The FCA, PRA and Bank of England issue Joint Proposal into Overseeing Critical Third Parties (News Release on Bank of England website - 7 December 2023)
The Bank of England, Prudential Regulation Authority, and Financial Conduct Authority are consulting on proposals to oversee and strengthen the resilience of services provided by critical third parties to UK regulated firms.
Critical third parties supply various services to firms, providing benefits, including greater operational resilience and innovation. However, if they are disrupted or fail, there are potential risks to UK financial stability. Managing these risks fully is beyond the ability of any individual firm and requires an appropriate but proportionate level of direct regulatory oversight. These proposals will complement the responsibilities of individual firms relating to operational resilience and third-party risk management.
Sam Woods, Deputy Governor of Prudential Regulation and the CEO of the PRA said:
‘Third party service providers often play a vital role in the delivery of important services by banks and insurers. These arrangements bring benefits, but also potential risks. We are consulting today on proposals to implement new powers given to us by Parliament to manage these risks for those providers who could present risks to financial stability, in an effective and proportionate way.’
Sarah Breeden, Deputy Governor for Financial Stability said:
‘Firms are becoming increasingly dependent on third-party technology providers for services that could impact UK financial stability if they were to fail or be disrupted. The proposals build on last year’s discussion paper to enable the Bank of England, in coordination with the PRA and the FCA, to manage these systemic risks, while enabling UK firms also to benefit from using such providers.’
Nikhil Rathi, Chief Executive of the FCA said:
‘Well managed outsourcing can bring efficiencies, accelerate innovation and boost operational resilience. With a concentration of third parties serving multiple clients in financial services, there is, however, a risk of major impact if they are disrupted or fail. We believe these proposals will improve the resilience of the critical third-party services that financial firms and their customers depend on, support market integrity and enhance UK competitiveness and growth.’
The proposals follow the discussion paper published in July 2022. They include how the regulators may identify potential critical third parties and recommend them for designation to HM Treasury.
Other proposals include:
A set of fundamental rules that would apply to all the services critical third parties provide to UK firms, and act as a general statement of their obligations under the proposed regime;
A set of more granular operational risk and resilience requirements, to apply only to critical third parties material services to firms, such as requirements on technology and cyber resilience, as well as on supply chain risk, change and incident management;
Requirements for critical third parties to provide certain information and assurance to the regulators, including submitting an annual self-assessment, and conducting regular testing of their ability to provide material services in severe but plausible disruption.
Requirements for critical third parties to notify the regulators and the firms they provide services to, of specific disruptions which may adversely impact the services provided
Critical third parties will not be authorised or overseen in their entirety by the regulators, but the third-party services they provide will be overseen against these proposals, once finalised.