The UK’s financial sector and markets supervisory authorities have released a new Discussion Paper exploring ways to bring critical third parties (CTPs) into operational resilience regulation.
‘DP22/3: Operational resilience: critical third parties to the UK financial sector’, jointly published by the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), sets out potential measures to oversee and strengthen the resilience of services provided by CTPs to the UK financial sector.
What are critical third parties?
Critical third parties are defined as companies that provide services, via outsourcing or other arrangements, to regulated financial services firms and financial market infrastructure firms (FMIs) that could affect financial stability and cause harm to consumers if they fail or are disrupted. The potential measures included in the new discussion paper aim to mitigate this risk.
What does DP22/3 include?
The DP22/3 discussion paper sets out potential measures for how the supervisory authorities could use their proposed powers, which include:
- A framework for identifying potential CTPs, which would inform the supervisory authorities’ recommendations for formal designation by HM Treasury.
- Minimum resilience standards, which would apply to the services that designated CTPs provide to firms and FMIs.
- A framework for testing the resilience of material services that CTPs provide to firms and FMIs using a range of tools, including but not limited to scenario testing, participation in sector-wide exercises, cyber resilience testing, and skilled persons reviews of CTPs.
These measures would complement, not replace, firms and FMIs’ existing responsibilities to manage risks from contracts with third parties. The supervisory authorities would only oversee the systemic risks arising from the services CTPs provide to firms and FMIs.
Comments on DP22/3 are open until 23rd December 2022.