Legal development

UK regulators provide further details on framework for oversight of critical third parties UK DORA

Insight Hero Image

    On 21 July 2022, the PRA, FCA and the Bank of England (together, the UK regulators) issued a discussion paper on the oversight of third parties critical to the UK financial sector. This follows a Policy Statement issued by HM Treasury in relation to oversight of critical third parties ("CTPs") (see our briefing here). It also follows the publication of the Financial Services and Markets Bill 2022-23 ("FSM Bill"), which set out the proposed powers for regulators in terms of critical third parties.

    At both EU level and UK level there are concerted efforts to give financial services regulators oversight and powers in respect of unregulated third parties that provide critically important services to regulated entities. Cloud providers in particular are the focus of the proposed rules, however other key players that provide the core infrastructure of the functioning markets may also be captured.

    While the proposed rules under the FSM Bill are precisely drafted, there are still a number of outstanding uncertainties regarding the regime, such as how the UK proposals will interact with similar proposals in other jurisdictions and their steps to have similar oversight regimes (such as EU DORA). It is likely that the same group of firms will be subject to overlapping and in some cases contradictory rules.

    Moreover, the framework will need to find a way to deal with unregulated entities operating with a global presence and complicated group structures. Many of the entities that are intended to be captured by this regime will undoubtedly be headquartered outside the UK.

    Finally, it remains to be seen how the UK regulators will manage these new powers and deliver on these new expectations. Whilst operational resilience and outsourcing experts exist within the supervisory authorities, this framework will substantially increase their workload and a require certain level of upskilling – particularly in respect of cloud computing. As an example, one key cloud provider has noted that independent third-party auditors evaluate its infrastructure against more than 2,600 standards and requirements throughout the year. How will the UK regulators adequately supervise this?

    Interested parties have until 23 December 2022 to provide feedback. Interestingly, while the statutory framework for the proposal has already been put forward as part of the FSM Bill, the underlying details of the regime (including the criteria for designating a third-party as critical) are still very much in their early stages. The fact that the UK regulators have opted for a high level 'discussion paper' over a 'consultation paper' accompanied by draft rules indicates that timelines and planning for this regime may be slightly mismatched.

    Our briefing below sets out the key takeaways from the discussion paper.


    The discussion paper sets out:

    • a framework for identifying potential CTPs and recommending their designation to HM Treasury, based on the proposed designation criteria in the Bill;
    • minimum resilience standards that CTPs could be required to meet when providing certain services (referred to as "material" services);
    • resilience testing of CTPs set by the regulators using a range of tools, and focused on the "material" services they provide to firms and FMIs. Central to the framework is the provision of information by CTPs to regulators.

    The proposed framework is designed to complement existing regulatory framework that applies to regulated firms concerning outsourcing and operational resilience, owing to common features in both frameworks, such as focus on services and the assumption that disruption will occur.

    Who is in scope?

    Current outsourcing and operational resilience rules only apply to firms regulated by the UK Regulators. By contrast, the focus of the proposed framework is on unregulated 'third parties' who provide services to one or more firms or financial market infrastructures ("FMI"). The proposed rules will apply to those third parties that have been designated by HM Treasury as CTPs.

    HM Treasury may designate a third-party as a CTP when in HM Treasury's opinion a failure in, or disruption to, the provision of the services the third party provides to firms and FMIs could threaten the stability of, or confidence in, the financial system of the UK.

    Crucially, the proposed measures limit the UK regulators' oversight to material services that CTPs provide to the financial sector. Accordingly, the UK regulatory authorities would not have any responsibility or powers for wider regulation and supervision of CTPs or for the resilience of the services they provide to other sectors (although the paper does discuss the options for cross-sectoral cooperation and inter-authority engagement in respect of CTPs).

    Financial services firms that are served by third parties include all firms authorised by the PRA and/or the FCA including UK-authorised branches of third country firms. FMIs include central securities depositories; central counterparties; UK recognised investment exchanges; recognised payment systems operators; and specified service providers to recognised payment systems operators.

    Why the need for the new regulatory framework?

    For some time, UK regulators and other regulators have noted the increasing potential threat posed by the reliance of regulated firms on a small number of third party service providers. A major disruption at one of these third parties could create a single point of failure with the potential for catastrophic consequences for financial stability.

