Over the last year, the UK financial services industry has been busy implementing their regulators’ new operational resilience framework [1]: identifying and mapping important business services and setting associated impact tolerances. But a potential vulnerability in all this good work was identified some time ago, and the UK Government has set its sights on addressing it.
Firms providing services to the finance sector may not be used to interacting with the financial services regulators but could soon be facing FCA and PRA scrutiny and be at risk of enforcement action which could extend to a ban on providing services. Such scrutiny will apply to any service provider that the UK Treasury (HMT) considers has the potential to threaten the stability of, or confidence in, the financial system of the United Kingdom, regardless of where that service provider itself is based. These proposals follow recent announcements in the EU of political agreement on the Digital Operational Resilience Act (DORA) [2], which will require critical third-country information communication technology (ICT) related service providers to financial entities in the EU to establish a subsidiary in the EU and be subject to oversight.
Mitigating risks
Financial services firms are already required to identify and have an understanding of their reliance on critical service providers. They need to have appropriate and effective risk management systems and strategies in place to deal with outsourced service providers [3]. These measures are only part of the picture, however, and there has been growing awareness of, and concern about, the increasing reliance by many on a small number of cloud service providers and other critical third parties. No single firm can manage risks originating from a concentration in the provision of critical services by one third party to multiple firms. In the words of the UK’s Financial Policy Committee, “absent a cross-sectoral regulatory framework, and cross-border co-operation where appropriate, there are limits to the extent to which financial regulators alone can mitigate these risks effectively” [4]. Enter HMT, working with the Bank of England, including the PRA, and the FCA “to understand what ‘direct regulatory oversight’ of critical third party services might involve”. The outcome is set out in a policy statement published by HMT on 8 June 2022 [5].
Who will be caught by this new regime?
HMT want to be granted the power to designate certain third party firms as ‘critical’. As mentioned above, this assessment of criticality is determined by reference to the risks that a failure or disruption of a service provider poses to the financial system of the United Kingdom, irrespective of where the service provider is located.
The designation will be made in consultation with the financial regulators and “other bodies”. The regulators might proactively recommend a third party be designated as critical, but the final say will rest with HMT. This power will be granted in primary legislation, which will presumably prescribe the criteria to be considered in order to regulate HMT’s use of the power.
There is no indication of what HMT might consider ‘critical’. There is, however, a clear focus on certain cloud providers. Beyond this HMT state simply that any assessment will be based on their analysis of data and information from firms.
In terms of such information, a joint consultation paper on incident reporting and outsourcing and third party reporting is expected to be published by the Bank of England, PRA and FCA any time between now and the end of Q3. The drivers behind this policy include enabling the regulators to collect certain information on regulated financial services firms’ outsourcing and third party arrangements in order to manage the risks they may present to the regulators’ objectives, including resilience, concentration and competition risks. The PRA is also considering an online portal that financial services firms would need to populate with certain information on their outsourcing and third party arrangements, or a subset thereof, such as those deemed material [6], in order to help identify common critical third parties.
Implications for ‘critical third parties’
Once designated, the FCA and PRA will be able to exercise “a range of powers in respect of any material services that the third party provides to the finance sector”. The regulators will be able to make rules relating to the provision of these services, request information from the service provider and take “formal action (including enforcement) where needed”.
Resilience standards
The primary act proposed by this policy statement will grant the regulators the power to make rules to set minimum resilience standards that a critical third party will be directly required to meet in respect of any material services it provides to the UK finance sector. It will also allow the financial regulators to require critical third parties to take part in a range of targeted forms of resilience testing, to assess whether these standards are being complied with.
Direct supervision
Critical third parties will join the ranks of supervised firms. Such entities will have to establish relationships with the supervisory teams at the FCA and PRA. The regulators will scrutinise how they conduct their business. They will ask for information. They will also be able to commission independent skilled person reports “on certain aspects of a critical third party’s services” or appoint investigators to look into potential breaches of the requirements. Critical service providers should anticipate regular dialogues with the financial services regulators and it is likely that board engagement will be expected.
Penalties
The policy statement anticipates “a suite of statutory powers” for the regulators, including the power to direct critical third parties to take, or refrain from taking, specific actions, and enforcement powers including a power to publicise failings and (as a last resort) to prohibit a critical third party from providing future services, or from continuing to provide services to firms.
Service providers beware!
This will be a new world for a number of critical service providers. What is clear from this policy statement is that their ‘material services’ will be subject to regulation. Open questions include:
- How will HMT exercise its power? What will the thresholds of criticality be? Although the policy statement accepts that HMT will need to “have regard” to representations made by potential critical third parties, what will the process involve and what rights of challenge might a firm have?
- Once designated as “critical”, how will “material services” be determined? Will this map to the identification of ‘material outsourcings’ by financial services firms? If so, what transparency around this will be available to the third parties? If not, who will determine materiality and how? Will it be limited to ICT services in line with the EU’s DORA?
- What will the ‘resilience standards’ be? Will they be tailored and proportionate or blanket standards? How will they dovetail with the requirements already indirectly applicable to service providers to financial service firms by virtue of the contractual requirements for such outsourcings? Will they mirror the operational resilience requirements on regulated financial services firms that require impact tolerances and mapping, processes, systems and controls, and governance and communication strategies? How will the testing requirements compare to the penetration tests due to be required by the EU’s DORA? Inevitably there will be compliance costs. The policy paper states that this new regime for service providers will not replace the individual responsibilities of regulated financial services firms, but will critical service providers risk guilt by association? Service providers will be keen to ensure that any enforcement risks are isolated to performance metrics within their control.
- Given the extra-territorial reach of the proposals, how do the regulators anticipate ensuring an adequate oversight of third country service providers? Will the ‘resilience standards’ include any presence or localisation requirements similar to the requirement to establish a subsidiary in the EU’s DORA? Will an assessment of adequate regulatory cooperation and equivalence be required in relation to the service provider’s home state?
The government intends to legislate for this regime “when parliamentary time allows”. The regulators will then issue a joint discussion paper setting out how they might exercise the powers granted to them. The recent regulatory initiatives grid suggests simply that this will be sometime this year. This will be followed, once the primary act is passed, by a consultation on their proposed rules. Once the regulators finalise their rules, HMT will begin designating the first critical third parties under this new regime. Given the regulatory focus on operational resilience, as soon as parliamentary time allows the primary act to be made, the regulators are likely to act fast. Service providers are advised to watch this space and engage in the discussion paper and subsequent consultation.
Footnotes
1. New operational resilience requirements and guidance for UK financial services firms
2. Political agreement on DORA
3. SS 2/21 para 4.4
4. FPC Summary July 2021
5. Policy statement on critical third parties to the financial
6. PRA policy statement on outsourcing and third party risk management