HM Treasury to publish a critical third party regime
Following a new package published by regulators last year on operational resilience and outsourcing, HM Treasury published its proposal for mitigating risks from critical third parties to the finance sector.
The regulators’ approach to resilience
The Prudential Regulation Authority (PRA) issued outsourcing requirements which relate to operational resilience, cloud, data, data locations, data security, data classification and business continuity, together with a range of other matters relevant to technology providers. The Supervisory Statements SS1/21, pertaining to operational resilience, and SS2/21, pertaining to outsourcing and third-party management, have set the tone for what the regulators expect from financial services firms and for the expected increased scrutiny.
From identifying the important business services that, if disrupted, could cause intolerable harm to consumers to testing their ability to remain within their impact tolerances, financial services firms have been required to complete a significant number of tasks on all aspects of operational resilience by 31 March 2025.
Whilst regulators have adopted a principles-based approach, financial services firms are facing several operational challenges. Firms have had to change their operating models during the pandemic, with hybrid working and ambitious digital transformation programmes, and further requirements on resilience and third-party management add to the task facing the financial services sector.
In this process firms have outsourced a lot more services and automated many manual processes. Companies have to reconsider their operating models and supply chains as regulators will require more accountability from financial services firms.
This could prove difficult, as many services are not run on the premises of financial services institutions. It also means a reconsideration of many contracts with IT providers. In this new digital world, the expectation from regulators could alter some existing developments and operating models, if firms must perform and maintain their due diligence of their suppliers and perform risk and materiality assessments in relation to the provision of core services.
Beyond operational resilience there is now a much stronger requirement for enterprise-wide supply chain management capabilities that map and manage third party risks to core business processes.
Whilst regulators have established a dialogue with industry, these new regulatory developments are impacting firms’ IT deployments and risk management, as they use innovative technologies to compete in a more competitive market.
Critical third parties brought in within the regulatory perimeter
Following on from these developments, earlier this month HM Treasury published a policy statement announcing that it will designate certain third parties which provide services to financial services firms as ‘critical’. The financial regulators will then be able to make rules, gather information, and take enforcement action, in respect of certain services that critical third parties provide to firms of particular relevance to the regulators’ objectives.
HM Treasury considers that whilst financial regulators’ current powers allow them to set requirements and expectations on financial services firms, these powers are not, by themselves, sufficient to tackle the systemic risk that disruption at a third party providing key services to multiple firms could cause. In particular, HM Treasury highlights the risk stemming from concentration and the information and power asymmetries between firms and some services providers, which may prevent firms from obtaining adequate assurances that their contractual arrangements achieve an appropriate level of operational resilience.
HM Treasury therefore considers that there is a ‘gap’ in the current regulatory framework, whereby the individual responsibilities of financial services firms are not deemed enough to achieve operational resilience and guarantee systemic financial stability.
Under the proposed regime the financial regulators will be granted powers to assess whether the resilience standards are being met. These will include powers for the financial regulators to:
- request information directly from critical third parties on the resilience of their material services to firms, or their compliance with applicable requirements;
- commission an independent ‘skilled person’ to report on certain aspects of a critical third party’s services;
- appoint an investigator to look into potential breaches of requirements under the legislation;
- interview a representative of a critical third party and require the production of documents;
- enter a critical third party’s premises under warrant as part of an investigation.
The financial regulators will be publishing a joint Discussion Paper, setting out in detail how any powers granted to them in legislation might be exercised, and seeking views from industry on the most effective and proportionate way to do so. This will also explore the role of the financial regulators during designation, including how they might make recommendations to HM Treasury during consultation. The Discussion Paper will also explore potential specific ways for the financial regulators to coordinate the exercise of their powers with overseas financial regulators, and UK authorities and regulators from outside the financial services sector.
Join the Financial Services Programme
Now more than ever, financial services providers embark on new digital transformation journeys to improve processes, resilience, and services. We bring together and connect firms from across the ecosystem to ensure innovation and technology can be fully harnessed and embraced by industry and regulators.