Situation critical: Proposed new rules to regulate Critical Third Parties

As we have previously discussed in our Briefing on FSMA 2023 and 2024 New Year Briefing, FSMA 2023 amended the Financial Services and Markets Act 2000 ("FSMA 2000") to introduce a statutory framework for the designation by HM Treasury of certain technology businesses that supply firms and FMIs as CTPs (section 312L of FSMA 2000). The regulatory hook for HM Treasury's designation power is its opinion that a failure in, or disruption to, the provision of the services (either individually or, where more than one service is provided, taken together) could threaten the stability of, or confidence in, the UK financial system. The regime also includes a requirement that HM Treasury consult the Regulators before making a designation and, in practice, it is apparent that the Regulators expect that they will make proactive recommendations as to potential CTPs to HM Treasury.

The Regulators have since published a package of documents for consultation, led by CP26/23 – Operational resilience: Critical third parties to the UK financial sector and accompanied by a draft  joint supervisory statement from the Regulators, and draft new CTP rules (including an entirely new Critical Third Parties Sourcebook of the FCA Handbook and equivalent instruments from the Bank of England and PRA).

The genesis of this new regime was motivated mainly by the perception that firms and FMIs were collectively becoming highly reliant on a small number of cloud service providers (globally, some estimates suggest that the top three cloud providers account for nearly two-thirds of the market), and took place against a background of incidents such as the failed TSB IT migration (for which TSB was fined by both the FCA and PRA) and the Visa outage (which resulted in no technical enforcement action, but the Bank of England did exercise its powers to direct Visa Europe to implement the recommendations of an independent report), both of which took place in 2018. The policy conclusion that appears to have been reached is that existing requirements applying to firms and FMIs are insufficient, and that imposing risk management and supervisory requirements directly onto CTPs is needed to supplement the existing regime.

With the Post Office scandal bringing media and political scrutiny to the realm of external IT procurement, it is also important to note that there is no limitation in the statutory regime to cloud service provision, and the increased trend towards the use of software as a service ("SaaS") and platforms as a service ("PaaS") structures mean that it is highly foreseeable that this regime could ultimately apply to providers outside the household name global tech giants originally in mind when it was designed.    

It is also important to note that there is no requirement or expectation that firms and FMIs are to prefer designated CTPs, and indeed CTPs are to be prohibited from claiming that their designation makes them in any way superior to their competitors.

Material services

Having said that, it is clear from the consultation paper that the policy intention is that only a small number of providers will meet the statutory test and be truly "critical". In addition, the Regulators state that their "most granular" requirements will only apply to "material services". Rather oddly, the definition of material services in the FCA Handbook and the Bank of England and PRA Rulebooks is substantially identical to the statutory test for HM Treasury designation. What this means in practice would appear to be that, once designated, parts of the new CTP regulatory framework will apply across the CTP's business, with heightened requirements attaching to the services that mainly prompted designation.

Territorial application

This – a significant departure from the classical UK approach to regulation – is a clear response to the fact that, for example, cloud service providers operate globally (and indeed that is fundamental to their business models). We also regard this approach as the only way to implement a regime like this in such a way as to avoid disadvantaging the UK economy – had there been an attempt to limit it to UK-based CTPs, or force UK subsidiarisation, there would have been a considerable danger of either (or both) hobbling UK IT businesses or discouraging international businesses from operating in the UK.

On the related subject of international interoperability, the Regulators claim to have designed the regime to be as interoperable as was feasible with similar overseas initiatives such as DORA in the EU, or the Bank Service Company Act in the US. There are certainly overlaps, and, for example, certain regulatory notifications and other information requirements may be satisfied by re-using material generated for compliance with DORA (especially). We would caution CTPs operating in the EU, however, against thinking that compliance with DORA necessarily means that the task of implementing the CTP regime will already have been done (even putting aside that DORA is not fully applicable until 2025).

