UK financial regulators have confirmed new rules to bolster the resilience of technology and other third parties providing key services to financial firms.
Financial firms and financial market infrastructures (FMIs), such as payment systems, have become increasingly reliant on the services of a small number of third party providers, known as critical third parties. While these third parties can enhance competitiveness for the sector, disruption to or failure of one of them, whether from a cyber-attack, a power outage or another cause, could affect a large number of consumers and firms and threaten the stability of the UK financial system.
That is why, in 2023, the government gave regulators new powers to oversee the resilience of the services these third parties provide to the sector where disruption to those services could pose a risk to financial stability. Today, the Financial Conduct Authority, Bank of England and Prudential Regulation Authority have set out how they intend to use their new powers, having consulted widely and worked closely with industry to inform the design of the regime. The new rules align closely with international standards and similar regimes, such as the EU’s Digital Operational Resilience Act.
The final rules, when implemented, will not only strengthen the resilience of the services that critical third parties provide to individual firms, but will also improve the resilience of the UK financial services sector as a whole. Strengthening resilience and promoting market stability in this way will help ensure the UK remains an attractive place to do business.
The government will decide which third parties should fall under the new regime based on advice from regulators.
The new rules do not reduce the responsibility of financial firms and FMIs for making sure they are resilient to operational shocks and for managing their third parties, in line with our existing outsourcing and operational resilience rules[1].
The regulators welcome engagement from industry over the coming months as the regime is implemented.
More information
- Policy Statement (PS) 24/16 Operational resilience: Critical third parties to the UK financial sector[2]
- Supervisory Statement: Operational resilience: Critical third parties to the UK financial sector[3]
- The Regulators’ approach to the oversight of Critical Third Parties[4]
- Joint Foreword[5]
- Enforcement statement[6]
- Critical Third Parties – HM Treasury’s Approach to Designation[7]
- The final rules and policy will come into effect on 1 January 2025.
- Once designated, critical third parties will not be overseen in their entirety by the regulators; oversight will extend only to the services they provide to the financial services sector.
- The rules will require critical third parties, once designated, to:
- provide regular assurance, information and notifications to the financial regulators on their services
- undertake various forms of resilience testing and scenario-based exercises, including some conducted jointly with the firms and FMIs they serve
- report major incidents, such as cyber-attacks, natural disasters and power outages
- In December 2023, the financial regulators published an extensive consultation[8] with the sector, which received broadly supportive feedback from over 60 industry respondents.