In a paper published on 7th December, the Bank of England, as well as both the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), have outlined their plans to bring critical third party (CTP) suppliers to the financial services industry under their supervision.
Changes to the way CTPs are managed were first proposed in a paper released by the Treasury in 2022, but now in an updated discussion paper the regulatory bodies have detailed how they hope to create homogenous rulebooks that “manage potential risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the services that a CTP provides”.
They propose introducing a “set of six fundamental rules” which all CTPs would have to abide by when providing services to any financial firm, intermediary or financial market infrastructure firm. The proposed rules are as follows:
1) A CTP must conduct its business with integrity
2) A CTP must conduct its business with due skill, care and diligence
3) A CTP must act in a prudent manner
4) A CTP must have effective risk strategies and risk management systems
5) A CTP must organise and control its affairs responsibly and effectively
6) A CTP must deal with the regulators in an open and co-operative way, and disclose to the regulators appropriately anything relating to the CTP of which they would reasonably expect notice
These rules are “similar but less extensive than the PRA Fundamental Rules and FCA Principles of Business” and are being introduced to recognise the risk posed by CTPs to the financial services industry as a whole. The discussion paper on this topic released by the regulators back in July 2022, and the responses to it, have formed the basis for these plans, but CTPs have been monitored for several years in the build-up to this, with their potential risk to the stability of the UK financial system being highlighted in the Financial Stability Report (FSR) in June 2017.
One of the key components leading to this heightened awareness and scrutiny has been firms’ ever-increasing reliance on technology and internet services, specifically cloud-based services, and the exposure to cyber-attacks that comes with it. The FSR from November 2018 specifically noted the risk posed by cloud service providers due to the limited number of operators in this market, emphasising the fact that “disruption at one provider, for example due to cyber-attack, could interfere with the provision of vital services to several firms”. In a policy statement last year, the Treasury stated that as of 2020, 65% of all financial firms use the same four companies for their cloud services, clearly displaying the over-concentrated reliance on a small number of providers.
The response from the UK Government has resulted in legislative changes included in the Financial Services and Markets Act 2023. Under the new legislation, the Treasury has been given the power to designate suppliers as CTPs, and the regulators have been given the authority to impose rules, investigate and enforce judgements against CTPs, as well as the power to order a CTP to either do something in a certain way or refrain from doing something in a way that they deem unsuitable. The new rules proposed by the regulators are a direct result of these new powers.
So how do these new rules affect financial firms?
Up until now, financial firms’ only means of managing the systemic risks posed by third party suppliers has been the contractual agreements between them. It is the responsibility of the financial firm to ensure these agreements comply with the regulators’ existing operational resilience frameworks, but those have been deemed inadequate to effectively manage the risk posed. The potential problem of a power imbalance between service providers and smaller firms has been shown to be of particular concern, and the hope is that by introducing these new regulatory powers, the responsibility for mitigating the risk posed by suppliers will be returned to the supervisory bodies.
That does not mean that firms can totally abandon their responsibility for ensuring their contractual agreements are sufficient to provide operational resilience, as these new rules will only apply to third party suppliers designated as ‘critical’ by the Treasury. The anticipation is that this will only cover a small number of suppliers from within the vast network of suppliers across the financial services industry. As a result, firms will still need to ensure that they have adequate assurance through their agreements that any disruption to the service will not materially impact their operational capacity.
The new rules are not replacing the existing frameworks for operational resilience but should be seen in conjunction with existing guidance. For example, the PRA has previously announced a requirement for firms to be able to demonstrate, by 2025, that they can remain within self-defined impact tolerances for their Important Business Services (IBS). They are keen to see firms identify, map and test their plans to deal with the impact of any disruption from third party supplier services, and consider the impact this may have on their Important Business Services.
What impact will this have on supplier-firm relationships?
A common worry expressed by those in the industry is that these new rules could be cited by suppliers as a valid reason to increase the price of their services. The argument has been made that at a time when many business costs – from energy to wages to rent for office premises – have been steadily rising, implementing a regime that will cause suppliers to incur significantly increased costs could be detrimental to the provision and access to these services for smaller firms if these costs are then passed on to customers.
Another fear is that these suppliers could use their designation as a sales tool, promoting it as validation from regulators that they are operating in a manner that is compliant with operational resilience rules. This could then lead to a further concentration in the supply chain, with smaller third-party suppliers not designated as ‘critical’ being pushed further out of the industry, unable to compete for business.
The paper has tried to address this potential misuse of the designation by indicating that suppliers must refrain from claiming that the designation means they have the ‘endorsement’ of regulators. However, it is hard to see a scenario where this designation will not affect a firm’s choice when selecting a supplier for an outsourced service. All firms will want to understand and contractually agree on how suppliers plan to remain compliant within the new regime, handing a huge advantage to suppliers who can demonstrate their compliance through direct supervision by the regulators.
To summarise, firms should not deviate from or change their approach when it comes to their compliance strategies for any third-party suppliers, whether designated as ‘critical’ or not. All supply chain members should be thoroughly assessed for their impact on a firm’s operational resilience, and firms should still rely upon robust contractual agreements that provide adequate assurance of regulatory compliance and proportionate impact on Important Business Services in the event of disruption to those services.
The new CTP regime is designed to provide additional powers and oversight for the regulators when dealing with third-party suppliers that are considered critical to the stability of the financial system, but it should not impact a financial firm’s decision making when interacting or contracting with any supply chain member.