Series 5 Episode 10: A cultural and perimeter shift: strengthening resilience of critical third parties

In this episode, host Tessa Norman is joined by two PwC Directors: Julia Ramsay, a specialist in Third Party and Supply Chain Risk, and Tom Kohler, a specialist in Financial Services Resilience and Risk Management, to explore the regulation of critical third parties (CTPs).

Our expert guests delve into the details of the incoming regulatory regime for CTPs, sharing insights on the outcomes policymakers are seeking to achieve, and the steps CTPs and financial services firms can take to prepare for the proposed new rules. Our guests also exchange perspectives on broader regulatory measures aimed at boosting resilience in other sectors, as well as how firms can manage overlapping rules and harness the strategic opportunities this presents.

Note: This episode was recorded prior to publication of HMT's CTP policy paper on 21 March 2024, which confirms the timelines and criteria for designation discussed in the podcast.


Transcript

Tessa Norman: Hi everyone and welcome to the latest episode of Risk & Regulation Rundown, the podcast where we share our views and insights on financial services, risk and regulatory topics. I'm Tessa Norman, I'm your regular host, and in today's episode we're focusing on the upcoming regulation of critical third parties, known as CTPs, in UK financial services. I'm delighted to be joined by two of our PwC Directors as our expert guests, Julia Ramsay, who specialises in third party and supply chain risk, and Tom Kohler, who specialises in financial services resilience and risk management. In December, the Bank of England, PRA and FCA set up their proposals for exercising direct oversight over CTPs, with the aim of reducing risk to the UK's financial stability. The consultation on the proposals closed earlier this month in March. So we'll come onto the details of those proposals shortly, but to kick off today's discussion, Tom, it'd be great to get your thoughts on how we got here. So how has the role of third-party providers in the FS sector been evolving over the last few years, and what are some of the risks that the regulators are looking to address?

Tom Kohler: Thank you, Tessa. I suppose over the past ten years, there's been an enormous increase in the extent to which financial services firms are making use of third-party providers to deliver services that are integral to their ability to function and provide their services to their customers. For some time now the financial services regulators in the UK and internationally have been becoming concerned about the possible concentration this creates. If all of the major banks and insurers and asset managers are using the same small group of third-party providers, a failure or disruption of one of those providers could have a knock-on effect for the financial stability of the UK as a whole. This is probably most easily illustrated by thinking about cloud services. Almost every big services firm has embraced the benefits that transferring at least some of their technology into the cloud can bring. The firms are moving more and more volumes of their computing workloads to the cloud providers. But that cloud services market is dominated by just three big cloud providers. The regulators fear that disruption of one of those cloud providers would create a situation in which many, many financial services firms will be impacted by that disruption simultaneously, and that could have potentially catastrophic impacts on the financial system as a whole. It's a concern about that scenario that has driven the regulatory intervention that we are now seeing.

Tessa: Julia, those concerns about concentration risk that Tom's talked about there, are we seeing similar regulatory concerns or proposals in other sectors outside of financial services?

Julia Ramsay: Yes, Tessa. I think the short answer is, yes, we are. At the heart of the CTP regulation is resilience of critical third parties. Strengthening the resilience of critical entities is basically the theme that we're seeing across a number of different sectors outside of financial services. Let me take an example of Critical Entities Resilience Directive, CERD. That came into force in January of last year and is a directive that aims to increase the resilience of critical entities against a whole range of threats from hazards of terrorist attacks, cyber attacks, natural disasters, and sabotage. Now under this directive, EU member states will use a risk-based approach to designate critical entities that are vital for economic, societal functions. So, in chargeable energy, water, health and food. So very much at the heart of looking at resilience entities that we all rely on, which is at the heart of obviously the CTP regulation. I think what's very interesting, though, from a CERD perspective, which is different to the existing regulation that we see outside of FS is that it's going beyond just what is typical cyber threats, it's more about that operational resilience.

