Search for:

In brief

Mirroring earlier proposals by the European Commission, in a move anticipated by the industry, HM Treasury has confirmed that it will implement a regime whereby third-party firms designated as “critical” will be subject to direct regulatory oversight by the financial regulators. The Treasury published a policy statement on 8 June 2022, setting out its framework for mitigating the risks caused by financial services firms outsourcing important functions to third-party service providers. 


Contents

  1. The CTP framework
  2. Comparison to DORA
  3. Next steps

The forthcoming regime seeks to plug the systemic risk gaps left open by the UK’s current operational resilience framework when a third party provides critical functions to multiple firms in the financial services sector. Under the existing requirements, firms must ensure that their contractual arrangements with third parties allow them to comply with the regulators’ operational resilience framework; but these requirements do not extend to the third party firms themselves. If several firms rely on the same third party for material services, the failure or disruption of this third party could have a systemic impact across the financial sector.

The CTP framework

The framework, to be set out in primary legislation, will enable the Treasury, along with the Bank of England, FCA and PRA (the financial regulators), to directly oversee third-party service providers. Under the regime, the Treasury will consult with the financial regulators before designating certain third parties which provide services to firms as “critical” (CTPs); it will also be possible for the financial regulators to proactively recommend CTP designation. The Treasury will also need to have regard to representations made by potential CTPs as well as financial services firms. CTP designation is expected to take into account factors such as the number and type of services a third party provides to firms and the materiality of these services and will be formalised in secondary legislation.

Once a third party is designated as a CTP, the financial regulators will be empowered to make rules, gather information, and take enforcement action in respect of material services that CTPs provide to firms. These powers will include the ability to set minimum resilience standards that CTPs will be directly required to meet in respect of any material services that they provide to the UK finance sector, together with additional information-gathering and investigatory powers to assess whether resilience standards were being met, the power to direct CTPs from taking (or refraining from taking) specific actions, and enforcement powers to remedy breaches.

Comparison to DORA

The Treasury’s CTP framework is similar to the oversight regime for critical ICT third-party service providers set out by the EU Commission in its proposed Regulation on digital operational resilience for the financial sector (DORA), although the two regimes take different approaches. Under DORA, the European Supervisory Authorities (ESAs) will designate the ICT third-party service providers that are critical for financial entities, which will then become subject to oversight in relation to their resilience from the EBA, ESMA or EIOPA as lead overseers.

The approach to designation set out in DORA is much more granular and harmonised than that to be expected under the Treasury’s CTP framework. At a high level, DORA requires the ESAs to consider designation criteria, including the systemic impact of the services, the systemic importance of the financial institutions relying on the services, critical or important functions provided, substitutability and number of member states involved – and the Commission is further empowered to adopt delegated acts supplementing these criteria. By contrast, the approach adopted by the Treasury is much more discretionary, in keeping with its general post-Brexit approach to financial services regulatory reform.

After designation, the lead overseer must assess whether the critical ICT third-party service provider has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risks which the provider may pose to financial entities and adopt an individual oversight plan for the provider based on this assessment. The lead overseer is also granted similar information-gathering and investigation powers as those granted to the UK financial regulators under the Treasury’s CTP framework, as well as the powers to issue recommendations and impose financial penalties. However, whether DORA and the Treasury’s CTP framework will significantly diverge in practice remains to be seen, with much of the detail forthcoming in technical regulatory standards from the ESAs and in detailed rule proposals from the UK financial regulators.

Next steps

HM Treasury has indicated that primary legislation to implement the proposal will be introduced “when parliamentary time allows”. After this legislation is introduced, the financial regulators will issue a joint discussion paper setting out how they intend to use the powers that they have been granted. Following Royal Assent and feedback from the discussion paper, the regulators will publish a consultation paper setting out the proposed rules. Once the regulatory rules are finalised, the Treasury will begin designating CTPs. It will be interesting to see whether efforts will be made to finalise the CTP framework legislation sooner rather than later, given that provisional political agreement on DORA was reached in May 2022 and adoption is expected to follow shortly.

Although the introduction of the new framework will place significant new regulatory burdens on designated CTPs, the population of affected third-party service providers is expected to remain small, at least in the short term, as the market for these services tends to be highly concentrated. In particular, analysis from the Bank of England highlighted that, as of 2020, over 65% of UK firms used the same four cloud providers for cloud infrastructure services.

Third-party service providers should keep a watching brief as legislation is introduced and more information becomes available about the criteria to be used for designation to assess whether they could be caught by the new framework. Although financial institutions will not be directly affected by the new CTP framework, they will remain accountable for managing risks to their operational resilience and should begin to consider how the CTP framework should be integrated into their own operational resilience policies and processes (for example, whether contractual terms might need to be modified).

Author

Mark heads the Financial Services & Regulatory (FSR) practice group in London and co-leads the FinTech group. He also acts as Chair of the FSR practice for the EMEA region and sits on the Global FSR Steering Committee. Mark is ranked as a Leading Individual in Legal 500 2022 for Financial Services (Non-Contentious Regulatory) and is individually ranked in Chambers 2022 for FinTech. He is described in these publications as being "very knowledgeable" and "very approachable" with "a wonderful range of FinTech experience" and as someone who is "clear, commercial and pragmatic and understands all the issues in detail." He has authored a number of articles and contributions for leading journals and other publications, most notably the Journal of International Banking and Financial Law, the International Guide to Money Laundering Law and Practice, and A Practitioner's Guide to the Law and Regulation of Financial Crime.

Author

Sue is a partner in Baker McKenzie's IP, Data and Technology team based in London. Sue specialises in major technology deals including cloud, outsourcing, digital transformation and development and licensing. She also advises on a range of legal and regulatory issues relating to the development and roll-out of new technologies including AI, blockchain/DLT, metaverse and crypto-assets. Her IP and commercial experience includes drafting, advising on and negotiating a wide range of intellectual property and commercial agreements including IP licences and assignment agreements, long-term supply and distribution agreements. She also assists clients in preparing terms of business and related documentation for new business processes and offerings and coordinating global roll-outs. Sue is also a key member of our transactional practice, providing strategic support on the commercial, technology and intellectual property aspects of M&A transactions and joint ventures, including advising on transitional services agreements and other key ancillary IP and commercial agreements. Sue is ranked as a leading lawyer in Chambers for Information Technology & Outsourcing and Fintech Legal and in Legal500 for Commercial Contracts, IT & Telecoms, TMT and Fintech. Clients say of Sue "Sue is outstanding", "She is a really good and very committed lawyer", "Excellent…. Very capable, wouldn’t hesitate to use on IT/TMT/Outsourcing matters." Sue was named in the Standout 35 of the Women in FinTech Powerlist 2020.

Author

Kimberly Everitt is Baker McKenzie's knowledge lawyer for Financial Services Regulation & Enforcement, covering the EMEA region, and brings over a decade of experience to the team in both knowledge and fee-earning roles. Prior to joining Baker McKenzie, Kim held roles specializing in contentious financial services regulation knowledge, and her fee-earning roles covered non-contentious regulation in the private equity and general financial services sectors.

Author

Lorraine Dindi is a Trainee in Baker McKenzie, London office.

Write A Comment