A&O Shearman | FinReg | UK Regulators Propose Requirements for Critical Third Parties' Services to UK Regulated Firms
Financial Regulatory Developments Focus
  • UK Regulators Propose Requirements for Critical Third Parties' Services to UK Regulated Firms

    The Bank of England, Prudential Regulation Authority and Financial Conduct Authority (together, the supervisory authorities) have published a discussion paper proposing measures to supervise and enhance the resilience of critical third parties (CTPs) to the U.K. financial sector. Responses to the discussion paper may be submitted until December 23, 2022. The supervisory authorities intend to consult on proposed requirements for CTPs in 2023.

    Currently, the supervisory authorities' direct powers over entities providing critical services to U.K. authorized firms, their service providers (authorized e-money institutions, payment institutions and registered account information services) and financial market infrastructures (together, U.K. regulated firms) are limited. The Financial Services and Markets Bill, introduced to Parliament yesterday, would grant HM Treasury and the supervisory authorities new express powers to oversee such third parties. HM Treasury will be able to designate an entity as a CTP if it provides services to U.K. regulated firms and its failure would pose financial stability or confidence risk to the U.K.

    The FSM Bill would empower the supervisory authorities to (among other things):
    • make rules governing the CTP services provided to U.K. regulated firms;
    • direct CTPs to, or prohibit CTPs from, taking certain actions;
    • publicly censure a CTP for rule breaches;
    • impose disciplinary measures against a CTP, including banning them from providing their services to U.K. regulated firms, preventing U.K. regulated firms from availing themselves of services from the CTP and imposing conditions on the provision of services by the CTP.

    The supervisory authorities would only oversee the systemic risks arising from the provision of services by a CTP to U.K. regulated firms. The obligations on U.K. regulated firms to manage the risks of all their third party service providers would not be affected by the new requirements for CTPs. In other words, it remains the position that if a U.K. regulated firm outsources a function to a third party, it cannot delegate responsibility for compliance with any regulatory requirements relating to that function.

    The supervisory authorities' discussion paper sets out proposals on:
    • Their approach to identifying potential CTPs and recommending their designation to HM Treasury.
    • Minimum resilience standards that CTPs could be required to satisfy in respect of material services provided to U.K. regulated firms, including disclosure to the supervisory authorities of the results of their self-assessments and participation in resilience tests.
    • Resilience testing of CTPs, such as scenario testing, participation in sector-wide exercises and cyber resilience testing.
