Mirroring earlier proposals by the European Commission, in a move anticipated by the industry, HM Treasury has confirmed that it will implement a regime whereby third-party firms designated as “critical” will be subject to direct regulatory oversight by the financial regulators. The Treasury published a policy statement on 8 June 2022, setting out its framework for mitigating the risks caused by financial services firms outsourcing important functions to third-party service providers.
The forthcoming regime seeks to plug the systemic risk gaps left open by the UK’s current operational resilience framework when a third party provides critical functions to multiple firms in the financial services sector. Under the existing requirements, firms must ensure that their contractual arrangements with third parties allow them to comply with the regulators’ operational resilience framework; but these requirements do not extend to the third party firms themselves. If several firms rely on the same third party for material services, the failure or disruption of this third party could have a systemic impact across the financial sector.
The CTP framework
The framework, to be set out in primary legislation, will enable the Treasury, along with the Bank of England, FCA and PRA (the financial regulators), to directly oversee third-party service providers. Under the regime, the Treasury will consult with the financial regulators before designating certain third parties which provide services to firms as “critical” (CTPs); it will also be possible for the financial regulators to proactively recommend CTP designation. The Treasury will also need to have regard to representations made by potential CTPs as well as financial services firms. CTP designation is expected to take into account factors such as the number and type of services a third party provides to firms and the materiality of these services and will be formalised in secondary legislation.
Once a third party is designated as a CTP, the financial regulators will be empowered to make rules, gather information, and take enforcement action in respect of material services that CTPs provide to firms. These powers will include the ability to set minimum resilience standards that CTPs will be directly required to meet in respect of any material services that they provide to the UK finance sector, together with additional information-gathering and investigatory powers to assess whether resilience standards were being met, the power to direct CTPs from taking (or refraining from taking) specific actions, and enforcement powers to remedy breaches.
Comparison to DORA
The Treasury’s CTP framework is similar to the oversight regime for critical ICT third-party service providers set out by the EU Commission in its proposed Regulation on digital operational resilience for the financial sector (DORA), although the two regimes take different approaches. Under DORA, the European Supervisory Authorities (ESAs) will designate the ICT third-party service providers that are critical for financial entities, which will then become subject to oversight in relation to their resilience from the EBA, ESMA or EIOPA as lead overseers.
The approach to designation set out in DORA is much more granular and harmonised than that to be expected under the Treasury’s CTP framework. At a high level, DORA requires the ESAs to consider designation criteria, including the systemic impact of the services, the systemic importance of the financial institutions relying on the services, critical or important functions provided, substitutability and number of member states involved – and the Commission is further empowered to adopt delegated acts supplementing these criteria. By contrast, the approach adopted by the Treasury is much more discretionary, in keeping with its general post-Brexit approach to financial services regulatory reform.
After designation, the lead overseer must assess whether the critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which the provider may pose to financial entities and adopt an individual oversight plan for the provider based on this assessment. The lead overseer is also granted similar information-gathering and investigation powers as those granted to the UK financial regulators under the Treasury’s CTP framework, as well as the powers to issue recommendations and impose financial penalties. However, whether DORA and the Treasury’s CTP framework will significantly diverge in practice remains to be seen, with much of the detail forthcoming in technical regulatory standards from the ESAs and in detailed rule proposals from the UK financial regulators.
HM Treasury has indicated that primary legislation to implement the proposal will be introduced “when parliamentary time allows”. After this legislation is introduced, the financial regulators will issue a joint discussion paper setting out how they intend to use the powers that they have been granted. Following Royal Assent and feedback from the discussion paper, the regulators will publish a consultation paper setting out the proposed rules. Once the regulatory rules are finalised, the Treasury will begin designating CTPs. It will be interesting to see whether efforts will be made to finalise the CTP framework legislation sooner rather than later, given that provisional political agreement on DORA was reached in May 2022 and adoption is expected to follow shortly.
Although the introduction of the new framework will place significant new regulatory burdens on designated CTPs, the population of affected third-party service providers is expected to remain small, at least in the short term, as the market for these services tends to be highly concentrated. In particular, analysis from the Bank of England highlighted that, as of 2020, over 65% of UK firms used the same four cloud providers for cloud infrastructure services.
Third-party service providers should keep a watching brief as legislation is introduced and more information becomes available about the criteria to be used for designation to assess whether they could be caught by the new framework. Although financial institutions will not be directly affected by the new CTP framework, they will remain accountable for managing risks to their operational resilience and should begin to consider how the CTP framework should be integrated into their own operational resilience policies and processes (for example, whether contractual terms might need to be modified).