Third-party service providers are the backbone of the financial sector, offering critical digital infrastructure, cloud computing, payment processing, and outsourced IT services. However, the increasing reliance on external providers has exposed firms to systemic risks, particularly in cases of disruption or failure. Recognising these vulnerabilities, the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) (collectively the Regulators) have introduced a new regulatory framework to enhance the oversight of Critical Third Parties (CTPs) in the UK financial sector.
The new CTP framework introduces direct oversight and compliance obligations for third-party providers designated as CTPs by HM Treasury. A provider qualifies as a CTP if it delivers services to financial firms whose failure or disruption could threaten the stability of, or confidence in, the UK financial system (a systemic service). Once designated, the CTP must adhere to a set of regulatory requirements that are closely aligned with the operational resilience and third-party risk management expectations already imposed on financial firms. This creates a shared responsibility model, ensuring that risks capable of destabilising the entire financial sector are mitigated.
What are the new operational risk and resilience requirements for CTPs?
CTPs will be required to meet strict operational resilience and risk management standards, which include:
- Governance: ensure that its governance arrangements prioritise the operational resilience of any systemic third-party service it provides.
- Risk management: identify, assess, and manage risks that could affect the CTP’s ability to deliver systemic services.
- Supply chain and dependency risk management: actively manage risks within the supply chain that could affect its ability to provide systemic third-party services.
- Technology and cyber resilience: ensure the resilience of the technology infrastructure supporting systemic services by implementing comprehensive risk management strategies, robust security controls, and regular resilience testing.
- Change management: ensure that any changes affecting systemic services are risk-assessed, documented, tested, verified, and approved before implementation.
- Mapping: complete, and keep updated, mapping that documents the resources, assets, supporting services, and technology involved in delivering each systemic service.
- Incident management: maintain robust incident response mechanisms to address serious IT or operational incidents that disrupt the delivery of systemic services.
- Termination and service transition planning: establish clear exit and transition plans to manage the termination of services and/or contracts with firms.
How will firms benefit from the CTP regime?
While the CTP regime does not impose direct obligations on financial firms, firms will indirectly benefit from greater regulatory oversight, increased transparency, and enhanced risk management practices by CTPs. These benefits include:
Stronger contractual safeguards
CTPs are expected to revise their standard contractual terms to comply with the new framework, resulting in several key improvements for firms:
- Termination rights and exit assistance provisions. CTPs will be required to provide a structured exit plan for termination of the services or contract, a level of detail previously seen only in outsourcing agreements.
- Information on the identity of key contractors in the CTP’s supply chain. Firms will gain better visibility into subcontractors and key service providers in the CTP’s supply chain. Historically, this information has been difficult to obtain unless data protection laws required disclosure of sub-processors.
- Enhanced incident response and recovery commitments. CTPs will need to define incident classification criteria, commit to objective recovery timelines, and set maximum tolerable levels of disruption for each systemic service.
Improved incident reporting and information sharing
CTPs will be subject to more detailed incident reporting requirements than most financial firms currently impose on third parties. In the event of a major incident, CTPs must:
- Disclose incidents affecting systemic services that could disrupt firms or undermine financial stability.
- Provide firms with detailed insights on incident causes, mitigation strategies, and areas for improvement.
- Share annual self-assessments of their compliance with CTP resilience requirements, enabling firms to make more informed risk assessments.
- Provide results of testing and resilience exercises, giving firms better oversight of the CTP’s operational preparedness.
This information-sharing requirement marks a significant cultural shift for many technology service providers, which have traditionally been reluctant to open their operations to scrutiny from both Regulators and their customers.
Comment
The CTP regime represents a significant regulatory shift for third-party providers, aligning them with the operational resilience and outsourcing framework to which financial firms have long been subject. High-profile incidents such as the CrowdStrike update error in July 2024, which caused global system outages, have reinforced the urgent need for stronger regulatory oversight of critical suppliers. The new framework aims to harmonise operational resilience requirements between financial firms and their most critical external providers, ultimately strengthening the stability of the UK financial sector. While many third-party providers have already begun improving their operational resilience, this is the first time they will be directly accountable to UK financial regulators.