The Bank of England, Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA) – the key UK financial markets supervisors – have set out proposals for ensuring the resilience of critical third parties (CTPs) to the British financial industry, following four years of discussion papers and consultation.
Their proposals are contained in the government’s Financial Services and Markets Bill, which was put before the UK Parliament on the 20th of July. They appear to follow the lead set by the European Union’s draft Digital Operational Resilience Act, in which supervisors are setting out to develop powers to limit the systemic risk posed by third parties through a series of frameworks and standards, alongside formal powers for enforcement.
Discussing the Bill and its related PRA discussion paper, Sam Woods, Deputy Governor of Prudential Regulation and the CEO of the PRA, said: “It is vital that the firms we regulate can rely on services provided to them by third parties, particularly where those third parties have become critical parts of the system. Today’s paper sets out our thinking on how we can ensure the right levels of resilience for those services.”
The proposed new powers include:
A framework for identifying CTPs to the government Treasury. Essentially, CTPs will be defined by the likelihood that their failure, or the disruption of their services to financial firms, could threaten the stability of the greater UK financial system.
Minimum standards for resilience of services to the financial industry, with information gathered directly from the CTPs in the form of self-assessments alongside organised exercises and tests.
A framework for testing the resilience of the services provided by CTPs through scenario testing, participation in sector-wide exercises (the Quantum Dawn series organised by financial trade association SIFMA and last run in November 2021, for example), cyber resilience testing, and “skilled persons reviews” of CTPs.
Jon Cunliffe, Deputy Governor for Financial Stability at the Bank of England, said: “Financial market infrastructure firms are becoming increasingly dependent on third-party technology providers for services that could impact the financial stability of the UK if they were to fail or experience disruption. The potential measures examined in this [discussion paper] provide an initial, but important step … to manage these systemic risks.”
The supervisory authorities note the need to avoid international regulatory fragmentation, and instead outline cross-sectoral and global coordination, making specific reference to the EU’s Digital Operational Resilience Act (DORA), which reached the stage of a provisional agreement in May.
While the UK framework targets the systemic risk from the services rendered by CTPs, the paper states that it does not replace financial services firms’ and financial market infrastructure firms’ responsibilities to manage risks from third parties.
Subject to the outcome of Parliamentary debate on the Financial Services and Markets Bill, and responses to the discussion paper, the supervisory authorities plan to consult on their proposed requirements in 2023.