Later this year UK regulators are expected to publish details of their proposed regime to oversee critical third party (CTP) service providers to the UK financial services (FS) sector, following the publication of the joint Bank of England/ PRA/ FCA Discussion Paper (DP3/22) in 2022. Having previously explored the implications for potential CTPs, it would be timely to consider this proposal from the perspective of the Financial Services industry.
“Therefore 2023 should also be a focal year for FS organisations, as they consider the implications of the CTP proposal for their own approach to operational and outsourcing resilience.”
The proposed CTP regime should be considered alongside operational resilience
Regulated firms are already subject to UK oversight of their approach to operational resilience, and those operating in the EU will be subject to a similar regime as provided through the Digital Operational Resilience Act. The Prudential Regulation Authority (PRA) requires firms to be able to demonstrate by 2025 that they can remain within self-defined impact tolerances towards their Important Business Services (IBS). As this will involve mapping and testing to help establish remediation plans, firms should think how they might integrate this work with their consideration of the proposed CTP regime.
In particular, firms will need to consider the dependency of their IBS on the services provided by potential CTPs; the implications of regulatory oversight of CTP services for how client firms establish their own impact tolerances and remediation plans; and the dynamic impacts of the proposed CTP regime on market structure and pricing.
Firms will need to review their approach to IBS mapping and testing
FS firms will need to consider the dependency of their IBS on CTP services, which may lead to an evolution in the contractual demands placed on CTPs and subsequent service and pricing levels. FS firms may also need to adopt a more collaborative and coordinated approach with CTPs, in relation to their mapping and testing of impact tolerances, as well as their development of business continuity and remediation plans. As proposed in DP3/22, designated CTPs could be required to develop ‘financial sector continuity playbooks’, implying close coordination with client firms and regulators in relation to their development, testing and implementation.
FS firms might also push for stronger levels of assurance from CTPs across the five pillars of operational resilience and related capabilities, and for increased clarity on CTP prioritisation in the event of a service incident (across CTP services and client base). As part of this, FS firms will need to consider data resilience measures and protections, in situations where data loss and/or corruption might impact the achievement of firms’ impact tolerances.
The CTP proposal may impact on service substitutability and pricing
An increased regulatory focus on CTPs might in turn drive a stronger focus on service substitutability (above recoverability). As a potential lack of substitutability may be a potential driver of financial instability (in the event of material service disruption), future regulatory focus may in turn encourage client firms to develop multi-vendor strategies and associated contractual terms as a way of improving their operational resilience.
Additionally, the proposed CTP regime may have dynamic impacts on market structure and pricing. Given that minimum resilience standards would be attached to CTP designated services, the potential emergence of a preferential supplier hierarchy might not only have the unintended consequence of increasing service concentration risk, but could also influence pricing and market competition.
Therefore 2023 should also be a focal year for FS firms, as they consider the implications of the CTP proposal for their own approach to operational and outsourcing resilience.
