The UK financial regulators, the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA) and the Bank of England (BoE), have published new rules on the oversight of critical third parties (CTPs) – suppliers that provide vital services to UK-regulated financial entities and are heavily relied upon across the financial system. These rules, referred to as the “CTP Oversight Regime”, were published on 12 November 2024. They will bring CTPs directly within the supervisory powers of the financial regulators with the aim of improving the resilience of the UK financial sector.
The regime will enter into force on 1 January 2025 but the Treasury must designate suppliers as CTPs before obligations can apply. A supplier could be designated if it provides services from anywhere in the world to UK-regulated financial entities. The regime will impose obligations on designated CTPs, which we summarise below, but will not impose any additional requirements on financial entities.
The CTP Oversight Regime is the latest addition to the UK’s operational resilience framework. Operational resilience is a growing area of focus for financial services regulators. Operational resilience refers to the ability of firms and the financial sector as a whole to prevent, adapt to, respond to, recover from, and learn from operational disruptions. Under the CTP Oversight Regime, “firms” comprise various regulated entities under the UK financial services regulations. Firms are already subject to operational resilience rules published by the Financial Conduct Authority (“FCA”), the Prudential Regulation Authority (the “PRA”) and the Bank of England (the “BoE”) in March 2021 (the “March 2021 Regulations”), under which firms are expected to have completed key activities by 31 March 2025. High-profile IT outages this year will only have increased the level of concern and heightened the level of scrutiny by regulators – the FCA recently published its observations on firms’ responses to the global IT incident in July 2024, which we analysed here.
Under the CTP Oversight Regime, certain third-party suppliers to firms will become subject to direct supervision of the financial regulators. Only the most important suppliers to the financial services sector, referred to as critical third parties (“CTPs”) will be affected by the new rules. The CTP Oversight Regime is distinct from the operational resilience rules in the March 2021 Regulations, which impose direct obligations only on firms. The UK has followed a broadly similar trajectory to the EU, where the new Digital Operational Resilience Act (“DORA”) imposes operational resilience regulations on certain “critical ICT third party service providers” - for an overview of DORA, see here. It is notable, however, that unlike DORA the UK CTP Oversight Regime covers any critical third parties and not just those providing ICT services. The CTP Oversight Regime is also unlike DORA in that it does not mandate particular contractual conditions in the contracts between suppliers and firms.
The CTP Oversight Regime is comprised of the documents set out below, which were published on 12 November 2024:
Supervisory Statement SS6/24 issued jointly by the PRA, FCA and BoE, which is “the main source of guidance for a CTP on how to interpret and comply with CTP duties”.
Policy Statement PS16/24 issued jointly by the PRA, FCA and BoE which provides responses to feedback on consultation paper (CP) 26/23 – Operational resilience: Critical third parties to the UK financial sector.
A document issued jointly by the PRA, FCA and BoE setting out their Approach to CTP Oversight (see page 3 of that document for an overview of the ways in which the regulators’ oversight powers will be used).
Supervisory Statement SS7/24 on Reports by skilled persons: Critical third parties (see Overview of obligations on CTPs: Self-assessments, Scenario-testing, Incident Management Playbook Exercises, and other assurance below).
Policy statement issued by the BoE setting out its approach to enforcement in respect of CTPs (the FCA Handbook: Critical third parties (Statement of Policy) contains what SS6/24 describes as an “equivalent and substantively identical approach to enforcement”).
Updated rules in the Bank of England FMI Rulebook, the PRA Rulebook and the FCA handbook.
The CTP Oversight Regime will come into force from 1 January 2025.
Key aspects of the CTP Oversight Regime are as follows:
The Treasury may designate a supplier as a CTP. Under FSMA the Treasury can designate a supplier as a CTP if it is satisfied that “a failure in, or disruption to, the provision of [its] services … could threaten the stability of, or confidence in, the UK financial system”. The Treasury’s guidance on its approach to CTP designation published in March 2024 stated that “HM Treasury expects that CTPs will represent only a small number of the overall number of third parties to the financial services sector”. The Consultation Paper on the CTP Oversight Regime, published in December 2023, contained an estimated population of 20 CTPs.
The regime’s obligations will apply primarily to CTPs’ “systemic third party services”. SS6/24 defines a “systemic third party service” as “a service (wherever carried out) provided by a CTP to one or more firms, a failure in, or disruption to, the provision of which (either individually or, where more than one service is provided, taken together) could threaten the stability of, or confidence in, the UK financial system.”
The regime could cover suppliers anywhere in the world. SS6/24 clarifies that a supplier could be in-scope of the regime if it provides a “systemic third party service” to one or more firms “irrespective of the jurisdiction(s) from which it is provided”.
Firms are not in scope of the CTP Oversight Regime – they have separate obligations under the March 2021 Regulations. SS6/24 confirms that “[t]he CTP oversight regime does not impose additional requirements on firms”. However, it also notes that the regime “may, in practice, require amendments to [CTPs’] contractual arrangements with firms”. This is an indirect impact for firms to consider.