    Equally, regulators are cognisant that the current supervisory framework provides very limited tools to manage the systemic risks posed by the failure or disruption of critical third parties. Therefore, they consider additional legislative measures and regulatory powers are needed to address this gap.

    How would the framework fit in with existing requirements on regulated firms?

    At this stage the proposed framework does not apply to regulated firms nor does it impose additional obligations on regulated firms. Such firms are already subject to a number of existing requirements in relation to outsourcing and operational resilience.

    The reason for this proposal is that policy makers consider risks arising from the provision of services to multiple firms and FMIs by the same third party cannot be contained by a single firm or FMI. The measures outlined in the discussion paper are therefore intended to complement, and not replace, firms and FMIs' own responsibilities in relation to operational resilience.

    In our view, designation of certain third-party providers as CTPs may help regulated firms in their dealings and negotiations with such third-parties – particularly when it comes to outsourcing agreements. For example, discussions over contractual rights to audit, access and testing etc. may become easier to negotiate. In particular, the ability of CTPs to argue that they are not the regulated party in the relationship and therefore do not need to comply with certain standards will be diminished.

    Which entities could be a designated a CTP?

    The obvious focus of the regulators are cloud providers, which have been referenced multiple times in previous papers published on third parties.

    Under the FSM Bill, HM Treasury would need to take into account two criteria when deciding whether a third party will be deemed a CTP:

    • materiality of the services the third party provides to the delivery by firms and FMIs (and, if applicable other persons on their behalf) of activities, services or operations (wherever carried out) that are essential to the economy of, or financial stability in, the UK (materiality); and
    • the number and type of firms and FMIs to which the third party provides services (concentration).

    The discussion paper states that the process of designation would be evidence-based, noting that certain ICT third party service providers (such as the major cloud service providers) would most likely be designated as CTPs due to firms’ and FMIs’ increasing reliance on their services. The discussion papers states that certain third party providers of non-ICT services, e.g. claims management services to insurers or cash distribution, could also be considered for designation as CTPs if they were deemed to meet the proposed statutory designation criteria. The discussion paper also states that certain third parties providing data and artificial intelligence or machine learning models could emerge as future potential CTPs as a result of the increasing use of these data and models in trading systems.

    In our view, it is also possible that other ICT based providers, such as those providing software to support derivatives transactions and core banking platforms could also fall under the regulators' notice for potential designation.

    What is clear is that regulators are currently collecting the evidence they need to make recommendations to HM Treasury over the designation of CTPs. We are aware that numerous firms and CTPs are being asked for details of their outsourced and non-outsourced service providers through regular and ad hoc reporting and supervisory work. The UK regulators are also planning to consult in 2023 on a new centralised process for collecting information on firms’ outsourcing and third party arrangements and as well as an operational incident reporting framework. No doubt this data will be the starting point for further consideration of which firms should be designated as CTPs.

    What factors will HM Treasury consider when assessing whether to designate a CTP?

    The discussion paper sets out a number of potential factors that HM Treasury would have regard to when deciding whether to designate a third party as a CTP. Notably, these are all potential factors on which the UK regulators are seeking feedback – the language in the discussion paper very much suggests that these are far from final and are up for discussion.

    The table below summaries the key factors:

    MateriallyConcentrationPotential Impact
    Economic functions listed in SS 19/13Number and types of firms/FMIs that use the third partyAggregation risk
    Critical services / Critical functionsDirect and indirect dependenciesSubstitutability
     Certain Important Business services Market share in 'material' services Survivability

    The discussion paper proposes 'materiality' as a key factor HM Treasury could consider in its decision making process, on the basis that the a third party is more likely to be designated as a CTP where one or more of its service offerings its deemed to be 'material'.

    The discussion paper does not propose a definition of materiality, but rather suggests that the UK regulators could take into account whether the third party's services are critical to the delivery by firms and FMIs of:

    • any of the economic functions listed in PRA Supervisory Statement 19/13 'Resolution Planning' (this includes deposit taking functions, lending and loan servicing, capital market and investment activities, wholesale funding, payments, clearing, and custody & settlement),
    • 'critical services' and 'critical functions' as defined in sections 3(1) and (2) of the Banking Act 2009;
    • certain 'important business services' as defined in the UK regulators' operational resilience frameworks for firms and FMIs.

