techUK
Printable version

What’s confirmed for the regulation of Critical Third Party Services in the Financial Services Sector?

The Bank of England (BoE), Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) stand as the collective regulators to oversee the activities of critical third parties, and they issued a policy statement 12 November 2024 confirming the rules set to strengthen their use and that of other technologies within Financial Services. 

You can read the policy statement here. 

Critical third party (CTP) service providers provide technological infrastructure and cloud-based services that Financial Services organisations, such as payment systems, rely on for their data storage and to manage their operations. However, their increasing use comes with risks. As if the CTP experiences a cyber-attack, data breaches, or other serious disruption, it will also expose the FS firms and their customers. This can potentially affect their ability to process functions such as transactions and customer access. 

Under the CTP regime, third parties will become subject to the monitoring and management of the regulators to minimise these risks, increasing the operational resilience of the UK’s FS Sector and ultimately build customer confidence in its stability. In creating the new rules, regulators have worked closely with industry, including techUK, and have aligned their rules closely with international standards such as the EU’s Digital Operational Resilience Act. 

Under the CTP regime, regulators will be allowed to: 

  • Hold rulemaking powers imposing duties over third parties 
  • Direct instructions on a CTP to do or refrain from an action specified in the direction 
  • Investigatory powers- regulators can gather information from a CTP and Persons Connected to a CTP, direct the appointment of a skilled persons. 
  • Take enforcement action against a CTP 

The new rules for CTP are set to take effect January 2025. The HM Treasury will designate which third parties are subject to the regime upon the advice of regulators, but FS firms are able to make their suggestions.  

While this takes affect, techUK will continue to monitor its implementation and continue to engage with regulators so that our members are up to date throughout the process.  

You can catch up on our CTP explainer and event held in March here. 

Financial Services Programme activities

The techUK Financial Services programme connects tech firms, the FS industry, and regulators to ensure innovation and technology can be fully embraced. Through market engagement activities and events, we help to empower decision makers and aid collaboration.

Channel website: http://www.techuk.org/

Original article link: https://www.techuk.org/resource/ps24-16-what-s-confirmed-for-the-regulation-of-critical-third-party-services-in-the-financial-services-sector.html

Share this article

Latest News from
techUK

7-Step Guide Inspired by the UK Management of Risk in Government Framework