Critical Third Parties - a new regulatory perimeter

02 December, 2022

The joint Bank of England/PRA/FCA Discussion Paper (DP3/22) on critical third party service providers (CTPs), published earlier this year, represents a new perimeter in financial regulation. The DP defines third party service providers as critical if a failure in their service provision to financial institutions could threaten UK financial stability. As the paper’s close date approaches, I wanted to explore the implications of the proposal, particularly for firms that provide material business services to the UK financial services sector and might be designated as CTPs.

The UK proposal is mirrored by similar initiatives in the EU and US, which are at various stages of progress towards coming into force. Regardless, potential candidates should consider the regulatory implications sooner rather than later.

How outsourcing is creating a new perimeter for regulators

UK regulators recognise the benefits of outsourcing, such as improved operational resilience. But these are balanced against concerns over concentration risk, systemic dependencies and what these could mean for wider financial stability in the event of a material service failure. DP3/22 proposes a regulatory framework to identify potential CTPs, along with minimum resilience standards and a range of test tools.

This will be a fundamental shift in focus for UK financial regulators, as they will potentially be overseeing business services provided by non-financial firms. In parallel, non-financial firms designated as CTPs will come under formal regulatory oversight for the first time. While such firms are already focused on operational resilience, they will now be formally scrutinised against explicitly defined regulatory standards, a change that merits their consideration.

What firms may fall under the scope of these proposals

DP3/22 outlines a proposed identification regime, centring on the materiality of the services provided and on client concentration (by number and type). Based on these high-level criteria, there are some clear upfront candidates. For example, Amazon Web Services, Microsoft Azure and Google Cloud together accounted for 63% of total global expenditure on cloud services in Q2 2022.

However, other service lines may also qualify. For example, insurance claims services offer management software to help providers sort and analyse claims. The global market structure is dominated by fewer than 20 companies, varying across regional markets. The regulators themselves acknowledge that new potential CTPs may emerge, for example through the increasing third party provision of AI or machine learning models, and quantum computing provided as a service.

CTPs need to understand how their services support clients’ important business services (IBS)

To ensure their services are appropriately resilient by design and operation, designated CTPs will need to better understand the criticality of client important business services (IBS) that they support. There will clearly be lessons for CTPs to learn from the experience of financial services firms, as the latter continue to engage with UK supervisors on their implementation of operational resilience rules. And financial services client firms will also need to consider how they might establish greater assurance around CTP services.

As we move into 2023 this new regulatory perimeter will come into sharper focus in the UK, so the time for critical attention is now.