Tessa: That gives us some really helpful context in terms of where the regulators are coming from and some of the risks that they're looking to mitigate. Let's turn now to the proposals themselves in a bit more detail. First off Tom, can you talk us through which providers are set to be in scope of these new rules?

Tom: Of course. Before I get into that, I think it's important to be clear that the notion that third-party service providers in financial services need to be subject to oversight is not new. And to date that has been achieved by the requirements that the regulators put on the financial services firms themselves to oversee their third parties. So, if you're a bank, consuming services from third parties, you need to be demonstrating to the regulators how you are adequately controlling and overseeing those third parties. So that's not new. The shift that has happened is the regulators are concerned that for some of the providers, they are so large and so systemic, that individual financial services firms cannot expect to be able to exert the influence over them to be able to control them. That's where this notion of designation as a critical third party comes in. The regulators will look at the third parties that are out there in the market, the providers, and ask, 'Well, which of these are the most critical ones?' Designation will be done by the Treasury, and it will be on the recommendation of the financial services regulators, so the PRA and the FCA. The criterion that they're using for designation is quite a high bar, actually. You'll be designated as a CTP if the Treasury is satisfied that a failure in, or disruption to, the provision of the services that you provide, could threaten the stability of, or confidence in, the UK financial system as a whole. It's not about being critical to one bank or even one group of banks, it's really saying, 'Disruption to this service provider would threaten UK financial stability.' So that's a high bar and it means we expect it to be quite a small number of providers that are designated as CTPs upfront. The other thing I'd say on that is that it's not a one-off exercise, these are the CTPs, and then that's set in stone. It's going to be quite a dynamic exercise, and then we may see the Treasury start with a small number of designations, and then gradually expand those designations over time. Equally, as the landscape changes, providers may drop out of designation or new ones will be brought in in due course.

Tessa: For those larger providers which are designated, can you give us a sense of what the proposals look like and what expectations are they going to be facing under the new rules?

Tom: It'll be quite a big change for those providers because we're talking about extending the scope of the regulatory perimeter in the UK. The regulators have got the powers under legislation that's already been passed now, to regulate these providers directly for the first time. Their draft requirements are really in two parts. They've proposed what they've called a set of six fundamental rules that the providers will have to follow. These are principle-based regulations, like the critical third party needs to conduct its business with integrity, it needs to act in a prudent manner, it needs to have effective risk-management systems in place. So some prudential fundamental rules that the critical third party has to follow - six of those. Then also, eight more practical, what they call, operational resilience and risk management requirements, that the CTPs will need to demonstrate that they are following. So, that's more on things such as incident management, management of third parties in the supply chain - a series of requirements - anyone who's familiar with financial services regulation in the UK will recognise a lot of those, they mimic the requirements that the regulators currently place on banks.

Tessa: Quite a big step change there and a broad range of issues covered, as you've talked through. Julia, how do these proposals compare to the approaches that a lot of firms are taking already, and are there any particular areas that you'd really draw out where you think designated CTPs are likely to face more of a challenge in complying?

Julia: I think from the conversations that we've had with some of our clients, and certainly those that are anticipating that they will be designated, they're already thinking about how to prepare for this new regulation. The timeline is quite short, really, in when this will be coming into effect and when self-assessments will be required. Honestly, a lot of these organisations are already, given the nature of what they are from a technology perspective, already undertaking key activities that meet some of those operational risk resilience requirements. You know, incident reporting and testing and what-have-you. There's already a base on which I think there's activities going on. What I think will be the challenge, though, is probably in a couple of areas. I think one will be more a cultural challenge than a technical one. If you haven't been regulated, and you certainly haven't been regulated by a financial regulator, the level of transparency and access to information that the financial regulators may request and ask for is something that the organisations may not be used to and that will probably take a little bit of getting used to, certainly early on. A second area to think about, and I would think about this is how to facilitate the activity that the CTP will have with a number of their customers, is how do you demonstrate the compliance potentially against things that you're already doing? But in a way that A, the regulator wants to see, and then, B, your customers will also want to see. Obviously having a common way of doing that, from very early on, will drive the efficiency and make this a process of, 'We're doing things once,' rather than having to do it multiple times for multiple customers.

