The UK financial sector depends on many third-party providers for key services and functions, such as data storage, AI-powered tools and cyber security. As numerous firms become reliant on the same third parties, these providers pose a significant risk to the sector’s operational resilience; any failure or disruption could impact the stability of the UK financial system.
This is why the UK government and the financial regulators (the Bank of England (BOE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA)) have proposed a new regulatory framework to oversee and strengthen these Critical Third Parties (CTPs).
The journey to regulatory oversight
This follows a series of steps taken in 2023 to enhance oversight of third parties. To recap, third party providers came within legislative scope under the Financial Services and Markets Act (FSMA) 2023, which gave statutory powers to the financial regulators. The three regulators had earlier released a joint discussion paper on 21st July 2022 regarding potential policy measures.
The proposed framework, outlined in the joint consultation paper CP26/23 published on 7th December 2023, gives the regulators the power to designate certain third parties as ‘critical’ and subject them to regulatory rules and oversight. The consultation paper invites feedback on the proposed measures by Friday 15th March 2024.
What are the regulators saying?
Third party providers will not automatically be categorised as Critical Third Parties. The regulators will exercise this power only if they consider that a failure of, or disruption to, the services a third party provides to financial firms could threaten the stability of the UK financial system.
Critical Third Parties will have to meet eight minimum resilience standards, provide information to the relevant authority, and undergo resilience testing. They will also face enforcement actions if they fail to comply.
These minimum resilience standards include:
- Identification
- Mapping
- Risk management
- Testing
- Engagement with the supervisory authorities
- Financial sector continuity playbook
- Post-incident communication
- Learning and evolving
The proposed framework aims to address the UK financial sector’s growing reliance on, and vulnerability to, a limited number of third parties, as well as the gaps in the regulators’ current powers to reduce the systemic risk that a third-party disruption could cause.
UK firm and its customers are victims of the largest data leak in 2023
In September 2023, digital risk protection firm DarkBeam suffered a leak of over 3.8 billion records because it had left its two interfaces, Elasticsearch and Kibana, unprotected. This exposed its customers’ emails and passwords, leaving them vulnerable to phishing, scams and other cyberattacks. DarkBeam’s leak represents the biggest data breach in the UK and the largest of 2023 so far. With significant operational failures as the root cause, DarkBeam’s failures demonstrate how important it is for firms to have a robust framework and digital resilience when using third party services.
What should firms do now?
The regulators stress that firms cannot delegate their accountability and responsibility to a Critical Third Party. Firms that use third party providers must have strong oversight procedures in place to mitigate the risk of operational disruption and consumer harm. Regulatory expectations and standards for firms remain high, which means implementing robust policies and procedures to safeguard their clients.
With more of the UK financial sector using third parties, it is crucial that firms understand the operational risks, implement these tools safely and prepare for the proposed framework accordingly.
Firms also need to make sure that their own operational resilience obligations, such as developing contingency plans, are not compromised by a reliance on third parties.
How Complyport Can Help
Our team of experts can assess your current use of third parties and their impact on your operational resilience. We can provide tailored advice on how to comply with the regulatory requirements and conduct audits on your third-party tools. Here’s how we can assist you:
- Operational Resilience Programme Support
  - Initiation and implementation of advanced operational resilience strategies regarding outsourced IT services
  - Operational Resilience Impact Assessment to identify potential gaps
  - Expert guidance in defining risk scenarios and optimising continuity strategies
  - Effective management of outsourcing and third-party risk
- Ongoing Operational Resilience Support
  - Ensuring compliance with regulators’ requirements
  - Health-check and progress assessment for sustainable resilience methodologies
- IT and Cybersecurity Audit
  - IT systems audit
  - Audit report and establishment of an annual IT audit plan
  - Addressing IT challenges and improving IT governance
  - Support in developing a cybersecurity risk management methodology
  - Detailed risk assessment and development of a risk register
  - Risk mitigation assistance
  - SOC 2 compliance
- Operational Resilience Impact Assessment
  - Demonstrating to stakeholders the effectiveness of your operational resilience framework
  - Support during testing of operational resilience plans
  - Independent assurance report with a granular view on control effectiveness
- REP018 Report
  - A risk assessment on operational resilience and information security
  - An analysis of the risk assessment findings
For tailor-made services that align with your company’s needs, get in touch with Complyport. Let us be your trusted partner in achieving operational resilience excellence and meeting your regulatory expectations. Contact us today.
Contact Us
Contact our Regulatory Business Solutions department to learn how we can help you fortify your digital and operational resilience.