On 12th November 2024, the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England (BoE) jointly published a Policy Statement introducing final rules, expectations, and guidance for critical third parties to the UK financial sector.
The FCA has also opened a consultation, CP24/28: Operational Incident and Third-Party Reporting, on proposed new rules requiring regulated financial services firms to report operational incidents and material third-party arrangements. The consultation closes on 13 March 2025.
This marks a significant step in enhancing the resilience of the UK financial system against risks posed by disruptions in third-party services.
In this blog, we’ll unpack the details of the new rules, explore their broader impact, and outline how firms can prepare to stay compliant.
Context to Policy Statement (PS24/16)
The financial services sector has become increasingly reliant on third-party providers for technology and infrastructure services. As a result, the risks these third parties pose to the operational resilience of the UK financial sector have grown. Because many firms depend on the same external provider for critical services, a disruption or failure at a single provider could send shockwaves through the financial systems on which we all depend.
The regulators have acted to address this concern, creating a regime that ensures these key providers adopt stronger risk management and operational resilience standards.
The Policy Statement sets out clear expectations for how designated critical third parties (CTPs) should manage their systemic services. It also formalises the regulators’ powers to oversee and enforce these rules.
It’s important to note that while CTPs will face direct requirements, financial firms remain responsible for managing their outsourcing and third-party risks. As regulators begin the process of designating providers, firms should stay informed and be ready to adapt their oversight processes.
Key Features of the New Regime
Let’s take a closer look at the core components of this new framework and what they mean for critical third parties and firms.
Designation of Critical Third Parties
Under the new regime, HM Treasury will be responsible for designating critical third parties whose services are essential to the stability of the financial system.
This designation process will be based on recommendations from regulators, who will assess the systemic importance of potential CTPs. Only those providers whose failure could cause significant disruption to financial services or consumer confidence will be subject to the rules.
Fundamental Rules for CTPs
The regulators have introduced a set of high-level Fundamental Rules that act as overarching principles for critical third parties.
These rules require CTPs to take a proactive approach to operational risk management and resilience. The rules apply specifically to the systemic services provided by CTPs to firms and are designed to ensure these services remain robust even during severe disruptions.
Operational Risk and Resilience Requirements
In addition to the Fundamental Rules, the regime sets out detailed operational risk and resilience requirements. These focus on areas such as supply chain management, technology and cyber resilience, change management, and incident response.
By addressing these specific risks, the regulators aim to ensure that critical third parties can maintain their services even in challenging conditions. CTPs will also need to conduct scenario testing to evaluate their ability to recover from severe but plausible disruptions. Some of these tests will require close collaboration with firms and financial market infrastructures (FMIs) that rely on their services.
Self-Assessments and Reporting Obligations
The new regime introduces regular reporting requirements for CTPs.
Designated providers must submit an initial self-assessment to regulators, outlining how they meet the resilience and risk management standards. This will be followed by annual updates to ensure continued compliance.
Incident Notification
CTPs will also need to notify regulators, as well as the firms they serve, of any incidents that affect the availability or quality of their systemic services. Clear communication between CTPs, firms, and regulators is essential for minimising harm and maintaining confidence during periods of instability.
Regulatory Oversight and Enforcement
The FCA, PRA, and Bank of England will jointly oversee compliance with the regime. Regulators will have the authority to request data, direct remedial actions, and take enforcement measures if a CTP fails to meet the required standards.
Final Thoughts
The introduction of the new oversight regime for critical third parties is an important milestone for the resilience of the UK financial system.
For firms, this is a reminder that while the focus is on CTPs, the responsibility for managing outsourcing risks remains firmly with them. Now is the time to review existing third-party relationships, ensure operational resilience frameworks are robust, and prepare to work closely with critical service providers as the new regime takes effect.
If your firm needs support in managing third-party risks or understanding the implications of the new rules, API Compliance Ltd. is here to help. Contact us using the form below to speak with a consultant.