Individual responsibility for engagement with the Regulators

This must be an employee or member of its governing body with appropriate skills, experience and knowledge, including of the "requirements and expectations applicable to the CTP, and the firms and FMIs" to which it provides services. While that person is not required to be located in the UK, they "should be contactable during UK business hours".

The supervisory statement also clarifies that a CTP may have more than one such person – that is not immediately obvious on the face of the draft rules and appears somewhat to cut across the concept of a single point of contact.

Depending on the nature of the CTP and its services, it may be that CTPs will look to recruit people with compliance and/or regulatory relations backgrounds to carry out these roles. There is no suggestion at this stage of any individual accountability attaching to this function (still less that there will be an equivalent of the UK's "Senior Managers Regime", which regulates the conduct of senior individuals within regulated firms and includes a strong element of individual accountability). Nevertheless, those familiar with dealing with regulatory scrutiny of major operational incidents will appreciate that it is not always a comfortable seat to fill.

Non-designation of regulated firms and FMIs, and questions about group structures

The designation power given to HM Treasury by FSMA 2023 is permissive and, within constraints, discretionary. The consultation paper indicates that there are certain cohorts of businesses that could satisfy the statutory test but for which the Regulators would not recommend designation. These include firms and FMIs whose "services…are subject to a level of regulation and oversight that delivers at least equivalent outcomes" to the CTP regime.

In addition, third parties that are subject to other regulatory regimes that can deliver the same outcomes (such as telecommunications or energy providers) are unlikely to be designated.

While it is obviously welcome that the Regulators accept the need to minimise overlapping regulation in this field, we would note some limitations as to how much businesses can rely on them: these points are not included in the supervisory statement, are an overlay to the legislation and are qualified as being the Regulators' expectations (that is, they do not consider themselves bound by what they have said if circumstances turn out differently). Regulated firms, FMIs and entities already subject to stringent business continuity regimes may wish to take the opportunity to argue that the supervisory statement should expressly state that the Regulators will not recommend their designation, as the principle outlined in the consultation paper – effectively that there is no need to designate as a CTP a firm that is already subject to the Regulators' remit via other routes – is clearly a sound and logical position.

Moreover, many technology firms (and suppliers of other services) have already become authorised or regulated, and are often structured in complex corporate groups. Conversely, many regulated businesses (especially in the payments and fintech fields) have deliberately (and often for very good operational resilience reasons) separated, within their groups, IT systems and other technology assets from the provision of services within the regulatory perimeter. UK regulation has essentially always been applied at an entity level, and the relevant legislation describes HM Treasury's power to designate "a person" – i.e. this designation is also intended to be at entity level.      

What is unaddressed is whether, for example, an FMI that had placed its technology assets into a subsidiary (or several) that supplied services both intra-group and to other FMIs or firms, such that it met the statutory test for designation, would be likely to have that subsidiary designated or whether the Bank of England's existing supervision of the FMI entity would be regarded as sufficient. On the face of the legislation, it looks to be the former (i.e. the group ends up having companies falling within both regimes). Whether that would happen in practice probably depends heavily on the story the group was able to tell the Regulators and HM Treasury about its governance and intra-group dependencies. 

CTP Fundamental Rules

Designed to be similar to the FCA's Principles for Business, and PRA Fundamental Rules (the foundational obligations applicable to FCA- and PRA-authorised firms respectively), the CTP Fundamental Rules will apply to all services provided by the CTP. They are:

• CTP Fundamental Rule 1: A CTP must conduct its business with integrity.
  
  
• CTP Fundamental Rule 2: A CTP must conduct its business with due skill, care and diligence.
  
  
• CTP Fundamental Rule 3: A CTP must act in a prudent manner.
  
  
• CTP Fundamental Rule 4: A CTP must have effective risk strategies and risk management systems.
  
  
• CTP Fundamental Rule 5: A CTP must organise and control its affairs responsibly and effectively.
  
  
• CTP Fundamental Rule 6: A CTP must deal with a regulator in an open and co-operative way, and must disclose to a regulator appropriately anything relating to the critical third party of which it would reasonably expect notice.

