The UK Government is proposing greater regulatory oversight of financial services outsourcings involving "Critical Third Parties" (CTPs). If implemented, these changes will result in CTPs – some of which may not regard themselves as part of the finance sector – being regulated directly by financial services supervisory authorities. This would represent a major shift in approach.
Financial services outsourcing: UK plans to regulate service providers as well as their customers
Financial services firms (including payment service providers and e-money providers) (Firms) and financial market infrastructure firms (FMIs) are increasingly relying on third parties outside the finance sector – such as cloud-based computing and communications technology service providers – to support their operations through outsourcing arrangements. The failure or disruption of these "critical" third parties could ultimately threaten the stability of, or confidence in, the UK financial system. Whilst the current outsourcing rules impose requirements on Firms and FMIs outsourcing services, they do not apply directly to third-party providers in their own right. The increased dependency of Firms and FMIs on these third-party providers has led the Bank of England's Financial Policy Committee to conclude that this "could increase financial stability risks without greater direct regulatory oversight of the resilience of the services they provide".
The current outsourcing regime for financial services firms
The existing rules are complex, but, broadly, in relation to certain outsourcings which are deemed to be material, Firms and FMIs may have to notify the relevant supervisory authorities and ensure that appropriate practical and contractual safeguards are in place. This is with a view to ensuring that the relevant outsourcing does not compromise firms' ability to comply with their conditions of authorisation and regulatory obligations. However, the focus is on regulating Firms and FMIs and there is currently no direct regulation of outsourced service providers.
The UK Government's proposed statutory framework would enable the FCA, the PRA and the Bank of England (together the "Supervisory Authorities") to oversee services that CTPs provide to Firms and FMIs directly (as opposed to indirectly by imposing obligations on Firms and FMIs when they engage in outsourcing). The proposed regime aims to ensure that these services are resilient (thereby limiting the risk of systemic disruption in the event of their failure). The Government's proposed statutory regime is supplemented by a Joint Discussion Paper published by the Supervisory Authorities. These proposals form part of the reforms contained in the Financial Services and Markets Bill (FSM Bill) which is currently before Parliament.
"A large IT services business with a significant number of financial services customers could find itself subject to direct oversight by financial services regulators – even though historically, it has always regarded itself as being part of the tech sector."
HM Treasury would – following consultation with the Supervisory Authorities and other bodies – be able to designate certain third parties as "critical" under secondary legislation. Designation of a third party will generally follow a recommendation by one or more of the Supervisory Authorities and will be made where, in HM Treasury's opinion, "a failure in, or disruption to, the provision of those services (either individually or, where more than one service is provided, taken together) could threaten the stability of, or confidence in, the UK financial system". In forming such an opinion, HM Treasury must have regard to: (a) the "materiality" of the services provided by the third party to the delivery of "essential" activities, services or operations; and (b) the number and type of Firms or FMIs to which the third party provides services (i.e., its "concentration"). Activities, services or operations are "essential" if they are essential to (a) the economy of the UK; or (b) the stability of, or confidence in, the UK financial system. The Supervisory Authorities may also consider the potential impact of any disruption or failure of the third party when considering whether to recommend designation as a CTP. However, firms which are already subject to regulation by the supervisory authorities would not be recommended to be designated as a CTP, so long as their existing authorisations give the supervisory bodies the ability to impose equivalent requirements on the resilience of any services they provide to firms.
The materiality assessment
The "materiality" assessment will consider whether the services are critical to the delivery by Firms and FMIs of:
- Any of the functions listed in PRA SS19/13 'Resolution Planning': these include deposit taking and savings, lending and loan servicing, capital markets and investment, wholesale funding markets, and payments, clearing, custody and settlement.
- 'Critical functions', as defined in sections 3(1) and (2) of the Banking Act 2009: these are functions whose interruption could lead to the disruption of services essential to the UK economy or disrupt financial stability in the UK.
