What risks can arise from third party arrangements?
As the regulators acknowledge, outsourcing and other arrangements with third parties can greatly benefit firms and FMIs in the sector, through efficiency gains, reduced costs, scalability, faster innovation, better customer outcomes, and improved operational resilience. However, these arrangements can pose risks to individual firms and FMIs, to the regulators' objectives and even to the wider financial system. For example, depending on its size and connectedness, a cyber-attack on a single service provider or an outage of that provider's own infrastructure could act as a single point of failure, simultaneously impacting multiple firms in the sector, as well as their counterparties and customers or participants. Risk can arise in a number of ways:
- Firms and FMIs may rely on third parties for material services whose failure or disruption could have a systemic impact.
- Services may be concentrated, either via direct contractual arrangements or indirectly through third parties’ supply chains and other forms of interconnectedness.
- Factors such as the ability to recover or substitute a third party’s services following disruption can in turn influence the potential impact that their failure or disruption could have.
How will risks from CTPs be addressed?
Many third-party service providers to the financial sector are outside the financial services regulatory perimeter. As such, the regulators have previously only had limited powers to intervene in their activities. FSMA 2023 introduces new powers enabling the regulators to monitor and manage CTP-related risks and so reduce the risk of systemic disruption to the sector.
Under the new CTP regime, HM Treasury can designate certain third party service providers as CTPs. The regulators have rule-making powers, information-gathering and investigation powers and disciplinary powers over CTPs, as well as power to direct a CTP in writing to do or refrain from doing a certain activity.
Anticipating their forthcoming FSMA 2023 powers, the regulators' initial discussion paper (DP3/22) in 2022 proposed minimum resilience standards and resilience testing requirements for CTPs. Responses to DP3/22 broadly agreed with greater direct regulatory oversight of third parties that are systemically important. However, industry was keen that minimum resilience standards for designated CTPs should align with the industry's existing operational resilience requirements and with international regulatory and supervisory frameworks, and that CTP oversight should not impose new obligations on firms and FMIs themselves. Others stressed that the scope of the regime should be framed suitably widely to cover the full supply chain that underpins provision of relevant services.
The responses to DP3/22 have informed the regulators' joint consultation launched on 7 December 2023 which sets out a comprehensive set of proposals including on:
- Identifying and designating CTPs;
- High level fundamental rules that will apply to all CTP services;
- Eight operational risk and resilience requirements for material services provided by CTPs;
- Expectations of CTPs in relation to information-gathering, testing, self-assessment, information-sharing and notifications; and
- Requirements on CTPs without a UK head office.
The most detailed requirements and expectations will apply only to CTPs' provision of 'material services' to firms and FMIs, defined in the draft rules as:
‘services provided by a CTP to one or more firms a failure in, or disruption to, the provision of which (either individually or, where more than one service is provided, taken together) could threaten the stability of, or confidence in, the UK financial system.’
Which firms are likely to be designated as CTPs?
FSMA 2023 has introduced a new statutory test which a third party provider must meet to be designated as a CTP. The test requires that the failure in or disruption to the relevant third party service provider’s services would pose a risk to the stability of, or confidence in, the UK financial system. A third party may be providing a single service or a collection of several services and failure or disruption may occur in one service or in the collection of services taken together.
To make the CTP designation, HM Treasury must have regard to both: (i) materiality of the services that the third party provides; and (ii) concentration, i.e., the number and type of firms and FMIs to which the third party provides services.
Other factors will also influence the decision to designate, such as substitutability of the relevant services, and whether the third party has direct access to the resources that support delivery of firms' or FMIs' important business services.
In practice, HM Treasury will make CTP designations following a recommendation from the regulators, based on their analysis of relevant data and information; in certain cases the regulators will also exercise judgement.
The regulators propose to use a range of data and information to identify potential CTPs to recommend for designation. Over the past few years, the regulators have undertaken ad-hoc data collections relating to firms’ and FMIs’ outsourcing and third-party (OATP) arrangements and plan to consult in 2024 on a proposed new policy for OATP data collection. They will also consider other information from relevant supervisory engagement, such as cyber resilience and stress testing, and data provided by firms and FMIs under the existing regulatory framework.
Only a limited number of third party providers are expected to meet the statutory test for designation as a CTP. Where a firm is already subject to regulation and supervision by one or more of the regulators, it would be unlikely to be designated as a CTP even if it objectively meets the statutory test. This could include FMIs, group service companies, or firms providing services to other firms outside their group, such as correspondent banking or custody services.
Similarly, third parties in other sectors (e.g. public telecommunications providers, energy suppliers) will be unlikely to be designated as CTPs so long as they are already subject to an appropriate level of regulation, supervision and oversight.
How would the CTP regime apply to non-UK firms?
The proposed CTP framework acknowledges that many CTPs provide global services to clients and customers in a range of jurisdictions. The rules are drafted so as to be agnostic to a CTP's location, so that CTPs will not need to set up a branch or subsidiary in the UK where one does not already exist.
However, where a CTP is headquartered outside the UK, it must nominate a legal person in the UK to perform certain functions, such as receiving statutory notices under FSMA and other documents from the regulators. The nominated legal person should be the CTP's UK subsidiary if it has one. Where it does not, it should nominate a suitable UK-based corporate body, partnership or limited liability partnership (e.g., a law firm).