These concepts will be extremely familiar to financial services specialists, and CTPs can be forgiven if they are slightly relieved that there are no equivalents to the FCA's Principle 6 (a firm must pay due regard to the interests of its customers and treat them fairly) or Principle 12 (a firm must act to deliver good outcomes for retail customers – known as the Consumer Duty).

These CTP Fundamental Rules are, however, supplemented by eight extensive and detailed additional requirements on operational risk and resilience. These apply to all material services provided by the CTP. We summarise the core of the requirements before expanding on a couple of the issues and challenges they could raise in practice.

·       Requirement 1: Governance – A CTP must ensure that its governance arrangements promote the resilience of any material service it provides. (Requirement 1 incorporates the appointment of an individual as the single point of contact for the Regulators that we have described above.)

·       Requirement 2: Risk management – A CTP must effectively manage its risk to its ability to continue to deliver a material service.

·       Requirement 3: Dependency and supply chain risk management – A CTP must identify and manage any risks to its supply chain that could affect its ability to deliver a material service.

·       Requirement 4: Technology and cyber resilience – A CTP must ensure the resilience of technology that delivers, maintains or supports a material service.

·       Requirement 5: Change management – A CTP must ensure that it has a systematic and effective approach to dealing with changes to a material service, including changes to the processes or technologies used to deliver, maintain or support a material service. (This was an area in which TSB was subjected to particular criticism.)

·       Requirement 6: Mapping – A CTP must identify and document (i.e. map): a) resources, including the assets and technology, used to deliver, support and maintain each material service it provides; and b) any internal and external interconnections and interdependencies between those resources. This must be completed within 12 months of designation. 

·       Requirement 7: Incident management – A CTP must appropriately manage incidents that adversely affect, or may be reasonably expected to adversely affect, the delivery of a material service.

·       Requirement 8: Termination of a material service – A CTP must have in place appropriate measures to respond to a termination of any of its material services, for any reason.   

These Requirements are expanded upon with specific additional tasks. It is highly likely that major technology providers will already be doing some, if not many, of the risk management and governance practices required (especially those that are already in scope of DORA, as discussed above).

Regulatory expectations and disciplinary powers

However, this regime requires a new lens. In terms of conduct and governance, financial services make up one of the most intensively regulated sectors in the UK, and the expectations of the Regulators are commensurate with that. In this respect, the supervisory statement gives CTPs a "Northern Star" (easy to follow, but fiercely bright in terms of the regulatory scrutiny it presages) when it describes the regime's "overall objective" as being that CTPs must manage potential risks to the stability of, and confidence in, the UK financial system that may arise due to a failure in, or disruption to, the CTP's services to firms and FMIs. The Regulators will seek to achieve this by improving and overseeing CTPs' resilience. That said, the Regulators stress that the regime is intended to be proportionate and not "one size fits all".

The new rules additionally include rules on testing, information-sharing (especially with clients), notifications (during incidents, for example), and skilled persons reports under s.166 FSMA 2000. For readers unfamiliar with the Regulators' powers, skilled persons reports can sometimes be perceived as a "soft" form of enforcement action. In fact, they can be both extremely costly in the literal sense as the Regulators will make the sanctioned business cover the cost, as well as absorbing enormous amounts of management time, and distracting the business from its commercial agenda. This power should not be excessively downplayed.

On the subject of sanctions, what is conspicuous by its absence is a new power to fine CTPs for breaches of the regime, which is sanction the Regulators have a long track record of imposing on firms, especially. TSB was fined a total of over £48 million by the FCA and PRA in 2022 after its well-publicised problems with an IT migration. However, just as we caution CTPs against thinking that skilled persons reports are little to worry about, a similar sentiment applies to the new disciplinary powers given to the Regulators.

Where the rules have been breached, the Regulators can:

·       Force CTPs to stop providing services to firms and FMIs. This would cover both existing and proposed contracts.

·       Prohibit firms and FMIs from receiving services from CTPs. Again, this would include the cessation of existing relationships and a ban on new ones.