- Certain 'important business services' as defined in the Supervisory Authorities' operational resilience framework for firms and FMIs: this encompasses services that, if disrupted, would impact the Supervisory Authorities' objectives and thereby the public interest, as represented by those objectives.
The concentration assessment
The "concentration" assessment will be largely determined by reference to a centralised framework as well as information provided by Firms and FMIs in their regulatory filings. The Supervisory Authorities should also consider the type and significance, and not merely the number, of Firms and FMIs that rely on a particular CTP.
See Section 5 for further discussion of businesses which might be designated as CTPs in practice.
Minimum Resilience Standards
Once a third party is designated as "critical", the Supervisory Authorities would be able to exercise a rule-making power to set minimum resilience standards that CTPs will be required to meet in respect of the material services they provide.
The Supervisory Authorities have set out proposed resilience standards in their Joint Discussion Paper. These comprise: (i) identification; (ii) mapping; (iii) risk management; (iv) testing; (v) engagement with the Supervisory Authorities; (vi) financial sector continuity playbook; (vii) post-incident communication; and (viii) learning and evolving.
The Supervisory Authorities will also engage in resilience testing of the services using a number of tools – see below. The exact tools to be used will differ depending on the CTP.
Tools which Supervisory Authorities may use as part of their resilience testing include:
- scenario testing;
- sector wide exercises;
- cyber resilience testing;
- requesting information directly from CTPs; and
- commissioning a skilled persons' review of a CTP.
The Supervisory Authorities will also have a number of statutory powers in respect of CTPs, including (i) powers to direct CTPs to take or refrain from taking specific actions; and (ii) enforcement powers, including a power to publicise failings. As a last resort, Supervisory Authorities will be entitled to prohibit a CTP from providing future services or continuing to provide services.
In due course, the Supervisory Authorities will issue a statement of policy setting out how they would exercise their statutory powers over CTPs.
The Supervisory Authorities' Joint Discussion Paper closes on 23 December 2022. Subject to the outcome of Parliamentary debate relating to the FSM Bill, and following consideration of the responses to the Joint Discussion Paper, the Supervisory Authorities intend to consult on their proposed requirements and expectations for CTPs in 2023.
Businesses which are likely to be designated as CTPs should make preparations to ensure that they maintain robust governance arrangements, IT systems and risk-management frameworks to limit the systemic risk they pose to the financial services sector. The Supervisory Authorities have envisaged cloud-based computing and IT infrastructure firms as being the focus of the proposed regime, given the market dominance that certain third parties enjoy. For example, Amazon, Google and Microsoft have a collective market share of 65% of the worldwide cloud infrastructure market. However, the legislative framework contained in the FSM Bill is not limited in scope and, accordingly, businesses providing critical services (whether tech-based or not) should make relevant preparations (even if, in practice, only a small number of providers are likely to be caught).
CTPs based wholly or largely outside the UK should not assume that they will be outside the scope of the new regime; from a policy perspective, it seems to us that the UK supervisory authorities would not want a situation where they were unable to regulate a non-UK CTP effectively, where it was providing critical services to UK firms or FMIs. However, at this stage, it is unclear precisely which legal mechanisms might be used to achieve this policy objective.
The UK Government's proposals are not expected to have any immediate impact on the outsourcing obligations currently applicable to Firms and FMIs (as the proposed rules will apply directly to CTPs). However, Firms and FMIs may want to consider how existing or future outsourcing service providers could react if designated as CTPs. In particular, the prospect of direct regulation by the Supervisory Authorities could prompt some service providers to make changes to their arrangements with financial sector customers to reflect increased compliance costs and a perceived increase in regulatory risk.
The wider picture
More widely, the proposals are part of a broader trend for Governments and regulators to adopt a more interventionist approach to markets generally with a view to mitigating perceived risks to critical aspects of the economy. This is reflected, for example, in the UK's National Security and Investment Act, which allows Government to intervene in relation to proposed acquisitions of businesses deemed to be critical to the national interest.