Understanding the UK’s new third party oversight regime
March 2025 | FEATURE | BANKING & FINANCE
Financier Worldwide Magazine
On 12 November 2024, the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) published the final critical third parties (CTPs) framework, confirming new rules to strengthen the resilience of technology and other third parties providing essential services to financial firms.
For organisations reliant on these CTPs, any disruption to their services, such as a cyber attack or power outage, could impact many consumers and firms, threatening the stability of the UK financial system. Under the CTP regime, CTPs will be brought directly within the supervisory powers of the financial regulators with the aim of improving the resilience of the UK financial sector.
In 2023, the UK government granted regulators new powers to oversee the operational resilience of critical service providers, with the intent of reducing risks to financial stability. Following extensive consultation with the industry, the new CTP regime outlines how regulators plan to implement these powers.
The CTP regime came into force on 1 January 2025, though the Treasury must designate suppliers as CTPs before obligations can apply. A supplier could be designated if it provides services from anywhere in the world to UK-regulated financial entities. The regime will impose obligations on designated CTPs but will not impose any additional requirements on financial entities.
The government will determine which third-party providers are subject to oversight requirements, based on input from financial regulators. Once designated, CTPs will be required to: (i) provide regular updates and notifications to financial regulators regarding their services; (ii) conduct resilience testing and engage in scenario-based exercises, which in some cases will involve direct collaboration with financial firms and financial market infrastructures; and (iii) report significant incidents, such as cyber attacks, natural disasters or power outages.
The CTP regime comprises a number of documents. First, supervisory statement SS6/24, issued jointly by the PRA, FCA and BoE, which is “the main source of guidance for a CTP on how to interpret and comply with CTP duties”. Second, policy statement PS16/24, issued jointly by the PRA, FCA and BoE, which provides responses to feedback on consultation paper CP26/23 ‘Operational resilience: Critical third parties to the UK financial sector’. Third, a document issued jointly by the PRA, FCA and BoE setting out their approach to CTP oversight. Fourth, supervisory statement SS7/24 on ‘Reports by skilled persons: Critical third parties’. Fifth, a policy statement issued by the BoE setting out its approach to enforcement in respect of CTPs – the FCA Handbook’s Critical Third Parties Statement of Policy contains what SS6/24 describes as an “equivalent and substantively identical approach to enforcement”. Finally, updated rules in the Bank of England FMI Rulebook, the PRA Rulebook and the FCA Handbook.
The CTP regime forms part of the UK government’s focus on sector-wide resilience and stability. The FCA, BoE and PRA designed it to sit alongside and in alignment with other international standards. The framework is perhaps most reminiscent of the EU’s Digital Operational Resilience Act (DORA). Some areas overlap with DORA, which is relevant for suppliers that may be designated as CTPs under the UK CTP Oversight Regime and those that need to engage with DORA compliance, either as a critical third party service provider (CTPSP) under DORA or as a non-CTPSP supplier to EU financial entities. Suppliers in this category may be able to carry across some of their DORA compliance measures to avoid duplicating costs. However, there is no guarantee DORA compliance will be sufficient under the UK regime.
Actions for designated CTPs
Going forward, companies that provide vital services to UK-regulated financial entities and are heavily relied upon across the financial system must consider whether they are likely to be designated as CTPs and, if so, what actions they may need to take for compliance, including, for example, amending contracts with firms and ‘key nth party providers’, such as key subcontractors.
Consequently, third parties should establish a clear view of how financial services firms utilise their services. They must also take stock of the lessons learned from financial services firms and their experiences with the UK’s operational resilience framework. For many CTPs, the most significant uplift to meet the regime’s requirements will be cultural, as the framework requires a step change in their approach to resilience and regulatory engagement.
CTPs with a cross-border footprint should also determine an optimal European legal entity structure, considering EU/UK approaches to location requirements. Among the available options are a centralised EU service which allows CTPs to serve EU and UK clients from the EU entity, separate EU/UK entities which serve each location respectively, or a hybrid approach which serves UK clients from an entity based outside Europe and EU clients from an EU entity.
With the new regime now in place, companies should be aware that CTPs may require amendments to their contractual arrangements with firms, which may lead them to revisit and revise the nature of their relationships.
© Financier Worldwide
By Richard Summerfield