Critical Third-Party Resilience Regulation

March 13, 2025

UK regulators finalise new rules, broadening the Operational Resilience scope to critical third parties to the UK financial services sector.

On 12 November 2024, the Bank of England (BoE), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) jointly issued a supervisory statement, policy statement, and associated documents, setting out their final regulatory oversight regime for the Operational Resilience of critical third parties (CTPs).

The purpose of the new regulatory rules is to manage potential risks to the stability of, or confidence in, the UK financial system that may arise due to disruption to the services that a CTP provides to financial services (FS) firms and/or financial market infrastructures (FMIs). The regulations define a systemic third-party service as a “service (wherever carried out) provided by a CTP to one or more firms, a failure in, or disruption to, the provision of which (either individually or, where more than one service is provided, taken together) could threaten the stability of, or confidence in, the UK financial system.”

Features of the New CTP Regulations

  • Designation: While only Her Majesty’s Treasury (HMT) can designate a CTP, the regulators can recommend to HMT which third parties they consider meet the statutory test for designation. The list of the CTPs will be continually reviewed and updated to monitor for any third parties that may satisfy the statutory test in the future, as well as identify any suppliers where the CTP designation should be removed.
  • Granular Resource Mapping Approach: A more granular set of mapping requirements has been outlined for CTPs. The critical processes and underlying assets across the five pillars (technology, data, third parties, people, and facilities) will need to be mapped; however, consideration must also be given to energy suppliers and public communications operators. This will need to be completed within 12 months of designation. This is a shorter timeframe for completion and beyond the mapping requirements set out in the FS Operational Resilience regulations.
  • Enhanced Risk Processes: CTPs will need to establish/enhance their current risk processes so that there is a comprehensive and well-documented risk management system to monitor and address risks on an ongoing basis. Specific risk pillars include third party, cyber, technology, data, insider, facilities, energy supply, and natural disasters.
  • Focus on Supply Chain Resilience: CTPs will need to have a greater understanding of their extended supply chain (including key nth-party providers) and have the ability to identify and manage risks to the extended supply chain. Additionally, there must be appropriate measures to respond to a termination of any of its systemic services. This includes orderly termination and the return of assets to the customer.
  • Incident Management Playbook Development and Testing: CTPs will need to develop incident management playbooks for each of their systemic services which clearly articulate how the CTP will respond to and recover from incidents within the maximum tolerance for disruption for each systemic service. These playbooks will need to be tested in collaborative incident management playbook exercises with a representative sample of the customer firms.
  • Increased External Incident Reporting: An increased level of incident reporting will be required by CTPs. Firms in scope must be able to identify, monitor, and report on material incidents impacting systemic services in an accurate, consistent, and timely manner, including specific requirements for both interim and final incident reports.
  • Independent/Board-Level Assessments: An interim self-assessment must be developed by CTPs within the first six months of designation. Following that, ongoing annual assessments must be developed outlining the resilience activities by the CTP’s board and/or supervisory authorities. These assessments should also be shared with service recipients (i.e. regulated firms).

What does this mean for the third parties supporting the FS industry?

  • This policy is an attempt to introduce some element of alignment in resilience standards between regulated firms and their CTPs. CTPs will now need to meet resilience and risk management standards equivalent to the FS industry, and prepare for regulatory scrutiny.
  • Given designation may change, there is likely to be a ‘ripple’ effect across the sectors in which third parties designated as critical operate (e.g. cloud services, data services, etc.). Other third parties may look to proactively implement and embed some of these requirements within their own organisation.
  • There is a clear focus through this policy on introducing enhanced risk management standards more broadly across the CTP’s organisation. This suggests that regulatory authorities have some fundamental concerns over the way non-regulated CTPs currently manage and monitor broader operational risk.
  • A natural extension of these resilience standards across the broader supply chain is expected over time, thereby further enhancing the resilience of the extended supply chain.
  • The level of detail and transparency of information shared between CTPs and regulated firms through the self-assessment will need to become clearer, along with what the long-term impact is (if any) for both service pricing and performance-related pricing.

Tooling

The granular resource mapping requirements of PS16/24 – mapping services, critical processes, and the underlying assets across technology, data, third parties, people, and facilities – amount to a complex data mapping exercise that requires a detailed understanding of the many-to-many relationships that exist across an enterprise. Leveraging tooling to support this exercise ensures that mapping is delivered robustly and can be relied upon when it matters most. Tooling enables firms to accurately map the risks and controls for each asset to the processes and services that they support, highlighting where critical dependencies and vulnerabilities exist and which remedial measures are required. It provides a contextualised, business-informed view of those assets and the risks they pose to the firm, and enhances the ability to allocate resilience investment to the assets that need it most.

This business-informed understanding of risk applies across risk domains – third party, cyber, technology, data, insider, facilities, energy supply, and natural disasters. By contextualising data from each of those risk domains using tooling, specialist teams can collaborate more effectively because they share common metrics and objectives: reducing risk and building resilience across the firm’s most critical services and products. It articulates risk in terms that senior management can comprehend and, armed with the correct tooling, enables leaders to make defendable, data-informed decisions that stand up to scrutiny when it matters most.

When an incident materialises, quick access to quality data is vital – and so is the ability to interrogate it, exploit it, and surface insights about the firm that will enable it to recover with minimal impact. The correct tooling enables firms to act dynamically during incidents as they unfold, to equip the right people with the data they need to make informed decisions, and to automate burdensome, time-consuming activities so practitioners can focus on strategic, forward-looking activities that will protect the firm, its customers, and the wider market.

By leveraging the power of software, resilience leaders can identify vulnerabilities proactively, mitigate emerging threats early, mitigate risk before it materialises, and stay ahead of incidents as they unfold. The correct tooling elevates the profile of the resilience function and puts it at the centre of organisational decision-making. Tooling should provide a robust data model that acts as the nerve centre of the enterprise – informing firms where they may break, showing which vulnerabilities need prioritisation, and which remedial measures will build resilience where it matters most.

For more information, please get in contact with Georgia Hunter (KPMG) or Tom Henshaw (Fusion).