    The benefit of this approach is that it leverages existing frameworks and does not create a new concept for firms or the UK regulators. However, as the final two points are determined by firms, for these factors to work effectively, firms and FMIs must take a consistent approach to identifying critical functions and their 'important business services', which may not currently be the case.


    Consideration of this criterion will involve assessing not just the number, but the type and significance of the firms and FMIs that rely on a given third party for material services. The failure of a third party, or a disruption to its services, could have a systemic impact on the supervisory authorities’ objectives if it affected either: one or more significant firms or FMIs; or a large number of firms or FMIs even if they are not significant. The discussion paper states that these firms or FMIs could be of a specific type, or spread across the financial services sector. Assessment of whether an entity met the concentration criteria would involve looking at: direct dependencies arising from contractual arrangements between firms and FMIs and third parties; and indirect dependencies which could arise through supply chains and other forms of interconnectedness. A possible approach for determining concentration raised in the discussion paper would be looking at the combined market share of the firms and FMIs that rely on the third party service provider for functions and services meeting the materiality criterion and seeing whether the combined market share exceeded a threshold set by the regulators.

    Potential impact on regulators' objectives

    This aspect focuses on features of the CTP and/or its services that could influence their potential to cause systemic risks to the objectives of the regulators if they failed or were disrupted. The discussion paper proposed the following factors which could be considered by the UK regulators as part of this assessment:

    • the full range of services that the third party provides to firms or FMIs (i.e. the aggregation risk);
    • the substitutability of the services;
    • potential ways for firms and FMIs to ensure the continuity or prompt recovery of these services if disrupted; and
    • other relevant considerations, such as whether the third party (and other entities in its supply chain) have privileged access to firms’ and FMIs’ critical systems.

    This assessment would be based on firms' assessments including the results of their testing of

    • business continuity and exit plans for material outsourcing and third party arrangements; and
    • severe but plausible scenarios (extreme but plausible scenarios in the case of FMIs) under the supervisory authorities’ operational resilience framework for firms and FMIs.

    What is the process for recommendation of designation as a CTP?

    Designation decisions would often involve the regulators consulting with one another. In the case of dual-regulated firms and FMIs, the regulators could either issue joint recommendations for designation or obtain the other authority’s agreement before making recommendations to HM Treasury individually. Engagement with UK competent authorities and public bodies outside of the financial service sector is also foreseen in this process and would include bodies such as the National Cyber Security Centre and the Department of Digital, Culture, Media and Sport.

    Are there any exemptions from designation?

    The discussion paper states that it would be unlikely that firms and FMIs (and entities in their groups) already subject to oversight, regulation or supervision where existing authorisations would be designated as CTPs so long as their existing authorisation, supervisory or oversight arrangements allow regulators to impose equivalent requirements on the resilience of any services provided to other firms and FMIs. These firms include: group service companies, whether regulated or unregulated on a solo basis; firms providing services to other firms outside their group, e.g. correspondent banking or custody; and FMIs. Any systemic payments-related firms that may become subject to direct regulation and supervision by the Bank would also not be recommended for designation as CTP.

    What are the proposed minimum resilience standards for CTPs?

    The table below outlines what the UK regulators have set out as their initial thinking on a potential set of minimum resilience standards, which could be applied to CTPs. The paper confirms that any such standards on CTPs would need to be made through the rule making powers under the FSM Bill and be consulted on formally before implementation.

