Evolving oversight of the UK’s CTP regime


After extensive consultation with UK firms and financial market infrastructure (FMI) entities, the Bank of England (BOE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have published the final requirements for the critical third parties (CTP) regime.

The finalised regime reflects feedback received during the consultations and is made under the powers in the Financial Services and Markets Act 2023; the regulators' rules come into effect on 1 January 2025. However, the statutory obligations of the CTP regime under the Act apply to a third party only once HM Treasury publishes the designation order naming it as a CTP, which is expected in the coming months.

This is a summary view of the CTP regime, highlighting the key considerations for financial services firms.   

The purpose of the regime is to:

  • Establish a set of fundamental rules and obligations that apply to the ‘systemic services’ that CTPs provide to UK firms and FMIs.

  • Set granular operational risk and resilience requirements, covering areas such as dependency and supply chain risk management, technology and cyber resilience, change management and incident management.

  • Require CTPs to provide periodic updates to regulators, including an initial self-assessment and annual self-assessments thereafter.

  • Set clear requirements for regular scenario testing, to assess the ability of CTPs to continue delivering their services despite disruption.

  • Require CTPs to notify regulators, firms and FMIs of incidents.

The CTP regime sets out four key areas:

1. Criteria for designation as a CTP

  • Concentration and materiality of a third party, where regulators assess the services provided by the third party and their impact on the industry.
  • Systemic importance of each third party, where regulators assess whether disruption to the services provided by the third party could threaten financial stability or confidence in the UK financial system.
  • Existing oversight, where regulators take into account services that are already subject to other forms of regulation or oversight.

2. Implementation and oversight for regulatory bodies 

  • Judgement-based and evidence-led, where the regulators use a combination of judgement and evidence to carry out their oversight role.
  • Integrated and coordinated approach, where the regulators (BOE, PRA and FCA) streamline coordination and information sharing among themselves.

  • Defined reporting channels, through which CTPs report and share required information with the regulators.

3. Risk assessment framework for CTPs 

  • External and internal risk identification and management, where CTPs are required to define processes to identify, assess, manage and monitor risks arising from both their external and internal environments.

  • Operational resilience, including impact tolerances, recovery and resolution, where CTPs must maintain a robust resilience framework to withstand and recover from disruption.

4. Oversight activities for CTPs 

  • Annual oversight requirements, where CTPs must have a defined framework covering both internal governance and regulatory oversight.

  • Annual self-assessment requirements, with the self-assessment shared with regulators to demonstrate compliance with the CTP regime.

  • Scenario testing requirements, where CTPs have both mandated and ad-hoc tests built into their testing framework, covering approach, type, scope, frequency and participation.

  • Fines and enforcement, where the regulators have the power to impose fines or issue notices on the basis of findings arising from their oversight.

Why is the CTP regime important? 

With technology rapidly evolving and reliance on IT systems increasing, the UK financial services industry’s networks, processes and complex supply chains are becoming more exposed to disruption.

The financial services sector is regarded as having a lower level of resilience maturity than other sectors, and as a result IT incidents there can cost on average two to three times more than in other sectors.

The new CTP regime will address potential vulnerabilities and risks that could impact the UK financial industry, by strengthening the resilience of the services that CTPs provide to UK-regulated financial services firms and FMI entities. However, the regime doesn’t replace the responsibility these firms and entities have in meeting their own operational resilience requirements and managing their third-party risks. 


The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.

Surjeet Choudhary

Asia Head of Third Party Risk at HSBC

1mo

Very informative Kanika Seth

Dan Waltham

GRC Account Director at Corporater

1mo

Thank you Kanika Seth

Russell Rosario

Cofounder @ Profit Leap and the 1st AI advisor for Entrepreneurs | CFO, CPA, Software Engineer

1mo

Kanika Seth, sounds like those rules are a big deal for firms, huh? Risk management is key
