The Time is Now: Operational Resilience and Critical Third Parties
December 17, 2024
Whilst the use of third parties across financial institutions has enabled organisations to improve customer experience, given them access to specialised expertise and allowed them to focus more on their core capabilities, this increasing reliance does not come without risk. From cyber attacks resulting in unauthorised access to sensitive data to power outages, these disruptions can be substantial and far reaching – threatening operational resilience, financial stability and consumer confidence.
In response to this, the Bank of England (“BoE”), the Prudential Regulation Authority (“PRA”) and the Financial Conduct Authority (“FCA”) have introduced a policy framework to address the risks posed by critical third parties (“CTPs”) to the UK financial system – the CTP Oversight Regime.
Effective 1 January 2025, the policy aims to strengthen operational resilience by addressing financial institutions’ reliance on external service providers, including technology platforms and cloud computing. Though the intention is in the right place, the policy’s implementation brings both opportunities and challenges that require careful navigation.
Key Features
A Hazy Picture: The Designation of CTPs
HM Treasury will designate certain third parties as CTPs based on their critical role in the financial system, granting regulators authority to enforce rules and ensure service continuity. However, the criteria for designation are not clear and lack full transparency, raising concerns that some critical entities could be excluded from scope — or that too many could be included, overwhelming both regulators and firms. A clear and balanced designation process is critical to ensure fairness and effectiveness.
Unintended Side Effects: Heightened Accountability and Risk Management
Financial firms remain responsible for managing risks from outsourcing arrangements and must maintain robust governance frameworks. CTPs themselves must adhere to enhanced standards, including incident management, regular testing and transparent reporting. These measures aim to improve accountability but may impose additional burdens – particularly on smaller firms with limited resources to meet the obligations. Larger institutions are better positioned to comply. As smaller firms exit the market or are unable to compete effectively, the sector becomes increasingly consolidated, reducing competition.
A reduction in competition can in turn lead to poorer customer experience.
The Rise of Red Tape: Increased Regulatory Oversight
Oversight will be jointly conducted by the BoE, the PRA and the FCA under a Memorandum of Understanding. Annual reviews will assess CTPs’ resilience and will outline improvement strategies. While this approach ensures consistency, it risks duplicative or overly complex regulatory processes, potentially slowing decision-making and creating inefficiencies. Effectiveness will depend on regulators’ ability to balance thorough oversight with timely responses to emerging risks.
The Race Against Time: A Short Implementation Period
CTPs will have one year after designation to achieve compliance. This timeline offers some flexibility, yet the extensive upgrades required for governance, resilience testing and operational improvements may be difficult to accomplish in such a short period. Smaller CTPs in particular may struggle with resource constraints, making it vital for regulators to provide clear guidance and support to ease the transition.
Creating Consistency Within Inconsistency: International Cooperation
The policy seeks alignment with global efforts to manage operational risks, promoting consistency across jurisdictions. However, variations in regulations, such as the EU’s Digital Operational Resilience Act (“DORA”), could complicate compliance for multinational firms. Navigating these differences may increase costs and operational challenges, potentially hindering cross-border collaboration.
The Opportunities and Challenges Ahead
For financial institutions, the policy provides an opportunity for enhanced operational resilience by reducing vulnerabilities and mitigating disruptions from third-party providers. Successful implementation could strengthen infrastructure and protect financial stability, but would the improved resilience outweigh the increased cost of compliance?
Enhanced reporting and testing requirements encourage greater clarity and transparency between financial firms and their service providers, potentially improving risk management. However, could meeting these standards strain smaller firms’ resources and create disparities in resilience across the industry?
For CTPs, compliance with stringent new requirements, including resilience testing and governance upgrades, may demand additional and significant investment. While larger CTPs may be able to absorb these costs, smaller providers could struggle – leading to higher service prices, market consolidation and a reduction in competition. Could this leave financial institutions overly reliant on a few large providers, ultimately adding to the problem that the regime is intending to solve?
Additionally, CTPs must address not only their client firms’ needs but also their broader impact on financial stability. By focusing regulatory efforts on a limited group of CTPs, could the regime inadvertently increase systemic risk and concentrate reliance on just a few large providers?
What Next?
As with any upcoming change, proactive preparation is key. For the CTP Oversight Regime, these preparations should continue to reinforce firms’ existing implementation of requirements and guidance on operational resilience and outsourcing.1 Key strategies to explore include:
- Enhance Oversight: Establish clear accountability for managing third-party risks at senior management levels and review policies.
- Map Dependencies: Identify key third-party providers, assess their importance to operations and be prepared to stress test them.
- Monitor Continuously: Implement real-time monitoring systems to track third-party performance and strengthen contracts to cover incident management, resilience testing and regulatory compliance.
- Diversify Providers: Review whether there is an overreliance on a single third party and mitigate this risk by diversifying service providers where possible.
- Develop Plans: Create clear protocols for managing disruptions involving CTPs, and practice scenarios to test and improve response plans.
- Engage Early: Maintain open communication with CTPs and regulators to clarify expectations, and ensure compliance by aligning on testing, reporting and resilience efforts.
- Budget for Compliance: Set aside resources for governance updates, resilience testing and other regulatory requirements, and ensure insurance policies cover risks related to third-party disruptions.
By strengthening governance, improving risk management and collaborating with both regulators and service providers, firms can ensure compliance and enhance resilience. These steps will position them to continue to meet requirements while safeguarding their operations against third-party risks.
The CTP Oversight Regime cannot be looked at in isolation. Divergent regulatory frameworks, such as the EU’s DORA, could complicate compliance for firms operating across borders. Without greater harmonisation, multinational institutions may face duplicative or conflicting requirements, increasing operational inefficiency and raising costs.
For the framework to succeed, regulators must play their part in ensuring transparency and provide support to impacted firms. Collaboration between financial institutions, CTPs and regulators will be essential to balancing resilience with competition and innovation.
1: Further information on requirements can be found here:
https://www.fticonsulting.com/insights/articles/fca-operational-resilience-requirements-fortifying-financial-services
https://www.fticonsulting.com/insights/articles/operational-resilience-are-you-ready-seizing-opportunities