    1. IdentificationThe CTP has identified and documented all services that it provides to firms and FMIs, which, if disrupted, could have a systemic impact on the supervisory authorities’ objectives (material services).
    2. MappingThe CTP has identified and documented the people processes, technology, facilities and information (collectively the resources) required for delivering its material services to firms and FMIs, including key nth parties and other key parts of its supply chain.
    3. Risk Management The CTP has identified risks to its material services across its supply chain, and implemented appropriate controls.
     4. Testing

     The CTP regularly tests the resilience of its material services by

    • participating in tests and sector-wide exercises convened by the supervisory authorities; and
    • performing its own tests.
      5. Engagement with the supervisory authorities The CTP proactively and promptly discloses to the supervisory authorities any information of which they would reasonably expect notice. In particular, information relating to incidents or threats that could have a systemic impact on the supervisory authorities’ objectives.
     6. Financial sector continuity playbookThe CTP has developed and, to the extent appropriate, tested specific measures to address potential systemic risks to the supervisory authorities’ objectives that could arise from its failure, or a severe but plausible disruption to its material services to firms and FMIs. The CTP has documented these measures in a ‘Financial sector continuity playbook’, which it regularly updates and submits to the supervisory authorities.
     7. Post-incident communicationThe CTP has developed a tailored communication plan to engage with firms, FMIs, the supervisory authorities and other relevant stakeholders in the event of its failure, or a severe disruption to its material services. The communication plan should include proposed steps to manage the risk of a loss of confidence in the financial system linked to the CTP’s failure or disruption. For instance, by including appropriate information about any measures that the CTP would take to recover or restore the material services, and the estimated timeframes for doing do.
    8. Learning and evolving

     The CTP learns from any:

    • severe disruption it experiences;
    • known severe disruption at other relevant third parties;
    • disruption at the firms and FMIs to which it provides services; and
    • resilience tests and sector exercises that it performs or participates in.

    The CTP applies lessons learnt to the remediation of vulnerabilities, updates to existing services, and the development new services.
    The CTP regularly shares these lessons with firms and FMIs and the supervisory authorities.

    How would the resilience of services provided by CTPs be tested?

    The discussion paper avoids prescribing a one-size-fits-all approach to testing CTP resilience, instead promoting the use of number of resilience testing tools and sector wide exercises and then deciding which is the most appropriate for CTP, taking into account:

    • the number of material functions and services that the CTP’s services support;
    • type of services that the CTPs provides (as some testing tools, such as cyber resilience testing, may not be suitable for certain services);
    • regulators’ prior engagement with the CTP and knowledge about the resilience of the services it provides to firms and FMIs;
    • regulators’ confidence about the resilience of the CTP’s services (taking into consideration whether the CTP with a history of disruption more frequently or rigorously);
    • potential risk of disruption to the CTP’s services as a result of testing; and
    • cost, resource and time implications of the different testing tools on all parties involved.

    The discussion paper also suggests that the UK regulators could also consider the results of tests conducted by the CTPs internally or those conducted by or on behalf of both UK and non-UK financial supervisory authorities, provided these tests give appropriate assurance about the resilience of their services to UK firms or FMIs.

    What powers would the UK regulators have over CTPs?

    Under the FSM Bill, UK regulators will be granted a number of powers in respect of CTPs.

    The proposed powers include:

    • issuing a direction requiring a CTP to do, or refrain from doing, anything specified therein, eg:
    • implementing the recommendations of a review conducted by a skilled person or other independent party;
    • remediating issues or vulnerabilities identified in resilience tests, sector-wide exercises, or actual disruption; or
    • suspending or imposing conditions or restrictions on the CTP’s ability to provide services to firms and FMIs;
    • appointing a skilled person to provide a report on the CTP’s compliance with relevant requirements. Such a report could be used, among other purposes, to assess the CTP’s implementation of actions set out in a direction;
    • investigatory powers in order to establish whether a CTP has breached an applicable requirement;
    • if a CTP breaches an applicable requirement:
    • publishing a statement (censure) with details of the CTP’s breach;
    • imposing conditions or limitations on the ability of the CTP to provide services to firms and FMIs;
    • issuing a disqualification notice to the CTP:
    • prohibiting it from entering into future agreements with firms and FMIs for the provision services, and prohibiting firms and/or FMIs from such an agreement with a CTP;
    • prohibiting it from continuing to provide some or all services to firms and/or FMIs, and prohibiting firms and/or FMIs from receiving such services; or
    • imposing conditions or limitations on the ability of the CTP to provide services to firms and FMIs, and/or firms and FMIs receiving these services.

    What next?

    The regulators plan to consult on their proposed requirements and expectations for CTPs in 2023 subject to progress made on the FSM Bill.