There has been a key development in the planned expansion of the UK’s financial services regulatory perimeter, in order to give UK regulators direct powers over designated third party providers critical to the financial services sector.
Following on from the 6 June 2022 HM Treasury announcement that UK government would be looking to directly regulate critical third party providers to the finance sector, new powers were proposed in the Financial Services and Markets Bill (FSM Bill) which was put before the UK Parliament on 20 July 2022. On 21 July 2022 the Bank of England, Financial Conduct Authority (FCA) and the Prudential Regulatory Authority (PRA) published a joint discussion paper on the supervision of critical third party providers to the financial services industry (Discussion Paper), setting out proposals and consulting on how the new powers in the FSM Bill should be exercised by the regulators.
The rationale behind the new powers ultimately arises from the significant moves within financial services away from self-owned-infrastructure and towards shared platforms, often with a small number of suppliers providing market participants with the same services to enable the operation of their business. Whilst financial services companies can be and are held accountable for their own operational resilience, the regulators believe that no single firm can adequately manage the systemic risks that these third parties may pose to multiple financial services providers and therefore to the supervisory authorities’ objectives. This includes risks to UK financial stability, market integrity and consumer protections.
In this article we have briefly summarised the key critical third party features of the FSM Bill and the Discussion Paper.
Financial Services and Markets Bill
The version of the FSM Bill published on 20 July proposes to give HM Treasury the ability to designate a service provider as a “critical third party”, in consultation with the FCA, PRA and Bank of England. The three regulators are also empowered by the bill to make rules imposing duties on critical third parties in connection with the provision of services to regulated financial services companies and to other service providers, as the regulators see fit to advance the objectives of the regulators.
Regulators will also be given a “power of direction”, allowing them to direct a critical third party to do or refrain from doing anything specified, again where necessary to advance their objectives, and powers to gather information in relation to critical third parties. This means the regulators could compel certain information and documents to be disclosed.
If a critical third party does not comply with these requirements, the regulators can prohibit the critical third party from entering into arrangements with, or continuing to provide services to, financial services companies or other relevant service providers. The regulators can also impose limitations or prohibitions on such a supply of services.
The purpose of the discussion paper is to set out how the supervisory authorities could use the proposed powers in the FSM Bill in relation to critical third parties to reduce the risk of systemic disruption to the financial services industry. The potential measures being consulted on fall into three broad “building blocks”:
- a framework for identifying potential critical third parties and recommending their designation to HM Treasury based on the draft designation criteria in the FSM Bill;
- minimum resilience standards that critical third parties could be required to meet in respect of certain services they provide to financial services firms; and
- resilience testing of critical third parties.
The discussion paper also outlines how the regulators would anticipate using their investigatory powers and powers of enforcement, and how the regulators envisage co-ordinating and engaging internationally and domestically.
Although these new requirements are driven in particular by concerns around the provision of critical services to the finance sector by a small number of ICT suppliers, and the Discussion Paper gives cloud service providers as an example of third parties who might be impacted, the paper emphasises that the measures are intended to be technology-neutral and based on an assessment of the risks posed to the regulators’ objectives. Services such as claims management and cash distribution are flagged as needing to be considered, though the Discussion Paper also states that critical third parties are “likely to comprise a very small percentage of the total number of third parties providing services” to financial services firms.
Organisations focused on providing data, artificial intelligence or machine learning models to the financial services industry should be aware that the Discussion Paper specifically identifies providers in those areas as potentially being critical third parties, as a result of the increasing use of data and models in trading systems. Quantum computing also gets a mention, as a resource which is likely to deepen the concentrated role of large technology companies as providers to the financial services sector due to relatively few companies being able offer access to such systems.
Non-UK based service providers should also be aware that the proposed measures are location agnostic, as they are focused on the services provided to UK financial services firms. The Discussion Paper does provide assurance that there is no intention to require service providers to localise entities, infrastructure or personnel in the UK, but international service providers could be designated as critical third parties and required to comply with any requirements the regulators impose.
Responses to the Discussion Paper are requested by Friday 23 December 2022.
The publication of the FSM Bill and the consultation set out in the Discussion Paper are key steps towards the expansion of the FCA, PRA and Bank of England regulatory perimeters to encompass certain third parties.
Service providers and regulated organisations may wish to engage with the Discussion Paper to ensure any concerns or comments can be taken account of as the regulators develop their proposed measures. The Discussion Paper envisages that there would be consultation on the specifics of those measures in the future, once the FSM Bill has received Royal Assent.
If you would like to discuss the implications to your business please contact the Deloitte Legal team.