Regulators around the world are focused on the operational resilience of financial institutions, financial market infrastructures (FMIs) and the financial system as a whole.

One area of significant risk to the financial system is the dependency of financial institutions on critical third parties (CTPs), particularly in relation to the cloud and other information and communication technology (ICT) services.

The EU has a forthcoming new regulatory framework in this area; the UK has advanced proposals for something similar but in some respects quite different. Firms, FMIs and third party service providers to the EU and UK financial services sector that operate cross-border need to consider how they may be impacted by both the upcoming EU and the proposed UK CTP regimes. To help you navigate the regimes, we have put together a comparison table drawing out the differences in key areas, including the scope of the regimes, the process of designation of CTPs, and the obligations on firms and CTPs.

UK and EU CTP regimes

UK

  • The Financial Services and Markets Bill (FSM Bill) sets out a proposed statutory framework for managing systemic risks posed by third parties designated as CTPs by HM Treasury (HMT).
  • The FSM Bill proposes a new Chapter 3C in the Financial Services and Markets Act 2000 (FSMA), which would allow HMT to designate third parties as CTPs and empower UK regulators to make rules for CTPs in connection with their provision of services to authorised UK firms and UK FMIs.
  • In July 2022, the Bank of England (BoE) and the Financial Conduct Authority (FCA) jointly published Discussion Paper 3/22 - Operational Resilience: Critical third parties to the UK financial sector (DP3/22).
  • DP3/22 sets out how the supervisory authorities could use their powers under the FSM Bill to assess and strengthen the resilience of services provided by CTPs to UK authorised firms and FMIs, to reduce the risk of systemic disruption. See our blog post on DP3/22.
  • Timing: Depending on the outcome of the FSM Bill - royal assent is expected in spring 2023 - the supervisory authorities plan to consult on their proposed requirements and expectations for CTPs in 2023.

EU

  • In December 2022, Regulation (EU) 2022/2544 on digital operational resilience for the financial sector (DORA), and the related Directive (EU) 2022/2556 (DORA Amending Directive), were published in the Official Journal of the European Union.
  • DORA sets out a new framework with: (i) requirements on financial entities to manage their ICT risks; and (ii) a regulatory oversight regime for ICT CTPs (as defined below) providing services to financial entities.
  • Timing: DORA will take effect on 17 January 2025.

Action points

Financial sector entities (UK and EU):

  • Identify outsourcings and other third party arrangements potentially in scope of the UK and/or EU regimes; and critical enough to be designated
  • Preliminary gap analysis - compare the new requirements (especially those on financial entities under DORA) against the firm's existing ICT risk management practices, operational resilience framework and arrangements with the third-party providers
  • (For DORA especially) identify priority areas for potential action and begin planning, for example:
    • Contracts with third party providers - any upgrades required to comply with DORA; areas where the service provider might want more rights or impose additional obligations on the firm; and how/when to engage with service providers
    • Upgrades to third party risk strategies and procedures, including the establishment of any appropriate internal bodies, reporting, systems and processes
    • Identify any major non-EU service providers that do not have an EU subsidiary, so might be off-limits (under DORA) unless they establish one
  • Engage with potential CTPs
  • UK – respond to the UK Discussion Paper; and track the following consultation
  • DORA – monitor for further RTS and other rules/guidance (including any developments on standard contractual clauses)

Potential CTPs

  • Review the materiality of existing and future services to firms; and whether they have potential to trigger designation as CTPs under either/both regimes
  • Identify priority areas for potential action and begin planning, for example:
    • Any upgrades required to comply with proposed UK minimum resilience standards, including consideration of the commercial and operational impact of such upgrades – eg contracts with firms; industry risk impact mapping; post-incident communication procedures; and resilience scenario testing
    • Reviewing standard customer terms and conditions for any potential adjustments
    • Financial sector continuity playbook (UK)
    • Any other general organisational changes to ensure compliance with requirements, including potentially enhanced regulatory and reporting functions
  • Implement changes to the business to ensure it is able to comply with the regulatory framework
  • (If no EU subsidiary) consider the potential need to set up a new EU subsidiary to be able to continue services to EU firms (DORA)
  • Engage with firms
  • UK – respond to the UK Discussion Paper; and track the following consultation
  • DORA – monitor for further RTS and other rules/guidance (including standard contractual clauses)

Glossary

  • "Firm" or "financial entity" means the relevant regulated bank, investment firm or other in-scope regulated entity.
  • "ICT services" means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.
  • "ICT CTP" means an ICT third-party service provider, i.e. an undertaking that provides "ICT Services", that has been designated as critical under Article 31 of DORA.

