Operational Resilience: Discussion paper outlines proposed measures to supervise critical third parties
Posted on 1 Aug 2022
The UK’s supervisory authorities, including the PRA, FCA and the Bank of England, have published a discussion paper (DP3/22 – Operational resilience: critical third parties to the UK financial sector) this month outlining potential measures to be implemented to monitor services provided by critical third parties (CTPs). The proposed statutory framework for overseeing these critical third parties, which many financial firms rely on, is contained within the Financial Services and Markets (FSM) Bill, which is currently being put before Parliament.
Why is it necessary?
Firms are becoming increasingly reliant on certain third parties to deliver key functions and services, with examples including cloud service providers (CSPs) and data analytics providers. Whilst the benefits of these arrangements are recognised within the paper, including efficiency gains, reduced costs, scalability and improved operational resilience, it is also recognised that this increased reliance poses certain systemic risks. Failure or disruption to these services could potentially impact the multiple firms they service, these firms’ customers and, in extreme cases, the financial stability of the UK.
The new proposed measures are not seeking to replace the current financial regulatory framework imposed on individual firms to manage risks to their operational resilience, which include risks associated with third party providers. Instead, the new measures are aimed at providing supervisory authorities with tools to manage any systemic risks that could arise if these third parties’ services are disrupted.
The potential measures set out in the discussion paper include minimum resilience standards that CTPs will be required to meet in respect of the material services they provide to firms. These standards would be demonstrated by providing attestations to the supervisory authorities and participating in sector-wide assessments and ‘resilience tests’ such as scenario testing. CTPs would be required to identify and document all services which could impact the supervisory authorities’ objectives, map out how these services are provided and engage in regular disclosure with the supervisory authorities.
The supervisory authorities believe these additional measures would help to align and build on the existing operational resilience framework and help to provide consistency in the market by improving market discipline. Additionally, these measures would help to identify potentially harmful CTPs, allowing the supervisory authorities and the firms to take appropriate action before any failure or disruption occurs.
The FSM Bill further outlines how the supervisory authorities would look to identify and categorise third parties as CTPs. The criteria for being designated as a CTP would be based on the number and type of firms to which the third party provides services, and the materiality of the services the third party provides to firms, and therefore the potential harm caused by a failure or disruption of these services. However, it has already been acknowledged that only a small number of third parties are likely to meet the threshold to be classified as a CTP.
Why it matters and who it affects
As the discussion paper was issued jointly by the PRA, the FCA and the Bank of England, the potential changes are likely to impact all regulated financial service providers. The largest impact, however, will be for third party firms who receive the CTP classification and will therefore be subject to the increased scrutiny outlined within the paper.