Member Article

Those who have been following it will know that the Bank of England / Prudential Regulation Authority’s consultation on proposed new rules for Critical Third Party suppliers (CTPs) closed on 15th March. 

The rules are designed to address concerns over “concentration risk” (in effect, too many FS firms  / institutions having their critical service and IT eggs in too few supplier baskets) and the impact an outage with a CTP could have on  operational resilience across the financial system. In an era where “cloud first” is the mantra of most FS IT departments, the threat of something going seriously wrong at one of the large vendors or hyperscalers is seen as potentially existential. 

The rules represent a bold stretching of the BoE / PRA’s regulatory perimeter. For the first time, non-FS businesses who supply important (enough) services to the industry will come under the direct supervision of the regulators. Obviously there are limits to what is being proposed, and the rules relate mainly to the provision of information by CTPs to the regulator to show that they are resilient and secure. It is a punchy move nonetheless. 

So far, regulated FS businesses have been tasked with making sure that their own operations (including when they are outsourced) are sufficiently resilient. But the buck stops with them – which means that, when dealing with relevant suppliers, they are possibly only as good as the due diligence information, audit rights, and contractual assurances etc which the supplier is willing to give. Cue years of debates in contract negotiations about what is “market” vs what is a “regulatory requirement”!

The new rules at least might provide an overlay to that where, before they can supply to the industry, CTPs at least have to show the regulator that they are stable enough. 

I’m sure that the consultation responses, when they are shared, will show an obvious spectrum of opinion ranging from resistance on the part of suppliers, to support from institutions. For example, exactly how CTPs are identified is a tricky subject  - the proposal being that HM Treasury decides after recommendations.  However, it may be that some vendors can see it as an opportunity to gain approval / endorsement and use the fact that they are compliant as a differentiator.

Based on feedback so far, I would expect to see some interesting questions and themes coming out of the consultation responses including:

• Whether the industry / customers should have a say in which suppliers are designated as CTPs and how often the list should be reviewed – especially given how fast developments in AI and FinTech are moving
• What enforcement action would be taken if a designated CTP did not comply with the requirements? Would the regulators be able to force a supplier out of the UK market, and what about the impact on their existing customers?
• Should individual officers of CTPs have similar responsibilities as senior managers of FS regulated  businesses?
• Whether CTPs should be required to share with their FS customers the supporting evidence of their operational resilience which they have provided to the regulators and to otherwise deal openly with them (subject possibly to redactions).
• Should contract terms be mandated for use between CTPs and firms - possibly in a similar way to the “model clauses” used to aid protection of personal data when it is transferred overseas. 
• How costs will be managed. Whilst compliance may be welcomed, firms may be wary of the potential impact on suppliers’ prices for their relevant services.

We will have to wait and see how those and any other relevant points are addressed by the regulators in response to the consultation.

 

CP26/23 - Operational resilience: Critical third parties to the UK financial sector

 

Link to article