The table below is a high-level overview showing the key differences between the proposed UK regime and forthcoming EU regime.

OPERATIONAL RESILIENCE: PROPOSED CTP REGIMES – UK / EU COMPARISON

UK  (FSM Bill + DP3/22)

EU  (DORA)

1. Scope of Regime

UK

  • Applies to CTPs only. Firms remain subject to existing rules (and regulator expectations) on operational resilience, outsourcing and third party risk management.
  • Wide category of CTP services: CTPs are not limited to digital / data service providers.
  • Cloud Services Providers (CSPs) are likely to be considered for designation, but DP3/22 also contemplates non-ICT services (e.g. claims management services to insurers or cash distribution) possibly being designated.
  • Criteria for being a CTP: the FSM Bill proposes two criteria for CTPs:
    1. materiality – the materiality of the services to the delivery by UK firms and FMIs (only) of activities, services or operations that are essential to the economy or financial stability of the UK; and
    2. concentration – the number and type of UK firms and FMIs to which the third party provides its services.
  • The CTP regime may, in the future, extend to artificial intelligence, quantum computing, machine learning etc.

EU

  • Applies to both:
    a. Firms: 20 categories (listed in Article 2(1) of DORA) of in-scope EU "financial entities", including:
      • Banking sector: credit institutions, payment institutions, electronic money institutions, investment firms and cryptoasset service providers;
      • Markets infrastructure: central securities depositories, central counterparties (CCPs), trading venues, trade repositories and data reporting service providers;
      • Funds sector: alternative investment fund managers (AIFMs) and Undertakings for Collective Investment in Transferable Securities (UCITS) management companies;
      • Insurance sector: insurance and reinsurance undertakings, and insurance, reinsurance and ancillary insurance intermediaries; and
      • Other financial entities: credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories.
      The term "financial entities" does not include insurance intermediaries or other exempt entities.
    b. ICT third-party service providers: digital / data service providers only.

2. Designation of CTPs

UK

  • Under the FSM Bill, designation is by HMT via secondary legislation, following consultation with the supervisory authorities.
  • Designation is evidence-based. It is expected that only a very small percentage of the total number of third parties providing services to firms will be designated as CTPs.
  • Supervisory authorities may recommend designation of a particular third party to HMT. In doing so, the supervisory authorities would look at:
    1. materiality – economic functions, critical services / functions, certain important business services;
    2. concentration – number / type of firms / FMIs that use the third party, (in)direct dependencies, market share in material services; and
    3. potential impact – aggregation risk, substitutability, survivability.

EU

  • Designation is by the European Supervisory Authorities (the ESAs – the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)).
  • The ESAs will designate through a Joint Committee and upon recommendation from an Oversight Forum.
  • EBA, ESMA or EIOPA will be appointed as Lead Overseer for each ICT CTP, depending on the total value of assets of the financial entities making use of the services of that provider.
  • The ESAs will, through the Joint Committee, establish, publish and update yearly the list of ICT CTPs at the EU level.
  • ICT third-party service providers that are not designated as ICT CTPs may request to be designated and included in this list.
  • Criteria for designating ICT third-party service providers as ICT CTPs: Article 31(2) of DORA sets out the following criteria:
    1. systemic impact on the stability, continuity or quality of the provision of financial services in the event of the ICT CTP facing a large-scale operational failure to provide its services;
    2. systemic character or importance of the financial entities that rely on the relevant ICT CTP;
    3. reliance of financial entities on the services of the ICT CTP in relation to critical or important functions of the financial entities; and
    4. degree of substitutability of the ICT CTP (including lack of real alternatives and difficulties in partially / fully migrating to an alternative third-party provider).

3. Type of regulation / oversight

UK

  • Regulators:
    • BoE;
    • FCA; and
    • Prudential Regulation Authority (PRA).
  • Nature of regulation:
    • Services-based (not entity-based) oversight. Supervisory authorities would focus on the services that CTPs provide to UK firms and FMIs, where the failure or disruption of those services could have a systemic impact on the supervisory authorities' objectives (material services).
    • Regulators would not oversee, regulate or supervise CTP entities in their entirety, nor the services they provide to other sectors of the economy.
    • Supervisory authorities may consult with public bodies and other regulators on designation, including the National Cyber Security Centre, the Centre for the Protection of National Infrastructure, the Digital Regulation Cooperation Forum (which includes the Competition and Markets Authority (CMA) and the Information Commissioner's Office (ICO)), the UK Regulators Network and / or the Department for Digital, Culture, Media and Sport.

