Too Important to Fail: Regulating Critical Third Parties in the UK
How do lawmakers address the risk that regulated entities, such as banks, broker-dealers, investment managers and insurers (Firms), which increasingly rely on unregulated technology providers, stop operating if an unregulated provider fails?
This is one of the questions that the Financial Services and Markets Bill 2022 (the ‘Bill’), introduced in the UK Parliament on 20 July 2022 and currently under consideration, seeks to address.
Chapter 3C of the Bill seeks to extend various powers, which the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England have over Firms, to ‘critical third parties’ (CTPs).
A CTP is an entity that provides services:
- to Firms and other financial sector entities, such as electronic money and payment services institutions, and to financial market infrastructures, such as clearing houses, central securities depositaries and investment exchanges (FMIs); and
- that are critical, ie the failure of which, or disruption to which, could, in the Treasury’s opinion, ‘threaten the stability of, or confidence in, the UK financial system.’ (See ss 312L(1) and (2).)
Fleshing out the CTP test
The Bill identifies the following factors to which the Treasury must have regard when forming its opinion on whether services are critical and whether an entity providing those services should be designated as a CTP:
- the materiality of the services the third party provides to the delivery by Firms and FMIs of activities, services or operations that are essential to the economy of, or financial stability in, the UK—a materiality test; and
- the number and type of Firms and FMIs to which the third party provides services—a concentration test. (See s 312L(3).)
On the day of the Bill’s introduction, the PRA and FCA published a joint discussion paper, Operational resilience: Critical third parties to the UK financial sector (‘DP 3/22’). DP 3/22 fleshes out the materiality and concentration tests and adds a potential impact test, looking at the impact on the objectives of the PRA and FCA of a services failure or disruption:
- whether the services are ‘important business services’ for the Firm/FMI;
- the combined market share of the Firms/FMIs that use the provider; and
- survivability, ie options for the continuation/recovery of the provider.
Powers for the regulators, duties for CTPs
The Bill grants powers to the FCA and PRA that include powers to:
- make rules and give directions;
- gather information and undertake investigations;
- appoint ‘skilled persons’ to make reports; and
- issue public censures and take disciplinary measures, such as imposing financial penalties and prohibiting a critical third party from providing services.
Although the Bill is silent on the duties that will apply to CTPs, DP 3/22 seeks to address this with a focus on: minimum resilience standards, citing international standards such as the CPMI-IOSCO Principles for FMIs; the requirement for resilience testing; and alignment with the operational resilience frameworks for Firms and FMIs, such as those covered in the PRA’s Operational Resilience and the FCA’s Building operational resilience.
In their recent blog, Systemically Important Technology, Kevin Werbach and David Zaring highlight the risks posed by what they describe as ‘systemically important network institutions’, such as the dominant providers of cloud and communications infrastructures in the United States, and propose measures for regulating them. Although the Bill has a more limited sector focus than those which Werbach and Zaring discuss, the fundamental issue highlighted by Her Majesty’s Treasury in a policy statement on ‘Critical Third Parties to the Finance Sector’, which led to the Bill, is the same: unregulated institutions, such as cloud services providers and the providers of critical software, that provide critical services pose systemic risk. Where that systemic risk includes risks to the financial system, financial regulatory authorities need powers to address those risks.
The approach to this issue in the UK and the European Union (EU) has been to place duties on Firms to monitor critical service providers and to impose contractual risk-management obligations on those service providers (see, for example, the outsourcing provisions in Section 2 of the MiFID Organisational Regulation and ‘Outsourcing and third party risk management’ issued by the PRA). Regulatory control over third party providers of critical services is, therefore, indirect.
Some market participants had discussed the extension of stabilisation powers, under measures such as the Banking Act 2009 and the EU Recovery and Resolution Directive which allow public authorities to take action against a failing Firm, to critical service providers. These powers, which include the power to take Firms into public ownership, typically apply where a Firm has failed or is close to failure, ie is a gone concern, as was the case with some banks and other institutions that thought themselves ‘too big to fail’ during the 2007–9 financial crisis. They are designed to mitigate the effects of failure.
The Bill seeks instead to prevent or, at least, reduce the risk of failure: like those in the proposed EU Digital Operational Resilience Act (DORA), the powers under the Bill are focused on CTPs as going concerns and are designed to prevent failure. As such, CTPs will, in effect, be subject to the same jurisdiction as Firms, in that the PRA and FCA will have near-identical powers, with the corresponding public law duties, over CTPs as those they have over Firms. This is potentially significant because, in support of the PRA and FCA powers over CTPs, the Bill will impose duties of co-operation, the breach of which will be directly punishable by the PRA and FCA or via the courts.
The PRA and FCA have yet to give guidance on the governance requirements for CTPs, including rules governing the fitness and properness of directors. That said, the details of regulatory governance expectations typically appear in rules and guidance, which the Bill gives the PRA and FCA the power to make. The resilience standards do, however, point to material regulatory obligations for CTPs, although these may well mirror performance standards which the larger technology providers and their regulated customers already impose on them.
The Bill and DP 3/22 highlight the fact that, given the central and key position that CTPs have assumed within the financial system, they have become too important to fail. The policy choices have echoes of those designed to address the hazard of banks that believed they were ‘too big to fail’. With the rise of technology in finance, however, the locus of power, and of risk, is shifting away from the finance businesses themselves. The measures in the Bill and DP 3/22 reflect this shift.
Andrew Henderson is a Partner at Goodwin Procter LLP.