Consultation opened: 07/12/2023
Consultation closed: 15/03/2024
Policy Statement published: 12/11/2024
We set out, jointly with the Prudential Regulation Authority (PRA) and the Bank of England (the Bank), the final requirements and expectations for critical third parties (CTPs).
In CP23/30: Operational resilience: Critical third parties to the UK financial sector, which we issued jointly with the PRA and the Bank, we consulted on policy measures to manage the systemic risks posed by certain third parties to the UK financial sector.
The new rules will allow the regulators (the FCA, PRA and the Bank of England) to monitor and manage these risks in an effective but proportionate manner.
In this PS and accompanying Supervisory Statement (SS), we lay out the final requirements and expectations for CTPs. These rules follow extensive engagement, feedback, and cost-benefit analysis of our original proposals.
These rules will primarily affect CTPs and potential CTPs.
They may also be relevant to:
The final rules for CTPs will take effect from 1 January 2025.
The regulators may recommend third parties to HM Treasury for designation. However, HM Treasury takes the decision to designate.
Market participants impacted by the changes should read this Policy Statement (PS) and the final rules.
While this PS summarises the most important aspects of our final rules, the new CTP sourcebook and related enforcement rules are the determinative instruments and should be read in their entirety along with this PS/SS to understand the full detail of our final rules. The regulators have also published an approach to oversight document, providing guidance on how we will oversee CTPs in practice.
Firms and financial market infrastructures (FMIs) have become increasingly reliant on the services of third parties. Disruption to or failure of one of these third parties, for example as a result of a cyber-attack or a power outage, could affect many consumers and firms and even threaten the financial stability and confidence of the UK.
FSMA 2023 granted the regulators and the Treasury powers in relation to CTPs. The regulators’ new statutory powers aim to enable them to intervene to raise the resilience of the services that CTPs provide to firms and FMIs, thereby reducing the risk of systemic disruption to the financial sector.
The new rules do not change the responsibility financial firms have for making sure they are resilient to operational disruptions and for managing their third-party suppliers, in line with our existing outsourcing and operational resilience rules.