HM Treasury recently published a policy statement outlining its intention to regulate certain third party providers to the financial services sector. The policy statement notes that financial services firms and financial market infrastructure firms are increasingly outsourcing to third parties outside the finance sector in respect of key functions and services (such as cloud-based computing services). Although it states that there are benefits to outsourcing of this nature, risks can also arise – especially where many firms rely on the same third party provider (i.e. concentration risk).
Firms’ dependency on a limited number of critical third parties for key services within the financial services sector has increased in recent years and continues to do so. As of 2020, over 65% of UK firms used the same four cloud providers for cloud infrastructure services.
As a result of this increased reliance, Treasury has been working alongside the financial regulators to understand what ‘direct regulatory oversight’ of critical third-party services might involve, and to develop a framework that allows them to manage the risks such outsourcing presents to financial stability.
Under the proposals, Treasury, in consultation with the financial regulators, intends to designate certain third parties that provide services to firms as ‘critical’. Regulators will then be able to make rules, gather information and take enforcement action in respect of those services that a critical third party provides to financial services firms which are of particular relevance to the regulators’ objectives (“material services”).
Regulators will be able to set minimum resilience standards that critical third parties will be directly required to meet in respect of any material services that they provide to the UK finance sector. Regulators can also require critical third parties to take part in a range of targeted forms of resilience testing, to assess whether these standards are being complied with. Additional powers include imposing information and reporting obligations on critical third parties and the ability to appoint an investigator to look into potential breaches of the requirements.
These new powers build on regulators’ existing operational resilience framework, where firms are required to ensure their contractual arrangements with third parties allow them to comply with their own operational resilience requirements (including in respect of data security, business continuity and exit planning).
These new powers aim to tackle the risk that a critical third party’s failure or disruption leaves firms with services that cannot easily be restored, or promptly substituted, without undue cost and risk. The policy statement also recognises that there may be significant information and power asymmetries between certain third parties and firms, which may prevent firms from obtaining adequate assurance that their contractual arrangements achieve an appropriate level of operational resilience. Under the new regime, however, firms remain responsible for their own operational resilience compliance; designation of a third party does not transfer that responsibility.
In terms of designating critical third parties, Treasury will consult with financial regulators and other relevant bodies. Financial regulators might proactively recommend the designation of certain third parties as ‘critical’, based on their own analysis. Treasury also notes that it will need to have regard to representations made by potential critical third parties.
Designation will then be made by way of secondary legislation, taking into account high-level criteria such as the number and type of services a third party provides to firms and the materiality of those services. The designation framework itself will be set out in primary legislation.
The Government will legislate for this new regime when parliamentary time allows. Regulators will then publish a joint Discussion Paper, setting out in detail how any powers granted to them in legislation might be exercised, and seeking views from industry on the most effective and proportionate way to do so, followed by a further Consultation Paper on their proposed rules. Following the finalisation of the regulators’ rules, Treasury will begin designating the first critical third parties under the new regime.
“… the increasing reliance on a small number of cloud service providers and other critical third parties could increase financial stability risks without greater direct regulatory oversight of the resilience of the services they provide.” – Bank of England’s Financial Policy Committee