Tessa: Tom, is there anything you'd add to that in terms of other potential challenges for designated CTPs?

Tom: I think Julia's spot-on that some of the biggest challenges will be cultural and adjusting to what it's like to be regulated by the financial services regulators and the quite high level of information that the regulators expect that level of transparency will be new. There are some areas of the regulation that are being finalised currently that will be potentially challenging. The draft regulation has quite a bit around testing and the need for critical third parties to participate in industry-wide testing of the recovery capabilities, potential scenarios that could go wrong. There's further clarity expected from the regulators on those requirements, and it's been one of the areas that there's been a lot of feedback on. But what those tests look like, what those scenario plans look like, how the critical third parties will participate in those tests, is going to be a big area of focus, and again could be quite challenging, depending on what the final requirements look like.

Tessa: What do the next steps look like from here? The consultation recently closed earlier this month, Tom it'd be great to get your thoughts on the forward-looking timeline and then some of the actions firms need to be taking.

Tom: In the immediate future we're expecting very soon a paper from the Treasury giving more detail on their approach to designation. Hopefully that will give some clarity for some of the potential CTPs out there to understand more about whether they're likely to be designated. Beyond that, the timelines are not yet clear, but we expect later this year, or at the latest early next year, the final regulation to come from the regulators. Once that has come out and the first CTPs are designated, there is a little bit more clarity about what the timelines look like. So, following designation, a CTP will have three months to produce an initial self-assessment against the requirements, and provide that self-assessment to the regulators. One thing I would say on that is it is an initial self-assessment, and the regulator has been quite clear that they don't necessarily expect CTPs to be fully compliant by the time of that self-assessment. But if I were a CTP giving that self-assessment to the regulator, I would want to be pretty certain I'm as compliant as possible when I do that. Beyond that, the three months self-assessment, there's then an annual self-assessment process that the CTPs need to produce and provide both to the regulators and also to their financial services customers. The next major milestone will be then fifteen months after designation when that first annual self-assessment happens. I think the regulators will be expecting CTPs to be fully compliant by the time they submit that further annual self-assessment.

Tessa: Bearing in mind that timeframe that Tom's outlined, what would you add to that, Julia, in terms of the areas of focus that firms should be thinking about?

Julia: I think, as Tom mentioned, three months is not a long time for that first assessment, and I think, there'd be probably a couple of areas for me that would be more tricky and ones to start thinking about now. The first one is supply chain and dependency mapping. This is in fact being singled out because it is probably one of the more tricky areas. For services that are likely to be in scope for CTPs, I would be talking about thinking about how you map the components and the nth parties that make up the supply chain to deliver that service. Certainly, in my experience, mapping those services takes inevitably longer than you expect because of the collaboration and corroboration you need across an organisation to get to the right answers. I think another area would be, thinking about how you integrate some of those critical dependencies into day-to-day business activities. If there are incidents in the supply chain, how is that being captured in your day-to-day reporting and from the supply chain up? Because actually now we need to be on top of the visibility of that and be quicker to respond to that, certainly if we need to notify anyone and any regulators. I think another area that is a little bit tricky is some of the firms that will be designated might not quite think like a regulator thinks, they might think more like products and bundles. It's a different way of thinking about how you're actually running your business to what the regulator is going to ask you questions over. So, just perhaps thinking about that. It will be all about material services, so I think it's again just thinking where to draw that line. To add some complexity onto that, for some of our clients they operate in what's called a multi-tenancy model. So when you're actually using shared resources for multiple customers who may be outside of the FS industry.

I think when Tom talked about some of the finer details coming out, it'll be interesting to see how that plays out for clients where there is that multi-tenancy model. I think a third and final area to think about around the self-assessment would be to think about, it's never too early to start. The learnings will be beneficial, even if a firm doesn't end up being designated as a CTP. So certainly, think about what you can take on now as activities to think about meeting those requirements articulated by Tom.

