Critical third parties to the finance sector: policy statement
Published 8 June 2022
HM Treasury’s proposal for mitigating risks from critical third parties to the finance sector
Background
1.1 Financial services firms and financial market infrastructure firms (‘firms’) are increasingly relying on third parties outside the finance sector for key functions or services (e.g. cloud-based computing services) through outsourcing and other arrangements. These arrangements can come with many benefits but can also create risks. In particular, if many firms rely on the same third party, the failure or disruption of this ‘critical’ third party could threaten the stability of, or confidence in, the financial system of the United Kingdom.
1.2 The potential for such disruption was highlighted in 2019 when the Treasury Select Committee published a report on Information Technology (IT) failures in the financial services sector. [footnote 1] International bodies, including the International Monetary Fund and the Financial Stability Board, have also noted these potential systemic risks.
1.3 Since then, firms have become increasingly reliant on cloud and other third-party providers. This led the Bank of England’s Financial Policy Committee (FPC) to conclude in 2021 that “the increasing reliance on a small number of cloud service providers and other critical third parties could increase financial stability risks without greater direct regulatory oversight of the resilience of the services they provide”.[footnote 2]
1.4 Following the FPC’s 2021 comments, HM Treasury has been working with the Bank of England, including the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) (‘the financial regulators’) to understand what ‘direct regulatory oversight’ of critical third-party services might involve, and to develop a framework that enables them to manage the risks to financial stability and to their statutory objectives.
1.5 HM Treasury has, with the financial regulators, developed a proposal on mitigating risks from critical third parties to the finance sector. A range of industry stakeholders has been engaged on this proposal. Feedback from industry has been positive, and there has been broad recognition that direct oversight of certain key services critical third parties provide to the finance sector could be helpful.
1.6 This policy statement details HM Treasury’s proposal for reducing the risks of systemic disruption to the financial regulators’ objectives, including financial stability and market confidence. Under this proposal, HM Treasury will – in consultation with the financial regulators and other bodies – be able to designate certain third parties which provide services to firms as ‘critical’. The financial regulators will then be able to make rules, gather information, and take enforcement action, in respect of certain services that critical third parties provide to firms of particular relevance to the regulators’ objectives (which the regulators refer to as ‘material’ services).
Objective of the critical third party regime
1.7 If many firms rely on the same third party for material services, the failure or disruption of this ‘critical’ third party could have a systemic impact across the financial sector. Moreover, firms’ dependency on a limited number of critical third parties for key services within the financial services sector has increased in recent years and continues to do so. As of 2020, for example, over 65% of UK firms used the same four cloud providers for cloud infrastructure services.[footnote 3]
1.8 Disruption at third parties and their supply chains also appears to be an increasing risk. The National Cyber Security Centre’s (NCSC) Annual Review 2021 noted that there was a rising number of cyber incidents in 2021, which highlighted the viability, effectiveness and global reach of supply chain operations as a means of compromising comparatively well-defended targets.[footnote 4] This Review warned that “further such operations are almost certain over the next twelve months”. During 2022, the NCSC has also highlighted the heightened risk of cyber threats due to geopolitical issues, and published targeted guidance, including on supply chain risk management.[footnote 5] This guidance reflects the core aim of limiting the UK’s reliance on individual suppliers or technologies which are developed under regimes that do not share our values, which was highlighted in the foreword to the UK Government’s National Cyber Strategy 2022.[footnote 6]
1.9 The financial regulators’ current powers allow them to set requirements and expectations on firms which they have used to develop and implement an operational resilience framework. Firms are required to ensure their contractual arrangements with third parties allow them to comply with this operational resilience framework, which includes requirements on areas such as data security, business continuity and exit planning.[footnote 7]
1.10 However, these powers are not, by themselves, sufficient to tackle the systemic risk that disruption at a third party providing key services to multiple firms could cause. In particular, no single firm can manage risks originating from a concentration in the provision of critical services by one third party to multiple firms – for example, if these services cannot be easily restored or substituted promptly and without undue costs and risks in the event of the third party’s failure or disruption. There may also be significant information and power asymmetries between certain third parties and firms, which may prevent firms from obtaining adequate assurances that their contractual arrangements achieve an appropriate level of operational resilience. Firms are accountable for managing risks to their operational resilience and will remain so under the proposed regime, the purpose of which is to manage potential systemic risks stemming from concentration in the simultaneous provision of material services to multiple firms. The framework will therefore complement but not replace the individual responsibilities of firms.
