What are the existing powers for achieving operational resilience in financial services?
The UK financial regulators (i.e. the PRA and FCA) require Firms to be resilient to operational disruption when contracting with service providers. The PRA Supervisory Statement on 'Outsourcing and third-party risk management’ and the FCA Handbook set out requirements which Firms must follow, such as data security, business continuity and exit planning requirements. These obligations, quite critically, do not extend to the third party service providers who contract with these Firms (the “Third Parties”).
The Problem and the Proposed Solution
The UK proposal therefore highlights the concerns over Firms’ dependency on a limited number of critical Third Parties (over whom the financial regulators have no oversight) for key services within the financial services sector. “As of 2020, for example, over 65% of UK Firms used the same four cloud providers for cloud infrastructure services.” Therefore, the failure or disruption of a critical Third Party could have a systemic impact across the financial sector.
The proposal therefore aims to allow UK regulators to directly oversee services provided by critical Third Parties, to ensure the resilience of financial services, and reduce the risk of systemic disruption, and proposes to do this by enacting a primary legislation. The proposed regime also aims to be flexible and proportionate.
Key Aspects of the Proposal
Designating a Third Party as ‘Critical’
Third Parties will be designated as critical by HM Treasury via secondary legislation. HM Treasury would make the designation in accordance with a ‘designation framework’ which will be laid out in the primary legislation. HM Treasury would also consult the following parties when making such designation (and potentially other bodies):
The financial regulators (who may recommend that HM Treasury designate certain Third Parties as critical, based on their analysis of data and information from Firms);
Third Parties (who may make representations to HM Treasury, perhaps to avoid a designation as critical where they do not consider themselves to be such); and
Firms (who may make representations in relation to their own Third Parties, to HM Treasury).
In order to assess whether the resilience standards are being met, the financial regulators would be granted powers to:
- request information directly from critical Third Parties on their resilience and compliance with the legislation;
- commission an independent ‘skilled person’ to report on certain aspects of a critical Third Party’s services;
- appoint an investigator to investigate potential breaches;
- interview a representative of a critical Third Party and require the production of documents;
- enter a critical Third Party’s premises under warrant as part of an investigation.
The financial regulators would have the power to direct critical Third Parties to:
- take or refrain from taking specific actions;
- publicise failings; and/or
- prohibit a critical Third Party from providing services
- On 11 May 2022, the EU reached a provisional agreement on DORA, a piece of legislation which, similarly to the UK proposal, aims to regulate critical third parties which provide ICT-related services (such as cloud platforms or data analytics) to financial entities (see our Engage article for further details).
- The objective to strengthen the operational resilience of the financial sector against ICT-related disruptions and incidents is therefore a shared objective across the UK and EU, with the EU slightly ahead in its regulatory implementation.
- Comparisons can be drawn between the EU and UK proposed approaches for designating Third Parties as critical. DORA suggests certain test criteria, as set out in the legislation text, will need to be met, in order for a Third Party to be deemed as critical. The UK Treasury, on the other hand, has proposed a more discretionary approach as described in the section above titled Designating a Third Party as ‘Critical’. Both approaches may produce similar outcomes albeit by very different means.
Interaction with the UK NIS Regulations 2018
The question of how the proposed regulation will interact with the existing UK NIS Regulations; is certainly something to consider. The NIS Regulations currently regulates relevant digital service providers (“RDSPs”) (which would include cloud computing service providers) and aims to boost the resilience of network and information systems that are critical for the provision of digital services and other services in specified ‘relevant sectors’ such as the energy, transport and health sectors. Whilst this regulation is not overseen and enforced by the financial regulators in relation to financial services, but rather by the ICO more broadly, at this stage, we can determine that cloud computing service providers will now fall within the scope of regulation by the UK financial regulators, in addition to their existing current regulator; the ICO. Firms can as a result, take comfort in knowing that Third Parties will now be subject to oversight and enforcement by the same regulators by which they too are regulated. This may prove beneficial for the efficiency and understanding between parties, in contractual negotiations between Firms and Third Parties.
Next steps and Timeline
- The government intends to introduce the primary legislation for this proposed regime “when parliamentary time allows”. Given the near final stage of implementation of DORA in the EU, we might expect a prioritisation of the passing of this legislation but nevertheless expect that it might be a long haul.
- After such legislation is introduced, the financial regulators will publish a joint Discussion Paper which would set out how they propose to use their powers and would invite responses from the public.
- Once the legislation is passed, the financial regulators will likely publish a further Consultation Paper on their proposed rules, building on feedback to their Discussion Paper and based on their proposed, new statutory powers.
- Once the financial regulators have finalised their own rules, HM Treasury will expect to begin designating the first critical Third Parties under this new regime.
In the meantime, Firms should maintain compliance with the existing operational resilience requirements applicable to them whilst taking an active interest in these new proposals.
Authored by John Salmon and Bianca Okoye.