Critical third parties for the financial sector: policy statement
1.1 Financial services firms and financial market infrastructure firms (“firms”) increasingly rely on third parties outside the financial industry for key functions or services (e.g. cloud computing services) through outsourcing and other arrangements. These arrangements can have many benefits, but can also create risks. In particular, if many businesses rely on the same third party, failure or disruption of that ‘critical’ third party could threaten stability or confidence in the UK financial system.
1.2 The potential for such disruptions was highlighted in 2019 when the Treasury Select Committee published a report on information technology (IT) failures in the financial services sector. [footnote 1] International bodies, including the International Monetary Fund and the Financial Stability Board, have also noted these potential systemic risks.
1.3 Since then, businesses have become increasingly dependent on the cloud and other third-party providers. This led the Bank of England’s Financial Policy Committee (FPC) to conclude in 2021 that “increasing reliance on a small number of cloud service providers and other critical third parties could increase risks for financial stability without more direct regulatory oversight of the resilience of the services they provide”.[footnote 2]
1.4 Following the FPC’s 2021 conclusion, HM Treasury has worked with the Bank of England, including the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) (“the financial regulators”) to understand what “direct regulatory oversight” of critical third-party services might involve, and to provide a framework for them to manage risks to financial stability and to their statutory objectives.
1.5 HM Treasury has worked with financial regulators to develop a proposal on critical third party risk mitigation for the financial sector. Various industry stakeholders participated in this proposal. Industry feedback has been positive and it has been widely recognized that direct oversight of some key services provided by third parties essential to the financial sector could be useful.
1.6 This policy statement details HM Treasury’s proposal to reduce the risks that systemic disruption poses to the objectives of the financial regulators, including financial stability and market confidence. Under this proposal, HM Treasury may, in consultation with the financial regulators and other bodies, designate certain third parties that provide services to firms as ‘critical’. The financial regulators will then be able to make rules, gather information and take enforcement action in relation to certain services that critical third parties provide to firms and which are of particular relevance to the regulators’ objectives (which the regulators call “material” services).
Objective of the critical third party regime
1.7 If many companies rely on the same third party for material services, the failure or disruption of this “critical” third party could have a systemic impact on the entire financial sector. Additionally, companies’ reliance on a limited number of critical third parties for key services in the financial services industry has increased in recent years and continues to do so. In 2020, for example, over 65% of UK businesses used the same four cloud providers for cloud infrastructure services.[footnote 3]
1.8 Disruptions to third parties and their supply chains also appear to be an increasing risk. The National Cyber Security Centre (NCSC) 2021 Annual Review noted that there had been an increasing number of cyber incidents in 2021, which highlighted the viability, effectiveness and global reach of supply chain operations as a means of compromising relatively well-defended targets.[footnote 4] This review warned that “further such operations are almost certain within the next twelve months”. In 2022, the NCSC also highlighted the increased risk of cyber threats due to geopolitical issues and issued targeted guidance, including on supply chain risk management.[footnote 5] These guidelines reflect the main objective of limiting the UK’s dependence on individual suppliers or technologies that are developed under regimes that do not share our values, which was highlighted in the foreword to the UK Government’s National Cyber Strategy 2022.[footnote 6]
1.9 The current powers of the financial regulators allow them to impose requirements and expectations on firms, which they have used to develop and implement an operational resilience framework. Firms are required to ensure that their contractual arrangements with third parties allow them to comply with this operational resilience framework, which includes requirements in areas such as data security, business continuity and exit planning.[footnote 7]
1.10 However, these powers alone are not enough to address the systemic risk that could result from a disruption at a third party providing key services to multiple firms. In particular, no firm alone can manage the risks arising from a concentration of the provision of essential services by one third party to several firms – for example, if these services cannot be easily restored or replaced quickly, and without undue cost and risk, in the event of the failure or disruption of that third party. There may also be significant information and power asymmetries between certain third parties and firms, which may prevent firms from obtaining adequate assurance that their contractual arrangements achieve an appropriate level of operational resilience. Firms are responsible for managing the risks to their operational resilience and will remain so under the proposed regime, the objective of which is to manage potential systemic risks arising from concentration in the simultaneous provision of material services to multiple firms. The framework will therefore complement, but not replace, individual firms’ responsibilities.