The obligations on CTPs break down as follows from most high-level to most detailed:
Overall objective: This is the overarching principle CTPs are to ingrain in their “culture and processes”. The overall objective is: “to manage risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the services (either individually or, where more than one service is provided, taken together) that a CTP provides to ‘firms’”.
Fundamental Rules 1-6: These are “high level rules that collectively act as an expression of the overall objective”. These Fundamental Rules state that a CTP must:
1: “conduct its business with integrity”;
2: “conduct its business with due skill and care”;
3: “act in a prudent manner”;
4: “have effective risk strategies and risk management systems”;
5: “organise and control its affairs responsibly and effectively”; and
6: “deal with each regulator in an open and cooperative way …”.
Rules 1-5 apply only to systemic third party services. Rule 6 applies to all services provided by a CTP and is wider to ensure regulators receive all the information they may need to assess both current and future risks.
Detailed rules, comprising three major categories:
Operational Risk and Resilience Requirements (covered in section 6 of SS6/24): These comprise rules on:
(1) governance;
(2) risk management;
(3) dependency and supply chain management, including “Key Nth party providers” i.e. key subcontractors (SS6/24 indicates that contracts with Key Nth party providers may need amending);
(4) technology and cyber resilience;
(5) change management;
(6) mapping i.e. identifying resources used to deliver systemic third party services and the connections between them;
(7) incident management; and
(8) termination of services, including exit assistance.
Self-assessments, Scenario-testing, Incident Management Playbook Exercises, and other assurance (covered in section 7 of SS6/24). This covers CTPs testing their own resilience, documenting lessons learned and sharing the test results with regulators and firms. There are also requirements related to skilled person reports, whereby the PRA and/or the BoE may appoint a skilled person to provide them with a report – or may require a CTP or a person connected with a CTP to provide a skilled person’s report. The PRA or the Bank may also require a CTP to appoint, or may itself appoint, a skilled person to collect or update information.
Incident Reporting and Notifications (covered in section 8 of SS6/24): This includes incident reporting obligations to firms as well as to regulators.
There are other obligations on CTPs. For example, a CTP is not permitted to imply that designation means it has a regulator’s approval (chapter 9 of SS6/24). CTPs must provide an address for service in the UK (chapter 10 of SS6/24) and they must maintain records (chapter 11 of SS6/24).
The CTP Oversight Regime comes into force on 1 January 2025.
However, the Treasury needs to designate CTPs before any obligations can apply. The Treasury specifies a date from which designation takes effect in its designation order (we refer to this below as the “Designation Date”).
From the Designation Date, the regulators’ rules apply except for the following which are subject to “transitional arrangements”:
Initial self-assessment: CTPs must submit this to regulators within three months of the Designation Date.
Initial mapping: CTPs are to do this within twelve months of the Designation Date.
First round of scenario testing: CTPs should do this within twelve months of the Designation Date.
Incident management playbook: CTPs are to maintain and operate this within twelve months of the Designation Date.
Incident management playbook exercise: CTPs must do this no later than twelve months from the Designation Date.
Overlap with DORA is particularly relevant to suppliers who:
may be designated as CTPs under the UK CTP Oversight Regime; and
need to engage with DORA compliance, either as a critical third-party service provider (“CTPSP”) under DORA or as a non-CTPSP supplier to EU financial entities (for more information on CTPSPs, see here).
Suppliers in this category may be able to carry across some of their DORA compliance measures to avoid duplicating costs. However, there is no guarantee DORA compliance will suffice under the UK regime.
SS6/24’s overall position on this is: “[t]he UK oversight regime for CTPs is designed to be interoperable with similar non-UK regimes, such as [DORA] … but only to the extent that such interoperability does not conflict with or undermine the Overall Objective”. This gives no indication that DORA compliance would be sufficient in itself.
However, suppliers should still note there will be areas of overlap – for example:
The UK regime’s requirement on termination of services states that CTPs must ensure they can return “any relevant firm assets … in an easily accessible format”. This overlaps with the DORA requirement on EU financial entities to ensure their contracts with suppliers require suppliers to return data “in an easily accessible format”.
As part of their reporting requirements to UK regulators, CTPs who are also CTPSPs under DORA should share reports they provide to the lead overseer under DORA (the regulator responsible for oversight of the CTPSP).
The regime enters into force on 1 January 2025. The way it will operate in practice will be better understood once the Treasury makes its first CTP designations.
For suppliers, key considerations are:
whether they are likely to be designated as CTPs; and
if so, what actions they would need to take to comply with the obligations on CTPs – including whether amendments are required to contracts with firms and “Key Nth party providers” i.e. key subcontractors.
Although firms are not directly affected, they should be aware that CTPs may require amendments to their contractual arrangements with firms. Firms and CTPs will have to consider these amendments in light of the existing rules on firms concerning contractual arrangements, such as those in SS2/21.
If you require assistance on any of these issues, please get in touch with one of the key contacts.