CTP Fundamental Rules for all services
For all services, whether material or not, CTPs must comply with six high level rules, known as CTP Fundamental Rules. A CTP must:
- Conduct its business with integrity.
- Conduct its business with due skill, care and diligence.
- Act in a prudent manner.
- Have effective risk strategies and risk management systems.
- Organise and control its affairs responsibly and effectively.
- Deal with the regulators in an open and co-operative way and disclose to the regulators appropriately anything relating to the CTP of which they would reasonably expect notice.
Operational risk and resilience requirements for material services
Where CTPs are providing material services they will also need to comply with eight principles-based and outcomes-focused operational risk and resilience requirements. These requirements are not prescriptive and CTPs will have the freedom to consider how they will adapt or enhance their current internal arrangements and processes to meet the objectives.
The regulators have created a draft joint supervisory statement which is intended to be the key source of guidance for CTPs on how to comply with the CTP regime. This includes guidance on the eight operational risk and resilience requirements. In summary, these are:
- Governance – a range of requirements designed to ensure that a CTP's governance promotes the resilience of its material services.
- Risk Management – identify and monitor all relevant external and internal risks to delivery of a CTP's material services (including financial risks), and have in place effective risk management processes updated as necessary to reflect issues such as emerging risks or lessons learned from disruptions or testing.
- Dependency and supply chain risk management – identify and manage any risks to its supply chain that could affect a CTP's ability to deliver material services. Take all reasonable steps to ensure that each person in its supply chain understands the requirements that apply to the CTP and acts to facilitate the CTP in meeting them.
- Technology and cyber resilience – take adequate measures to ensure the resilience of any technology that delivers, maintains or supports a material service.
- Change management – adopt a systematic approach (comprising policies, procedures and controls) to dealing with changes to a material service, including changes to supporting processes or technologies.
- Mapping – identify and document the resources (including assets and technology) used to deliver, support and maintain material services, including the internal and external interconnections and interdependencies between those resources. This mapping exercise is used to identify vulnerabilities and dependencies, which can then be scenario-tested.
- Incident management – put in place response and recovery measures for incidents (including those with a potential cross-border and cross-sectoral impact). This includes establishing, and then maintaining, a Financial Sector Incident Management Playbook setting out the maximum tolerable level of disruption to a material service and appropriate measures to respond to and recover from incidents in a way that minimises the impact.
- Termination of services – have in place appropriate measures to respond to a termination of any of a CTP's material services.
Information-gathering, self-assessment, testing, Skilled Person Review, information sharing, and notification requirements
CTPs will have general evidence and information requirements, requiring them to demonstrate to the regulators their ability to comply with their rules through providing evidence to the regulators on request or annually.
CTPs must submit an annual, written self-assessment to the regulators evidencing compliance with the CTP framework over the past year (and keep a copy for at least three years). In the draft Supervisory Statement, the regulators have highlighted the range of compliance areas to be addressed. Newly designated CTPs should deliver this self-assessment within three months of designation and then annually.
Each CTP must carry out regular scenario testing of its ability to continue providing each of its material services within its maximum tolerable level of disruption in the event of a severe but plausible disruption to its operations. Such testing must be of a level of sophistication consistent with the CTP's systemic significance. CTPs must also test their financial sector incident management playbook annually (or as otherwise directed by the regulators) and share with the regulators a report on the outcome.
Under the new rules, any of the regulators may require a CTP (or any person connected with it) to appoint, or the regulators may appoint, a skilled person to provide the regulators with a report or to collect or update information. The CTP (or connected person) would be required to pay the costs of appointing the skilled person, or the expenses of the regulator where the regulator has made the appointment.
CTPs must develop an appropriate method for sharing with their firm and FMI customers information such as the results of scenario or financial sector incident management playbook testing, or summaries of the annual self-assessment.
Finally, CTPs must notify the regulators and affected customers of certain incidents, and comply with a range of other notification requirements.
What are the consequences of non-compliance?
FSMA 2023 has provided the regulators with a range of disciplinary powers in the event a CTP breaches a requirement. These are:
- Power to publish a public censure.
- Power to prohibit: (i) the CTP from entering into arrangements, or continuing, to provide services to firms; (ii) firms who receive services from the CTP from continuing to receive those services; or (iii) firms from entering into arrangements to receive services from the CTP.
- Power to impose conditions or limitations on: (i) the CTP's provision of any services to firms; or (ii) the services firms receive from the CTP.
The regulators expect to consult separately later in 2024 on how they will exercise these powers.
Next steps
Responses to the consultation are invited by 15 March 2024. The CTP regime is expected to enter into effect in late 2024. In the meantime, we can expect a series of further consultations on aspects of the regime. The regulators expect to publish several further papers in the second half of 2024:
- Finalised policy proposals in a joint policy statement taking into account the responses to the consultation.
- A joint CTP approach document setting out how the regulators will perform their oversight roles.
- A related consultation on incident and outsourcing and third-party reporting.
Authors: Monica Sah, Sara Evans, Caroline Dawson, Rob Donell, Simon Persoff