Operational Resilience: Critical Third Parties – a further dimension
As part of an ongoing push by U.K. regulators to shore up the operational resilience of firms and financial market infrastructures (FMIs), the Financial Services and Markets Bill (FSM Bill; “the Bill”) sets out to overhaul the powers for supervisory authorities to designate and subsequently regulate what they deem to be ‘critical third parties’ (CTPs). Designation as a CTP by His Majesty’s Treasury (HMT) would act as a formal recognition of the potential systemic impact that disruption to services provided by CTPs could have on supervisory objectives, including but not limited to protecting the stability of, and ensuring confidence in, the U.K. financial system.
Despite this proposed change, DP3/22 makes it abundantly clear that firms and FMIs would be primarily responsible, and ultimately accountable, for managing risks to their resilience arising from their arrangements with third parties. The supervisory authorities recognise the benefits that well-managed outsourcing can bring to firms and FMIs in terms of cost reduction, efficiency improvement, and enhanced scalability. The two main problems identified by the regulators in relation to outsourced service providers (OSPs), however, are dependency and concentration, as these open up the potential for single-point-of-failure risks.
From a comparative perspective, the U.K.’s proposed CTP framework is wider in scope than the EU’s DORA. Whilst the latter focuses solely on the security of network and information systems, the former looks to cover any OSP whose services meet the requisite criteria (set out further below).
The current framework
Existing legislative operational resilience frameworks are limited insofar as no single firm or FMI can adequately monitor and manage the risks that stem from the concentration of service provision to multiple firms and FMIs by the same third party. Section 165A of FSMA 2000 allows the PRA to exercise information-gathering powers, but the thresholds for the exercise of these powers are prohibitively high. In response to this, the Bill proposes a new power with fewer hurdles to overcome, thereby making it easier for the PRA to gather the information it requires.
What makes an OSP a CTP?
DP3/22 sets out a range of factors that could possibly be considered when deciding whether or not to assign CTP status to an OSP. These include:
- Materiality – this would take account of economic functions, critical functions, and important business services.
- Concentration – this would assess the number, type, and significance of firms and FMIs that rely on a given third party for material services.
- Potential impact – as distinct from materiality, this would focus on the features of the CTP, and/or the services they provide, that could impact their potential to cause systemic risks.
Implications of designation as a CTP
The thrust of the changes to the supervision and regulation of CTPs lies in the introduction of minimum resilience standards and resilience testing. The proposed minimum resilience standards include the following elements:
- Identification and documentation of all services provided,
- Mapping of people, technology, and information required to provide services,
- Risk management and identification of risks to material services,
- Testing the resilience of material services,
- Engagement with supervisory authorities through incident and information reporting,
- Continuity playbook that details the specific risk mitigation measures adopted,
- Post-incident communication plans to be followed in the event of failure or disruption, and
- Learning and evolving from any incidents that occur.
The discussion paper also sets out a number of resilience testing tools that could be utilised to ensure continuity of service provision:
- Scenario testing,
- Sector-wide exercises,
- Cyber-resilience testing, and
- Skilled persons’ reviews.
New regulatory powers
The proposed changes to the regulation of CTPs also cover a range of new powers that supervisory authorities could use to oversee the activities of CTPs. The most fundamental changes are:
- Appointing a skilled persons’ review,
- Imposing limitations on service provision,
- Disqualifying CTPs from offering services to firms in the future, and
- Compelling actions through the issuance of directions to CTPs.
What’s next?
The period for submitting responses to the Discussion Paper has now elapsed, and it is expected that a Consultation Paper will be issued later in 2023 that sets out the specifics of the oversight regime that is to be put in place.
In the meantime, OSPs should carefully consider the points set out in the Discussion Paper and begin considering whether or not they will fall within the scope of CTP designation. As this is a radical overhaul, OSPs should thoroughly understand not only the potential new requirements that may be imposed on them, but also the often severe implications of failing to meet the standards demanded.
Novatus is a market-leading risk advisory firm. We have a great deal of experience in assisting firms across the financial services spectrum in bringing their current frameworks and existing practices up to speed with ever-changing regulatory requirements. We can provide a rapid health check of your operational resilience programme and support in the implementation of enhancements.
If you would like to discuss our offerings further, please contact Hugo Warner – hwarner@novatusadvisory.com.