Tessa: Thanks Julia, some really great practical steps there for firms to be thinking about, and some really helpful pointers for things that they can do now even before we get the final rules. So that's great. You mentioned earlier that we're seeing some sectors outside of financial services also looking to strengthen regulation on resilience, and you touched on some of the EU legislation in this space. I think taking that broader view in context is really important and helpful. The fact that many designated CTPs are going to be operating both in multiple sectors and potentially in multiple jurisdictions as well, and so having to comply with lots of overlapping rules and standards. So, how do you think firms should be approaching that challenge?

Julia: I think it's a good question because I think it's an understandable concern organisations have. You know, 'How do I navigate all these different regulations?' Concerning how does CTP overlap with CERD and also DORA, which we haven't mentioned. But I think for me the safest way to answer that is to perhaps think about this as responding to it not from purely just a regulatory compliance perspective but to think about taking more strategic approach to resilience and thinking about, 'How can I create some operational efficiencies? How can I think about how I can capitalise on disruption to create some competitive advantage?' Because at the end of the day, by thinking about how we deal with operational resilience and endeavouring to follow some activities and develop from methodology, it'll be very helpful as almost, like, a handrail for other regulations as they continue to evolve and grow.

Tom: I think that point is critical. Julia mentioned DORA. DORA in the EU introduces a lot of new requirements for some of the same service providers, and so trying to build resilient services which will then meet multiple regulatory requirements rather than narrowly focusing on one national regulation and trying to tick that compliance box will be really important. I think it's fair to say that, the potential critical third parties that we are talking to are taking that approach. 'We want to be resilient; we want to build reliable services for our customers, and if we do that we will become compliant.'

Tessa: Absolutely. I think, taking that strategic view and looking beyond this is absolutely crucial to so many of the topics that we discuss on this podcast. We've covered a lot of ground; it's been a fascinating discussion. As a final question, Tom, it'd be great to get your thoughts on how do you see the broader market impact of these proposals? Is there an impact on financial services firms that we need to be thinking about as well as the impact on CTPs?

Tom: I'm conscious that many of our listeners will be financial services professionals and maybe asking, 'What does this mean for the financial services firms?' The regulators have been quite insistent that in the short term at least there'll be no change in the expectation placed on the banks, the insurers, the asset managers, as a result of the CTPs becoming regulated. It's not going to be the case that somehow because your cloud provider is suddenly regulated there'll be a reduction in the regulatory expectation around third-party risk management or around operational resilience. All of those things that already exist. In fact the regulators have gone as far as to specify in the draft regulation that this should be in no way seen as, they used the term regulatory kite-mark, this is not a regulatory kite-mark that the CTPs can use as a marketing tool to say, 'Look, we're regulated, therefore we're safer.' I think the regulators are especially concerned about the potential competition implications that could come from that. For FS firms in the first instance, there won't be any change in the regulations that they need to comply with in relation to their CTPs. But what they will potentially have, is some new information coming in. So part of the requirement requires the CTPs to provide more information to their customers about their services and their resilience posture. Those self-assessments I mentioned that the CTPs have to give to the regulator, it's also looking likely that they will need to give some form of that self-assessment to their customer. It will be a positive thing for the financial services firms that are the customers because they will have yet more information than they have already about the critical third parties that they rely upon.

Tessa: Great, thank you both so much for joining me. It's been interesting to hear about the journey that both regulators and firms have been on so far, and what the road looks like both for the CTPs and for the financial services industry, as you've touched on at the end there, Tom. I'm looking forward to seeing how those final rules take shape, how firms respond, and how related regulatory frameworks evolve in other jurisdictions and across other sectors. To our listeners, I really hope you've enjoyed this conversation, and thank you very much for listening. As always, please subscribe to future episodes, and please rate and review this series as it helps other listeners to find this. If you'd like to hear more from us on risk and regulation, please look out for our regular publications on our website, which we'll link to in the show notes. We'll be back next month with our next episode.