EU

  • Regulators:
    • Financial entities: financial entities will be subject directly to extra requirements under DORA (and through amendments to existing EU legislation made under the DORA Amending Directive).
    • ICT CTPs: for each ICT CTP, the regulator will be EBA, ESMA or EIOPA (whichever is Lead Overseer).
  • Nature of regulation: the Lead Overseer:
    • Conducts the oversight of the assigned ICT CTP and is, for all matters related to oversight, the primary point of contact for that ICT CTP.
    • Assesses whether each ICT CTP has comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities.
    • Has powers to:
      • request information;
      • conduct investigations and inspections;
      • make recommendations; and
      • request reports and require recommendations to be addressed.
  • Oversight Forum:
    • The ESA Joint Committee will establish a sub-committee (the Oversight Forum), which shall discuss relevant developments, annually undertake a collective assessment of the results and findings of the oversight activities conducted for all ICT CTPs, and promote coordination measures.
    • The ESAs, through the Joint Committee and based on the work of the Oversight Forum, will present yearly to the European Parliament, Council and Commission a report on designation and supervision.

4. Obligations on Firms

UK

  • No specific extra obligations proposed.
  • UK regulated firms and FMIs will retain primary responsibility (and accountability to their regulators) for managing risks to their resilience (including operational resilience) arising from arrangements with third parties, including those designated as CTPs.

EU

  • Financial entities:
    • In summary, financial entities must comply with the 'general principles', put in place key contractual provisions and undertake assessments of ICT concentration risk for all ICT third-party service providers, including those designated as ICT CTPs.
    • Note: the 'general principles' include:
      1. contractual arrangements;
      2. proportional management based on the scale, complexity and importance of ICT-related dependencies and risks arising from contractual arrangements on the use of ICT services;
      3. putting in place a strategy on ICT third party risk;
      4. maintaining, at an entity level and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers;
      5. reporting to competent authorities;
      6. exercising access, inspection and audit rights over ICT third-party service providers;
      7. putting in place exit strategies; and
      8. identifying alternative solutions and developing transition plans to enable them to remove or transfer the ICT services.
    • Must review concentration risk before entering into a contractual arrangement for the use of ICT services (Article 28(4)(c) and Article 29).
    • Must put in place key contractual provisions with any ICT third-party service provider (e.g. on locations, accessibility, notice periods, SLAs, right to monitor, etc.) (Article 30). Standard contractual clauses are to be considered but are not as yet mandated (Article 30(4)).
    • May only enter into contractual arrangements with ICT third-party service providers that comply with appropriate security standards (Article 28(5)).
    • Must take into account or sufficiently address all specific risks identified in a Lead Overseer's recommendations (addressed to the ICT CTP – see below) (Article 42(3)).
    • May only use the services of an ICT third-party provider established in a third (non-EU) country that has been designated as critical by the ESAs if that third country ICT CTP has established a subsidiary in the EU within 12 months of its designation (Article 31(12)).

5. Obligations of CTPs

UK

  • CTPs would have to comply with proposed minimum resilience standards to be set by the regulators (which could be tailored to CTPs but built on the CPMI-IOSCO Principles for FMIs).
  • The minimum resilience standards (DP3/22, chapter 5) would apply to material services; build on the existing operational resilience framework for firms / FMIs; avoid duplication of existing standards; impose common / minimum obligations on CTPs; and be outcomes-focused and principles-based.
  • Elements of potential minimum resilience standards:
    • identification of relevant services;
    • mapping resources required to deliver those services, including nth parties;
    • risk identification and management;
    • resilience testing, including participating in sector-wide testing;
    • engagement with supervisory authorities, including providing reasonable notice of information on incidents or threats;
    • developing a financial sector continuity playbook, i.e. measures to test failure or severe but plausible disruption to material services;
    • post-incident communication, including communication plans (e.g. bank runs); and
    • learning and evolving from actual disruption and testing.
  • Compliance with existing government and industry-recognised certifications and standards may give partial assurance about compliance with minimum resilience standards.
  • No one-size-fits-all approach to CTP resilience, but the expectation is that resilience testing may be performed jointly for CTPs.
  • Testing would include scenario testing (perhaps in collaboration with the Cross Market Operational Resilience Group), sector-wide exercises (such as in conjunction with SIMEX) and cyber-resilience testing (such as testing under CBEST).

EU

  • The obligations of designated ICT CTPs are largely based on compliance with the exercise of the authority of their Lead Overseer on security, risks, reporting, testing, access etc.
  • DORA otherwise does not impose specific obligations on ICT CTPs.
  • Generally, the proposed UK regime will put more obligations on CTPs, whereas DORA puts more obligations on financial entities than on CTPs.

