It is no surprise that there continues to be greater regulatory focus on third party risk management and resilience. This time, the Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA), and Bank of England (BoE) issued a consultation paper on critical third parties on 7 December 2023. Responses are requested by 15 March 2024.
A Critical Third Party (CTP) in the context of the UK financial sector is defined based on its role and impact on the financial system. The key characteristics of a CTP include:
Materiality of Services: CTPs are identified by the materiality of the services they provide to financial services (FS) firms and/or Financial Market Infrastructures (FMIs). A service is considered 'material' if its failure or disruption could threaten the stability of, or confidence in, the UK financial system.
Concentration of Services: The extent to which services provided by a third party are concentrated within the financial sector is also a factor. This looks at how many firms and FMIs rely on the services of the third party.
Systemic Impact Factors: Other factors like the substitutability of the material services, and access to firms' or FMIs' critical resources, are considered to assess the potential systemic impact of a CTP.
The consultation paper introduces a set of 6 Fundamental Rules for Critical Third Parties (CTPs). These high-level rules express the regulators' objective of managing risks to the stability of, or confidence in, the UK financial system posed by CTPs. These rules include requirements for CTPs to conduct their business with integrity, skill, care, diligence, and in a prudent manner, among others.
Additionally, the paper proposes 8 Operational Risk and Resilience Requirements for CTPs. These requirements aim to ensure that CTPs can effectively manage and mitigate risks associated with their services to the financial sector.
6 Fundamental Rules:
-
A CTP must conduct its business with integrity.
-
A CTP must conduct its business with due skill, care and diligence.
-
A CTP must act in a prudent manner.
-
A CTP must have effective risk strategies and risk management systems.
-
A CTP must organise and control its affairs responsibly and effectively.
-
A CTP must deal with the regulators in an open and co-operative way, and disclose to the regulators anything of which they would reasonably expect notice.
8 Operational Risk & Resilience Requirements:
1. Governance
Regulators propose that every critical third party (CTP) ensures governance that promotes the resilience of its material services by appointing a qualified point of contact with oversight authorities, defining roles and responsibilities with effective communication channels, implementing a comprehensive approach for preventing, responding to, and recovering from disruptions, and ensuring thorough review and approval of information shared with regulators.
2. Risk Management
Regulators are proposing that each critical third party (CTP) effectively manage risks by identifying and monitoring internal and external factors, maintaining efficient risk management processes, and consistently updating them based on lessons learned from disruptions, engagement with regulators, emerging risks, and associated testing.
3. Dependency and Supply Chain Risk Management
Regulators propose that each critical third party (CTP) identifies and manages risks within its supply chain to safeguard the delivery of material services. CTPs are required to ensure that everyone in their supply chain understands and complies with the applicable regulations, facilitates the fulfilment of CTP duties, and grants regulators access to relevant information for oversight purposes.
4. Technology and Cyber Resilience
Regulators propose that a critical third party (CTP) must ensure the resilience of its technology supporting material services by implementing technology and cyber risk management and operational resilience measures, conducting regular testing of those measures, incorporating lessons learned from testing, and establishing processes to provide timely and relevant information for risk management and decision-making.
5. Change Management
Regulators propose that a critical third party (CTP) must establish a systematic approach to managing changes to material services, including the implementation of policies, procedures, and controls for resilience, minimising disruption risks during implementation, and conducting thorough risk assessment, recording, testing, verification, and approval processes prior to any change.
6. Mapping
Regulators propose that a critical third party (CTP) must, within 12 months of being designated by HMT, identify and document the resources, including assets and technology used to deliver, support and maintain each material service and the internal and external interconnections between them. The CTP is required to maintain and update this documentation continuously thereafter.
7. Incident Management
Regulators propose that a critical third party (CTP) effectively manages incidents impacting the delivery of material services by implementing measures for response and recovery from incidents that minimises the impact, setting a maximum tolerable disruption level, maintaining and operating a Financial Sector Incident Management Playbook, and coordinating with relevant arrangements for responding to incidents in the UK's financial sector.
8. Termination of Services
Regulators propose that a critical third party (CTP) must establish measures to respond to the termination of its material services, including effective, orderly and timely termination arrangements and provisions for ensuring the access, recovery, and return of relevant assets to the firms or FMIs it provides the material service to (and where applicable, in an easily accessibly format).