UK Regulators propose framework to mitigate risks posed by critical third parties


On 21 July 2022, HM Treasury, with the Bank of England, the Financial Conduct Authority (“FCA”) and the Prudential Regulation Authority (“PRA”), issued a discussion paper (the “Paper”), setting out its proposal for mitigating risks of systemic disruption and strengthening of critical third party (“CTP”) services in the UK financial sector. The Paper also sets out the statutory framework for overseeing the operational resilience of CTP providers and how supervisory authorities could use their proposed powers in the Financial Services and Markets Bill 2022-23, which includes the relevant proposed statutory measures. This followed the release of a Policy Statement issued by HM Treasury, which proposes a framework to oversee CTPs, including increased financial stability and market confidence.

The proposed framework aims to complement the existing regulatory framework, however, with more focus on the risks and disruption that could occur as a result of regulated firms outsourcing services to CTPs. The intent is to address the regulatory gap and limited powers in the current supervisory framework for authorities to properly deal with issues arising from the increasing reliance of regulated firms on certain third-party service providers. In scope, the proposed framework will apply to firms regulated in the UK by the PRA and FCA, and the framework will focus on third parties who provide services to one or more financial services firms and/or financial market infrastructures (“FMI”) in the UK.

Well-managed outsourcing can provide significant benefits to firms and FMIs, including lower costs, efficiency gains, faster innovation, scalability, and others. However, the growing dependency on third-party services, the concentration of the services provided, and its ability to recover or substitute in case of disruption could lead to single-point-of-failure that can impact firms, FMIs, customers, and, ultimately, the financial stability of the UK.

The key proposed framework guidance comprises:

Designations –       under the FSM Bill, HM Treasury will have powers to designate certain third parties that provide services to firms as ‘critical’, following the statutory criteria and consultation with supervisory authorities.

–       Enables financial regulators to make rules, gather data and information, and construct a plan, in relation to specific services CTPs provide.

–       The designation will consider the materiality of the services provided, the concentration, and potential impact of disruption in the regulator’s objectives.




Minimum Resilience

–       Sets out the minimum resilience standards and requirements: current regulatory frameworks rely on a set of global standards for CTPs, such as risk identification and management, information security, reliability and resilience, technology planning, and communications with users.

–       CTPs will now need to demonstrate compliance with the new standards through resilience tests and exercises, and attestations to regulators.

–       There will also be a rating system to assess compliance with the minimum standards.




Resilience Testing

–         Regulators have considered that one approach to CTP resilience testing may not be effective, proportionate or resource efficient, and instead tests should apply if they are suitable for that specific CTP.

–       Regulators would be able to require scenario testing to understand a CTP’s ability to continue to provide services in the event of their failure or disruption.



Obligations and Enforcements



–       CTPs will need to disclose to regulators any information which they would reasonably expect, including incidents and threats to stability.

–       Regulators will be able to make decisions as to what CTPs can do or refrain from doing.

–       In the instance that a CTP breaches its requirements, the identification of the CTP will be published


When the legislation is introduced, the regulators’ joint discussion paper will be published. Furthermore, the financial regulators will publish a Consultation Paper on their proposed rules as set out in the discussion paper.

If you are a firm that outsources to CTPs, you may have to make changes to your contracts with them once the new framework is established. We will be tracking this new piece of legislation closely so follow us on Linkedin to receive the latest updates.

For more information, guidance, or advice on the UK regulator’s proposal framework for CTPs or for support with updating or negotiating your contracts with critical third parties, Cleveland & Co External in-house counsel™, your specialist outsourced legal team, are here to help.

Please click here to follow us on LinkedIn to receive the latest information on this and other important topics!


Leave a reply

Your email address will not be published. Required fields are marked *



We'd love to hear from you, please get in touch with us if you have any questions.


©2023 Cleveland & Co

Log in with your credentials

Forgot your details?