6. Regulators' Powers

UK

  • The FSM Bill proposes to grant supervisory authorities powers to:
    • make compulsory information requests of CTPs;
    • commission skilled persons reviews of CTPs (akin to section 166 of FSMA). CTPs would be under a statutory obligation to give skilled persons all such assistance as they may reasonably require;
    • issue a direction requiring CTPs to do (or refrain from doing) anything specified. This could involve implementing the recommendations of a skilled persons review, remediating issues, or suspending or imposing conditions on the CTP's ability to provide services to UK firms and FMIs; and
    • if a CTP breaches an applicable requirement: (a) publish a statement (censure); (b) impose conditions or limitations on the ability of the CTP to provide services to UK firms and FMIs; and (c) issue a disqualification notice prohibiting it from entering into future agreements with UK firms and FMIs, prohibiting it from providing (some of its) services, or imposing conditions / limitations on its ability to provide services.
  • Supervisory authorities would only be able to use certain powers where they have undertaken an investigation that concludes the CTP breached a requirement.
  • No financial penalties are listed in DP3/22.
  • After the FSM Bill receives Royal Assent, the supervisory authorities would publish a Statement of Policy setting out how they would exercise their statutory powers over CTPs.

EU

  • The Lead Overseer is to assess whether ICT CTPs have in place sound rules, procedures, mechanisms and arrangements to manage the ICT risks which they may pose to financial entities (Article 33). This assessment will include:
    • physical security;
    • risk management processes;
    • governance arrangements;
    • ICT-related incidents;
    • mechanisms for data portability and interoperability;
    • testing;
    • ICT audits; and
    • use of relevant national and international standards.
  • Based on this assessment, the Lead Overseer will adopt an Oversight Plan for each ICT CTP, which will be communicated to the provider each year.
  • The Lead Overseer has a range of powers over ICT CTPs (Article 35), including to:
    • request all relevant information and documentation;
    • conduct general investigations and inspections;
    • request reports specifying remedies to be taken;
    • issue recommendations (for example on ICT security or refraining from subcontracting); and
    • impose financial penalties.
  • Before exercising its powers, the Lead Overseer must consult the Oversight Forum.
  • General investigations (Article 38): these include examining records, summoning representatives for oral / written explanations, interviews etc. An investigation may only be carried out in accordance with a written authorisation specifying the subject matter and purpose of the investigation.
  • On-site inspections (Article 39): inspections cover the full range of ICT systems, networks, devices, information and data used for or contributing to the provision of services to financial entities. Reasonable notice must be given to the ICT CTP unless such notice is not possible due to an emergency or crisis situation, or if it would lead to a situation in which the inspection would no longer be effective.
  • Post-investigation / inspection recommendations (Article 40(3)): within 3 months after the completion of an investigation or inspection, the Lead Overseer must, after consulting the Oversight Forum, adopt recommendations addressed to the ICT CTP; those recommendations are to be communicated immediately to the ICT CTP and to the competent authorities of the financial entities to which it provides services.
  • Periodic penalties (Article 35(6)): to compel the ICT CTP to comply with its obligation to respond to information requests, comply with an investigation or provide requested reports. Payable daily until compliance is achieved, for a maximum of 6 months. Up to 1% of the average daily worldwide turnover of the ICT CTP in the preceding business year.
  • The ESAs will publish a range of joint Implementing Technical Standards (ITS), Regulatory Technical Standards (RTS) and Guidelines under DORA.

7. International Coordination & Harmonisation

UK

  • DP3/22 highlights that a global methodology for identifying CTPs would be challenging (but notes that there is such a methodology for identifying systemically significant financial institutions).
  • Global resilience standards for CTPs could be developed based on Annex F of the CPMI-IOSCO Principles for FMIs and the High Level Expectations for the Oversight of SWIFT.
  • Sector-wide testing and cross-border resilience testing may be employed.
  • DP3/22 asks respondents about UK supervisory authorities taking into account resilience tests, sector-wide exercises and other oversight activities undertaken by or on behalf of non-UK financial supervisory authorities on CTPs. "Taking into account" is not defined; this could fall short of recognition / validation for the purposes of the UK regime.

EU

  • Article 44 provides that the ESAs may conclude administrative arrangements with third country regulatory and supervisory authorities to foster international cooperation on ICT third-party risk across different financial sectors.
  • The ESAs must report every 5 years, in a confidential report to the European Parliament, Council and Commission, summarising relevant discussions with such third country authorities.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.