(12 November 2024 – United Kingdom) The UK financial regulators have introduced new rules to strengthen oversight of critical technology and third-party providers essential to the operation of financial services firms.
The Financial Conduct Authority (FCA) and Bank of England will partially oversee these critical third-party (CTP) providers, given the growing reliance on a limited number of tech suppliers for critical functions across the financial sector. While these partnerships can enhance competitiveness, the FCA cautions that disruptions, such as cyber-attacks or power outages, could potentially undermine the stability of the UK financial system.
Under this new framework, HM Treasury will have the authority to designate a third-party provider as a CTP if it determines that service disruptions could threaten the stability of, or confidence in, the UK’s financial system. Once designated, CTPs will be required to work with regulators, sharing regular assurances and incident reports, including reports of any cyber-attacks, natural disasters, or significant outages. These CTPs will also need to perform resilience testing and participate in scenario-based exercises, sometimes in coordination with financial market infrastructures (FMIs) and client firms.
The FCA has clarified that the new rules do not diminish the responsibility of financial firms and FMIs to manage their own operational resilience. Financial institutions will continue to bear the duty of ensuring their systems and third-party relationships remain resilient to potential disruptions, in line with existing operational resilience and outsourcing requirements.