·       Impose conditions or limitations on the business relationships between CTPs and firms and FMIs. These could be applied to the CTP, the client(s), or both. 

One of the Regulators' other powers which is more potent than it could first appear is requiring a self-assessment of compliance. Somewhat buried in the middle of the new draft rulebooks is a requirement that CTPs prepare and submit to the Regulators an annual written self-assessment of compliance with the rules. The first version must be supplied within three months of designation, and further versions are then due each year. These should be clear and concise, but also balanced, thorough and transparent – in particular, the Regulators expect these self-assessments to be open about issues identified and proposed improvements or remediations. CTPs should not give unduly positive reports, and indeed we expect that this could be taken as a red flag by Regulators.  Any underlying data or outputs (such as audit reports) must be given to the Regulators on request.

There are two specific areas covered by the Operational Risk and Resilience Requirements that are worth drawing out, as the detail of what CTPs will need to do is not apparent on the face of the CTP Fundamental Rules or the Operational Risk and Resilience Requirements.

Dealing with material incidents

The Regulators mandate that CTPs prepare to deal with incidents in advance, and that (as well as implementing measures to prevent or minimise incidents) they must assume that incidents will happen.

As well as setting a maximum tolerable level of disruption, CTPs must maintain a Financial Sector Incident Management Playbook ("Playbook"). While the Regulators accept that each incident will be unique, the Playbook (which must sit alongside previously planned steps to be taken to deal with the incident itself) is actually intended to cover the crisis and ongoing communications with firms, FMIs and the Regulators. The Regulators can request to see the Playbook at any time.

CTPs are also expected to engage with industry-wide exercises on resilience and incident management. Regulated firms and FMIs will be used to such exercises, but this may be a new practice for CTPs.

Managing the CTP's own supply chain

The previous regime sought to deal with technology risks by forcing firms and FMIs to use their purchasing power to regulate their suppliers by contract. The CTP regime takes this at least one stage further by making CTPs do the same along their own supply chain (defined as meaning "the network of persons that provide infrastructure, goods, services or other inputs directly or indirectly utilised by a CTP to deliver, support or maintain a material service"). In particular, CTPs will be required to carry out due diligence on their suppliers (including any intra-group arrangements or dependencies – not all intra-group arrangements are always documented as contracts), and will have to take all reasonable steps to ensure that each link in its supply chain:

·       understands the requirements that apply to the CTP;

·       takes appropriate action to facilitate the CTP meeting those requirements; and

·       provides the Regulators with access to any information relevant to their oversight functions.

These requirements will apply globally. This means that, as well as reviewing and potentially re-engineering governance and risk management tools, CTPs will need to carry out detailed analysis of their supply chain management to ensure compliance. 

The consultation period closes on 15 March 2024. Following Royal Assent to FSMA 2023 and the commencement of HM Treasury's new powers, the CTP regime will become a reality. However, now is the opportunity to shape the granular rules that will drive the structures, processes and risk appetites of CTPs for some time to come. Where impacted businesses have specific feedback and challenge to the detailed draft rules and supervisory statement, this should be put to the Regulators now, and supported by reasoned and evidence-based arguments. Opposition based purely on increased costs is unlikely to be compelling by itself, if history is any judge, but that should not stop those responding to the consultation from challenging any flaws they see in the Cost-Benefit Analysis. This has been based on an assumed population of 20 CTPs. Among other figures, this puts forward an expected mean cost of implementation of roughly £600,000-£900,000 per CTP, with ongoing mean annual costs of £500,000 per CTP.  

The Regulators also plan to consult on the use of their disciplinary powers under the regime, as well as publishing an additional document outlining their approach to overseeing CTPs. Both of these publications are promised "in due course".  

There is no committed timeline. However, given the level of consideration that HM Treasury and the Regulators have already given this policy, it seems to us highly likely that at least some candidates for designation will already have been identified. HM Treasury are required by the legislation to give potential CTPs the chance to make representations about whether they should be designated – we expect that process to be underway quite soon, possibly by mid-2024.