On the critical list

HM Treasury’s (HMT) policy statement on critical third parties (CTPs) to the finance sector e.g. cloud services providers, contains proposals to mitigate the risk that a key third party could pose to UK financial stability. The proposal is felt necessary due to the limited number of key third party providers for certain services and the subsequent concentration of risk where several financial services entities use the same provider. As an example, HMT notes that in 2020 over 65% of UK firms used the same four cloud providers for cloud infrastructure services.

Under the current operational resilience framework, regulated firms are required to ensure their contractual arrangements with third parties allow the firm to comply with the operational resilience framework (with requirements on areas such as data security, business continuity and exit planning). However, a single firm cannot manage the risk concentration at the level of the third party service provider from the provision of services to multiple regulated entities.

The proposal is for primary legislation to set out the framework for a regime for CTPs including how a party may be designated as critical. Under this framework it is proposed to give financial regulators a suite of statutory powers. HMT (after consulting with the financial regulators and other relevant bodies plus hearing any representations from the third party) will be able to designate such a third party entity as “critical” using secondary legislation.

Being designated as a CTP will permit the UK financial regulators to be able to exercise a range of powers in respect of any material services that the CTP provides to the finance sector. The financial regulators will be obliged to coordinate with each other when exercising these powers. It is proposed that the regulators will be able to:

  • make rules relating to the provision of the material services;
  • direct CTPs from taking or refraining from taking specific actions;
  • set minimum resilience standards that CTPs will be required to meet in respect of any material services provided to UK regulated entities;
  • gather relevant information, commission a skilled person’s report, appoint an investigator to investigate potential breaches, interview representatives of CTPs and enter the CTP’s premises under warrant as part of an investigation;
  • require CTPs to take part in resilience testing to assess whether the resilience standards are being complied with;
  • take formal action (including enforcement) together with a power to publicise failings; and
  • prohibit a CTP from providing future services or continuing to provide services to firms.

Therefore, designation of a third party as critical will enable the UK financial services regulators to have very wide-reaching powers over non-regulated entities, creating a quasi-regulatory relationship with respect to these unregulated entities.

A joint discussion paper from the financial regulators is to be published once the primary legislation is in place setting out how the regulators will use such powers. With respect to overseas entities, it is noted that the discussion paper will explore potential specific ways for the financial regulators to coordinate the exercise of their powers with overseas financial regulators.

However, the timing of the new regime remains unclear, with the primary legislation being proposed “when time allows”.