HM Treasury (HMT) has unveiled plans to introduce a new framework that would provide the UK financial regulators - the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) - with powers of direct oversight over tech firms that provide critical services to the finance sector. The proposal responds to concerns about financial institutions’ ‘increasing reliance on a small number of cloud service providers and other critical third parties’ and the possibility that the failure or disruption of one of those third parties could threaten the stability of, or confidence in, the UK financial system.
As it stands, regulated financial services firms are accountable for their own operational resilience and are also subject to specific requirements on third party risk management and outsourcing. The FCA also has specific guidance in place for firms outsourcing to the ‘cloud’ and other third party IT services, which has applied since 2016. But ‘no single firm can manage risks originating from a concentration in the provision of critical services by one third party to multiple firms’ - and so the proposed new regime will fill that gap by enabling the regulators to ensure that those services are resilient, thereby reducing the risk of systemic disruption.
HMT will ‘designate’ third parties as ‘critical’ in consultation with the PRA and the FCA. Designation might be based on a recommendation from the regulators or representations by potential critical third parties or financial sector firms. High-level criteria such as the number and type of services a third party provides to firms and the materiality of these services will also be taken into account. The designation framework itself will be set out in primary legislation.
(There are parallels to be drawn with the EU’s proposed Regulation on digital operational resilience for the financial sector (DORA) (provisional agreement for which was reached on 11 May 2022) which, similarly to the UK proposal, will make critical third parties providing ICT-related services to financial entities subject to a new EU oversight framework.)
The PRA and FCA will be given rule-making powers to set minimum resilience standards in respect of material services provided by third parties so designated. They will be able to require designated critical third parties to take part in a range of targeted forms of resilience testing, to assess whether the standards are being complied with, and to exercise various information gathering and enforcement powers, to be set out in primary legislation.
The government intends to legislate for this new regime ‘when parliamentary time allows’. The PRA and the FCA will publish a joint discussion paper shortly after the new legislation is introduced, setting out how they might use their new powers.
We can expect these developments to inform the evolving cross-sectoral and international initiatives addressing the operational resilience of big tech firms.