Shoosmiths LLP
  March 19, 2024 - Milton Keynes, England

Bank of England considers industry feedback on proposed regulation for Critical Third Parties
  by Shoosmiths LLP

Those who have been following it will know that the Bank of England / Prudential Regulation Authority’s consultation on proposed new rules for Critical Third Party suppliers (CTPs) closed on 15th March. 

The rules are designed to address concerns over “concentration risk” (in effect, too many FS firms  / institutions having their critical service and IT eggs in too few supplier baskets) and the impact an outage with a CTP could have on  operational resilience across the financial system. In an era where “cloud first” is the mantra of most FS IT departments, the threat of something going seriously wrong at one of the large vendors or hyperscalers is seen as potentially existential. 

The rules represent a bold stretching of the BoE / PRA’s regulatory perimeter. For the first time, non-FS businesses who supply important (enough) services to the industry will come under the direct supervision of the regulators. Obviously there are limits to what is being proposed, and the rules relate mainly to the provision of information by CTPs to the regulator to show that they are resilient and secure. It is a punchy move nonetheless. 

So far, regulated FS businesses have been tasked with making sure that their own operations (including when they are outsourced) are sufficiently resilient. But the buck stops with them – which means that, when dealing with relevant suppliers, they are possibly only as good as the due diligence information, audit rights, and contractual assurances etc which the supplier is willing to give. Cue years of debates in contract negotiations about what is “market” vs what is a “regulatory requirement”!

The new rules at least might provide an overlay to that where, before they can supply to the industry, CTPs at least have to show the regulator that they are stable enough. 

I’m sure that the consultation responses, when they are shared, will show an obvious spectrum of opinion ranging from resistance on the part of suppliers, to support from institutions. For example, exactly how CTPs are identified is a tricky subject  - the proposal being that HM Treasury decides after recommendations.  However, it may be that some vendors can see it as an opportunity to gain approval / endorsement and use the fact that they are compliant as a differentiator.

Based on feedback so far, I would expect to see some interesting questions and themes coming out of the consultation responses including:

We will have to wait and see how those and any other relevant points are addressed by the regulators in response to the consultation.

 

CP26/23 - Operational resilience: Critical third parties to the UK financial sector




Read full article at: https://www.shoosmiths.com/insights/comment/bank-of-england-considers-industry-feedback-on-proposed-regulation-for-critical-third-parties