PS24/16: Operational resilience: Critical third parties to the UK financial sector

Consultation opened
07/12/2023
Consultation closed
15/03/2024
Policy Statement published
12/11/2024
12/11/2024
Policy statements First published: Last updated: 12/11/2024

We set out, jointly with the Prudential Regulation Authority (PRA) and the Bank of England (the Bank), the final requirements and expectations for critical third parties (CTPs).

Read PS24/16

Why we are doing this

In CP23/30: Operational resilience: Critical third parties to the UK financial sector, which we issued jointly with the PRA and the Bank, we consulted on policy measures to manage the systemic risks posed by certain third parties to the UK financial sector.   

The new rules will allow the regulators (the FCA, PRA and the Bank of England) to monitor and manage these risks in an effective but proportionate manner.  

In this PS and accompanying Supervisory Statement (SS), we lay out the final requirements and expectations for CTPs. These rules follow extensive engagement, feedback, and cost-benefit analysis of our original proposals. 

Who this is for

These rules will primarily affect CTPs and potential CTPs.

They may also be relevant to:

  • Firms and financial market infrastructures (FMIs).
  • Trade associations representing the various market participants or member groups with thematic interests.
  • Wider financial market participants, such as researchers, academics and other market commentators. 

Next steps

The final rules for CTPs will take effect from 1 January 2025

The regulators may recommend third parties to HM Treasury for designation.  However, HM Treasury takes the decision to designate.   

Market participants impacted by the changes should read this Policy Statement (PS) and the final rules. 

While this PS summarises the most important aspects of our final rules, the new CTP sourcebook and related enforcement rules are the determinative instruments and should be read in their entirety along with this PS/SS to understand the full detail of our final rules. The regulators have also published an approach to oversight document, providing guidance on how we will oversee CTPs in practice. 

Background

Firms and financial market infrastructures (FMIs) have become increasingly reliant on the services of third parties. Disruption to or failure of one of these third parties, such as a cyber-attack or a power outage, could affect many consumers and firms and even threaten the financial stability and confidence of the UK.  

FSMA 2023 granted the regulators and the Treasury powers in relation to CTPs. The regulators’ new statutory powers aim to enable them to intervene to raise the resilience of the services that CTPs provide to firms and FMIs, thereby reducing the risk of systemic disruption to the financial sector.   

The new rules do not change the responsibility financial firms have in making sure they are resilient to operational disruptions and for their management of third-party suppliers, in line with our existing outsourcing and operational resilience rules.   

Related content

CP23/30: Operational resilience: Critical third parties to the UK financial sector
Bank of England’s approach to enforcement: proposed changes to statements of policy and procedure following the Financial Services and Markets Act 2023
Critical Third Parties – HM Treasury’s Approach to Designation

Request an alternative format

Please complete this form if you require this content in an alternative format.