HM Treasury (‘HMT’) has recently issued a policy statement on ‘Critical third parties to the finance sector’.
It intends to regulate directly those who provide critical functions and services to firms regulated by the FCA and the PRA through outsourcing or similar arrangements. This will include (but not be limited to) some firms which provide cloud-based computing services.
Why is HMT proposing this?
Regulated firms have become increasingly reliant on cloud and other third party service providers.
This involves risk. Many regulated firms rely on the same third party for provision of critical services. In the event of failure or disruption of this ‘critical’ third party, there could be a threat to the stability of, or confidence in, the UK financial system. For example, as of 2020, over 65% of UK regulated firms used the same four cloud providers for cloud infrastructure services. Also, there is a rising number of cyber incidents at third party providers and their supply chains.
Regulated firms are subject to direct FCA and PRA rules requiring them to take steps to ensure operational resilience. They are also subject to detailed rules as to what their contracts with outsourced suppliers must contain. HMT does not, however, see these as sufficient to tackle the systemic risk that disruption at a third party providing key services to multiple firms could cause.
What is proposed?
HMT will – in consultation with the FCA, PRA and other bodies – be able to designate certain third parties supplying services to firms as ‘critical’. Designation may also be suggested by the FCA or PRA themselves, or even by regulated firms.
HMT will consider representations. If it agrees that a supplier should be designated, it will do so by statutory instrument.
Firms that are designated will be subject to a regulatory framework that is similar to the regimes which apply to regulated firms. The FCA and/or PRA will be able to set rules applying to the designated firm. They will have powers to require information or to conduct investigations. They will be able to require a ‘skilled persons’ report (i.e. under section 166 of the Financial Services and Markets Act 2000) on specific aspects of a designated firm’s business. The regulators will be able to require that the designated firm take or refrain from taking any specified action. There will be the possibility of enforcement action, including a power to publicise failings, and (as a last resort) to prohibit a critical third party from providing future services, or continuing to provide services to firms. It is not clear whether this may also involve financial penalties, but this is likely to be clarified in the consultation exercises by the FCA and the PRA.
This framework will be introduced by primary legislation when parliamentary time allows. After the legislation is introduced, the FCA and the PRA will issue discussion papers as to how this new basis of regulation should work. After the legislation has received Royal Assent, the FCA and the PRA will conduct consultation exercises as to the content of any rules. When the rules are finalised, HMT will consider which critical third party suppliers should be designated.
How significant is this change?
This is potentially a profound change. It will make designated service providers subject to direct regulatory control (and the possibility of enforcement action) even though they are not themselves carrying out regulated activities.
This may in some ways make life easier for regulated firms who use the services of these ‘critical’ suppliers. Negotiating suitable contractual terms in service and outsource agreements is likely to be much easier if the service provider is itself regulated. It also acknowledges that individual firms cannot be solely responsible for ensuring operational resilience.
It is not clear how many critical supplier firms will be affected by this. It is also not yet clear how far the regulation will extend; will it, for example, involve personal responsibility of individuals under the Senior Managers and Certification Regime? In any event, it will involve a very significant change for designated firms. FCA/PRA regulation is extensive and often onerous – and enforcement action by the FCA and/or the PRA involves major commercial and reputational risk.
If you have any questions on the proposed changes to critical third parties to the finance sector, please contact Tony Watts.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.