1.11 The proposed regime will fill this gap in the regulators’ powers, allowing them to directly oversee the services that critical third parties provide to firms. This will allow the regulators to ensure that essential services provided by third parties to firms in the financial sector are resilient, thereby reducing the risk of systemic disruption.
1.12 It is important for the government that the financial sector and its supply chain remain competitive and innovative. This is why the proposed regime aims to be flexible and proportionate, ensuring that the UK is able to reap the benefits of outsourcing, while combating the systemic risk it poses.
The critical third party regime
1.13 Under the proposed regime, HM Treasury will be able – in consultation with the financial regulators and other bodies – to designate certain third parties that provide services to firms as ‘critical’.
1.14 Prior to designating a critical third party, HM Treasury will consult the financial regulators and other relevant bodies. The financial regulators could proactively recommend the designation of certain third parties as “critical” to HM Treasury, based on their analysis of data and information from firms. HM Treasury will also need to consider representations made by potential critical third parties. Firms in the financial sector could also make representations to HM Treasury in relation to their own third parties.
1.15 Designation will then be made by secondary legislation, taking into account high-level criteria such as the number and type of services that a third party provides to firms, and the materiality of these services. This designation framework will be defined in the primary legislation.
1.16 Once a third party has been designated as ‘critical’, the financial regulators will be able to exercise a range of powers with respect to any material service the third party provides to the financial sector. In particular, the financial regulators will be able to make rules relating to the provision of these material services, collect relevant information from critical third parties and take formal action (including enforcement action) if necessary. The financial regulators will be required to coordinate in the exercise of these powers.
1.17 A rule-making power will allow the financial regulators to set minimum resilience standards that critical third parties will be directly held to in relation to the material services they provide to the UK financial sector. It will also allow the financial regulators to require critical third parties to participate in a range of targeted forms of resilience testing, to assess whether these standards are being met.
1.18 The financial regulators will be empowered to assess whether the resilience standards have been met. These will include powers for the financial regulators to:
- request information directly from critical third parties about the resilience of the material services they provide to firms, or their compliance with applicable requirements;
- appoint an independent “skilled person” to report on certain aspects of the critical third party’s services;
- appoint an investigator to investigate potential breaches of legal requirements;
- interview a representative of a critical third party and require the production of documents;
- enter the premises of a critical third party under warrant in the context of an investigation.[footnote 8]
1.19 The financial regulators will have a range of statutory powers, including the power to direct critical third parties to take, or refrain from taking, specific action; and enforcement powers, including the power to make breaches public and (as a last resort) to bar a critical third party from providing future services, or continuing to provide services, to firms. The powers of the financial regulators in relation to critical third parties (CTPs) will be defined in primary legislation.
1.20 The financial regulators will issue a joint discussion paper, outlining in detail how the powers conferred on them by the legislation could be exercised, and seeking industry input on the most effective and proportionate way to do so. It will also explore the role of the financial regulators in designation, including how they might make recommendations to HM Treasury when consulted. The discussion paper will also explore potential specific ways for the financial regulators to coordinate the exercise of their powers with overseas financial regulators, UK authorities and regulators outside the financial services sector.
1.21 The government intends to legislate for this plan when parliamentary time permits.
1.22 The financial regulators’ joint discussion paper will be published shortly after the introduction of this legislation. Following Royal Assent, the financial regulators plan to publish a further consultation paper on their proposed rules, building on the comments received on their discussion paper and the new statutory powers the legislation confers on them.
1.23 Following the finalisation of the regulators’ rules, HM Treasury will then expect to begin designating the first critical third parties under this new regime.