The Bank of England (the Bank), Prudential Regulation Authority (PRA) and FCA (collectively the ‘supervisory authorities’) have set out potential measures to oversee and strengthen the resilience of services provided by critical third parties (CTPs) to the UK financial sector.
CTPs provide certain services to regulated financial services firms and financial market infrastructure firms (‘FMIs’) that could affect financial stability and cause harm to consumers if they fail or are disrupted. The potential measures included in the discussion paper published today aim to mitigate this risk.
Well managed outsourcing and other arrangements with third parties can bring benefits to firms and FMIs, for example through efficiency gains, reduced costs, scalability, faster innovation, better customer outcomes, and improved operational resilience.
However, as the Bank of England’s Financial Policy Committee (FPC) highlighted in 2021, financial stability could be affected by disruption at a small number of third-party service providers relied upon by firms and FMIs. In response, the Government included legislative proposals in the Financial Services and Markets Bill, currently before Parliament, to grant the supervisory authorities’ powers to directly oversee the resilience of services that CTPs provide to the UK financial sector.
The discussion paper sets out potential measures for how the supervisory authorities could use their proposed powers, which include:
- A framework for identifying potential CTPs, which would inform the supervisory authorities’ recommendations for formal designation by HM Treasury.
- Minimum resilience standards, which would apply to the services that designated CTPs provide to firms and FMIs.
- A framework for testing the resilience of material services that CTPs provide to firms and FMIs using a range of tools, including but not limited to scenario testing, participation in sector-wide exercises, cyber resilience testing, and skilled persons reviews of CTPs.
These measures would complement, not replace, firms and FMIs’ existing responsibilities to manage risks from contracts with third parties. The supervisory authorities would only oversee the systemic risks arising from the services CTPs provide to firms and FMIs.
Comments are open until 23 December 2022. Subject to the outcome of Parliamentary debates on the Financial Services and Market Bill, and having considered responses to this discussion paper, the supervisory authorities plan to consult on their proposed requirements and expectations for CTPs in 2023.
Sam Woods Deputy Governor of Prudential Regulation and the CEO of the PRA said:
‘It is vital that the firms we regulate can rely on services provided to them by third parties, particularly where those third parties have become critical parts of the system. Today's paper sets out our thinking on how we can ensure the right levels of resilience for those services - we would welcome views from anyone taking an interest in this area.’
Jon Cunliffe, Deputy Governor for Financial Stability said:
‘Financial market infrastructure firms are becoming increasingly dependent on third-party technology providers for services that could impact the financial stability of the UK if they were to fail or experience disruption. The potential measures examined in this DP provide an initial, but important step for the Bank of England to manage these systemic risks (in coordination with the FCA). The DP also includes suggestions to improve coordination between the Bank/PRA and FCA, international financial regulators, and UK non-financial regulators, which is key given the cross-border and cross-sectoral nature of many CTPs and the services they provide’.
Nikhil Rathi, Chief Executive of the FCA said:
‘In an increasingly digital world, financial businesses are more dependent on a small number of third-party providers. That can bring significant benefits, but also comes with resilience risk. We want an open discussion about how we should use new powers Parliament is giving us to oversee the services these third parties provide to the financial sector and reduce the risk of major disruption, which could cause harm to consumers and markets.’
Notes to editors
- Operational Resilience: Critical Third Parties Discussion Paper
- Supervisory Statement SS2/21 Outsourcing and third-party risk management
- Financial Stability Report Q3 2021: Building the resilience of the financial system
- Read the Financial Services and Markets Bill
- Find out more information about the FCA.