Critical Third Parties – being brought within the regulatory perimeter

On 8 June 2022 HM Treasury (HMT) published a policy statement on how it intends to mitigate the risks from critical third parties to the finance sector.

Once passed into law HMT will be able to designate certain third parties as being ‘critical’ to the financial sector, they will then come under the scope of the financial regulators in the same way that our members do already, who will then be able to set minimum resiliency standards that those third parties must meet for any material services they provide to financial services firms. The financial regulators will also have the power to test third parties to ensure they are complying with these standards.

Setting out detail
In its policy statement HMT specifically calls out cloud service providers as being critical to the sector, noting the Bank of England Financial Policy Committee meeting from July 2021 which highlighted the risk to the sector from a reliance on a small number of providers. Since then, we have become aware that a joint discussion paper from the Bank of England, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) would be published in 2022, one that would set out the detail on how they would use such powers as granted to them by HMT. Publication of the policy statement suggests that there will not be long for us to wait before we see the discussion paper.

We welcome both the HMT policy statement and upcoming discussion paper. Our members have been highly engaged on this topic since the operational resilience and outsourcing and third party risk managements regulatory papers were first published, and throughout that time always acknowledged the unique and critical role a small number of third parties play in the sector. Once the discussion paper is published, we will convene member roundtables with the regulators to ensure that the full range of discussions take place.

International alignment
Central to many of our members’ views on critical third parties is ensuring that international alignment with other regulatory requirements takes places, for example the Digital Operational Resilience Act (DORA). Members also expect that the forthcoming consultation paper on the outsourcing register will help the regulatory authorities form a view on which third parties are critical to the point of causing a systemic risk if they do not meet resilience requirements, and we have already engaged with the PRA on the requirements of this register.

Our members understand above all the significant impact that certain third parties have on their business and welcome a pragmatic, risk-based regulatory approach to them. Ensuring materials services remain resilient has never been more important to our members. The significant and unprecedented geopolitical events effecting the global economy in the last few years show have not only tested them like never before, but have also shown that they can continue to offer services to customers in spite of those events. Having third party relationships that you can rely on, knowing they are trying to achieve the standards as you, will bring a heightened level of comfort and confidence to the sector.

As a next step, UK Finance will continue to engage with HMT and the financial authorities, and we will provide a formal update to members through our committees.

Area of expertise:
Critical Third Parties – being brought within the regulatory perimeter



You may be interested in

About us

Third-Party Partnerships

UK Finance has sourced, from a number of select organisations, certain products and services that may offer solutions to some of the challenges members face, or which may be of interest more generally to members.