HM Treasury (HMT) has published a policy statement on the design of an oversight framework for critical third parties, a year after the Financial Policy Committee announced the UK financial regulators were working to address concerns linked to the increasing reliance on non-regulated third parties. The current model, whereby regulated financial services firms are responsible for their outsourcing arrangements, has been strengthened recently with the introduction of further operational resilience rules. However, regulators continue to have concerns over providers operating in concentrated markets. The PRA, Bank of England and FCA have been working in tandem with HMT to design a new oversight framework that would help address concerns with systemic risks to financial stability and resilience as more and more core financial services are outsourced to third parties, such as cloud services providers.

The proposed framework will empower the regulators to oversee third parties that have been designated as ‘critical’ by HMT. How designation works will be outlined in further detail in the upcoming discussion paper from the regulators. Criteria, such as materiality and the number of services provided will be laid out in the primary legislation. Cloud service providers are likely to be a core target, but the criteria could encompass a range of other third parties. The framework will bring a range of firms previously sitting outside of the financial regulators’ remit into the regulatory perimeter.

Designation will, in any case, require consultation with the regulators. They may recommend a certain third party to be designated as critical to HMT – and so could members of the industry with regards to their own third parties. The designation process will require secondary legislation to be passed. Among the measures that could be implemented as part of the regime are minimum resilience standards for critical third parties, combined with resilience testing. Regulators will be able to use supervisory and enforcement powers, from commissioning skilled persons review to requesting information and production of documents. They will also be able to direct critical third parties to refrain from specific actions, publicise failings or breaches, and, if required, suspend their services.

International collaboration is a core part of the UK’s approach to critical third parties. Testing with overseas regulators for example is something they are keen on exploring, given the global nature of some of the third parties that could be expected to be designated - in particular cloud services providers.

In terms of next steps, the primary legislation enabling this new framework will be set out in the Financial Services and Markets Bill, expected shortly this summer. The regulators’ discussion paper will be published around the same time the Bill is introduced. A consultation on detailed proposed rules will follow after Royal Assent is given. At this stage, this could take beyond 9 months after the introduction of the Bill – sometime around this time next year. HMT will start designating critical third parties after the rules are finalised.

If you have any questions, please contact James Delaney ([email protected]).