1.11 The proposed regime will fill this gap in the regulators’ powers, by allowing them to directly oversee services that critical third parties provide to firms. This will enable the regulators to ensure that services critical third parties provide to firms in the finance sector are resilient, thereby reducing the risk of systemic disruption.
1.12 It is important to the government that the finance sector and its supply chain remain competitive and innovative. This is why the proposed regime aims to be flexible and proportionate, ensuring that the UK is able to harness the benefits of outsourcing, whilst combatting the systemic risk it poses.
The critical third party regime
1.13 Under the proposed regime, HM Treasury will – in consultation with the financial regulators and other bodies – be able to designate certain third parties to firms as ‘critical’.
1.14 Before designating a critical third party, HM Treasury will need to consult the financial regulators and other relevant bodies. The financial regulators might proactively recommend the designation of certain third parties as ‘critical’ to HM Treasury, based on their analysis of data and information from firms. HM Treasury will also need to have regard to representations made by potential critical third parties. Finance sector firms could also make representations to HM Treasury in relation to their own third parties.
1.15 Designation will then be made by secondary legislation taking into account high-level criteria such as the number and type of services a third party provides to firms; and the materiality of these services. This designation framework will be set out in primary legislation.
1.16 Once a third party has been designated as ‘critical’, the financial regulators will be able to exercise a range of powers in respect of any material services that the third party provides to the finance sector. In particular, the financial regulators will be able to make rules relating to the provision of these material services, gather relevant information from critical third parties, and take formal action (including enforcement) where needed. The financial regulators will be obliged to coordinate with each other when exercising these powers.
1.17 A rule-making power will allow the financial regulators to set minimum resilience standards that critical third parties will be directly required to meet in respect of any material services that they provide to the UK finance sector. It will also allow the financial regulators to require critical third parties to take part in a range of targeted forms of resilience testing, to assess whether these standards are being complied with.
1.18 The financial regulators will be granted powers to assess whether the resilience standards are being met. These will include powers for the financial regulators to:
- request information directly from critical third parties on the resilience of their material services to firms, or their compliance with applicable requirements;
- commission an independent ‘skilled person’ to report on certain aspects of a critical third party’s services;
- appoint an investigator to look into potential breaches of requirements under the legislation;
- interview a representative of a critical third party and require the production of documents;
- enter a critical third party’s premises under warrant as part of an investigation.[footnote 8]
1.19 The financial regulators will have a suite of statutory powers, including the power to direct critical third parties to take, or to refrain from taking, specific actions; and enforcement powers including a power to publicise failings, and (as a last resort) to prohibit a critical third party from providing future services, or from continuing to provide services, to firms. The financial regulators’ powers in relation to critical third parties will be set out in primary legislation.
1.20 The financial regulators will be publishing a joint Discussion Paper, setting out in detail how any powers granted to them in legislation might be exercised, and seeking views from industry on the most effective and proportionate way to do so. This will also explore the role of the financial regulators during designation, including how they might make recommendations to HM Treasury during consultation. The Discussion Paper will also explore potential specific ways for the financial regulators to coordinate the exercise of their powers with overseas financial regulators, and UK authorities and regulators from outside the financial services sector.
Next steps
1.21 The government intends to legislate for this regime when parliamentary time allows.
1.22 The financial regulators’ joint Discussion Paper will be published shortly after such legislation is introduced. Following Royal Assent, the financial regulators anticipate publishing a further Consultation Paper on their proposed rules, building on feedback to their Discussion Paper and based on their proposed, new statutory powers.
1.23 Following the finalisation of the regulators’ rules, HM Treasury will then expect to begin designating the first critical third parties under this new regime.
Footnotes
1. https://publications.parliament.uk/pa/cm201919/cmselect/cmtreasy/224/224.pdf (PDF, 844KB)
2. https://www.bankofengland.co.uk/financial-policy-summary-and-record/2021/july-2021
3. https://www.bankofengland.co.uk/bank-overground/2020/how-reliant-are-banks-and-insurers-on-cloud-outsourcing
4. https://www.ncsc.gov.uk/collection/ncsc-annual-review-2021
5. https://www.ncsc.gov.uk/blog-post/use-of-russian-technology-products-services-following-invasion-ukraine
6. https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022
7. https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss
8. The financial regulators already have the power to commission a ‘skilled persons review’ in respect of firms, and the power to appoint an investigator, with all the powers that attach to that person, in respect of firms; but not the other powers referenced. For more information, see: https://www.bankofengland.co.uk/prudential-regulation/supervision and https://www.fca.org.uk/publication/corporate/our-approach-supervision-final-report-feedback-statement.pdf