply to the provision of risk advisory services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.

    This material is current as at 18 November 2024 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice.

    No part of this publication may be reproduced by any process without prior written permission from Ashurst.

    While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.