UK Banking Regulation Over Critical Third Parties: Fit for Purpose or Regulatory Overreach?
Third-party providers are integral to financial services, aiding firms in digital transformation, innovation, and enhancing technology infrastructure resilience. The UK regulators—Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA)—have long been aware of firms' dependence on these providers. After notable IT failures like TSB Bank’s 2018 incident, these authorities launched inquiries into the systemic risks posed by third parties and into what supervisory measures could be implemented to prevent such disruptions. The result is direct supervision by the relevant regulator, whether the FCA, the PRA or the Bank of England, over so-called critical third parties under the recently enacted Financial Services and Markets Act 2023 (FSM Act), which received royal assent on 29 June 2023.
The FSM Act introduces sweeping changes to financial regulation, among them sustainability disclosure requirements and the appointment of the Complaints Commissioner, but the designation of critical third parties (CTPs) is easily one of its most consequential parts, granting power to regulate an entirely new category of parties—those deemed critical by HM Treasury when providing services to financial firms and market infrastructure. A joint discussion paper published by the PRA and the FCA, Operational resilience: Critical third parties to the UK financial sector, discusses the materiality and concentration tests, as well as a potential impact test, that may be considered in the designation of a CTP.
This blog post examines whether the UK CTP regime is fit for purpose in directly regulating or supervising CTPs, or if it is a case of regulatory overreach—especially considering that the services that designated CTPs provide may not be specific to the financial services industry.
Is the UK CTP Regime Fit for Purpose?
Following various reports and consultations, HM Treasury and regulators issued proposals in 2022 concerning the regulation of CTPs. The rationale for regulating CTPs centered around mitigating financial instability, market confidence, and consumer harm due to reliance on a limited number of large cloud providers, including Amazon Web Services (AWS) and Google Cloud.
A. Risks of Engaging CTPs
Supervisory authorities have identified three main risks linked to CTPs. First, financial instability due to potential systemic disruptions, particularly when 65% of firms rely on four cloud providers. Second, the potential damage to market confidence if such disruptions occur. Finally, frequent interruptions in CTP services could lead to significant consumer harm.
The broad interpretation of ‘disruption’ covers any service interruption, extending its scope to cover essential services firms depend on. Disruptions in providers like Google Cloud or AWS could threaten the UK's financial stability, affecting not just individual firms but also the broader economy.
B. Statutory Framework Under the FSM Act
The FSM Act introduces a statutory framework targeting systemic risks posed by CTPs. Its measures include identifying critical third parties and enforcing resilience standards to minimize disruption.
1. Designation of CTPs
In March 2024, HM Treasury issued Critical Third Parties: Approach to Designation, setting out an indicative process for designation. It starts with an expectation of receiving recommendations from the financial regulators, followed by receipt of formal representations from the prospective CTP. It concludes with HM Treasury considering the evidence and representations, then making a final designation decision and, where the decision is to designate, making and publishing the Designation Regulations.
CTPs will be designated based on their potential systemic impact on financial stability. This process involves two assessments: materiality, evaluating how critical the services are, and concentration, considering the number of firms the provider serves. A major point of contention is that providers offering the same services may be treated differently based on their client base, raising questions of fairness and constitutionality. Once classified as a CTP, the provider becomes subject to direct regulation by the financial regulators. This is a significant shift, as many CTPs, unlike traditional financial firms, have no prior experience dealing with financial regulators, making compliance burdensome.
2. Resilience Standards and Testing
CTPs will be required to comply with resilience standards and conduct regular resilience testing. This involves mapping the services they provide, identifying risks, implementing communication plans, and developing continuity playbooks. They must also undergo independent investigations and audits, producing reports for regulators.
The overarching goal is to mitigate systemic risks to the financial system, but it remains unclear how the proposed standards would achieve this. The broad powers granted to supervisory authorities to obtain information, enforce action, or even prohibit CTPs from providing services seem disproportionate and may lead to unnecessary delays and disruptions.
Moreover, firms must still conduct due diligence on third parties and maintain business continuity plans, as required under existing frameworks like the operational resilience framework. This raises questions about whether direct regulation of CTPs introduces redundant oversight, especially when firms already have similar requirements in place.
3. Information-gathering and Investigations; Power of Direction and Censure
A CTP will be subject to the relevant financial regulator’s power to direct it to do, or refrain from doing, anything that appears to the regulator necessary or expedient for advancing its objectives, as well as to the regulator’s information-gathering and investigation powers. The information-gathering powers also extend to any person connected with a CTP. In terms of enforcement, the regulator may censure the CTP or impose disciplinary measures ranging from subjecting it to conditions or limitations when providing services to FMI entities to prohibiting it from providing those services altogether.
Rationale for Financial Regulation Over Firms vs CTPs
Financial instability and consumer protection are common justifications for banking regulation. However, applying these to CTPs is not straightforward.
A. Financial Instability as a Justification for Regulation
The financial regulators argue that regulating CTPs is essential for maintaining financial stability, echoing the principles behind banking regulation. However, there's little evidence to support the claim that disruptions in CTP services would trigger the kind of systemic failures seen in traditional banking crises. With firms already required to maintain business continuity and operational resilience measures, the necessity of direct CTP regulation remains questionable.
Banking regulation is designed to prevent market failures that could lead to economic collapse. In contrast, the disruption of CTP services, while inconvenient, is unlikely to result in the same level of economic harm. The existing operational resilience framework already addresses many of the risks posed by CTP disruptions, making additional regulation seem excessive.
B. Information Asymmetry and Moral Hazard
HM Treasury justifies regulating CTPs by citing information asymmetry between firms and third parties, which could prevent firms from ensuring operational resilience. While it's true that outsourcing relationships can create information gaps, this issue is already addressed through contractual arrangements, due diligence, and the operational resilience framework.
The analogy between financial regulation and CTP regulation is flawed. CTPs are not financial agents and do not engage in risky behavior that could endanger the financial system. The additional regulatory burdens proposed could drive CTPs out of the market, reducing competition and innovation.
An Alternative Regulatory Approach to CTPs
A more effective regulatory approach might involve adopting a global framework for CTP regulation, as suggested by the Basel Committee on Banking Supervision. A principles-based, flexible approach that emphasizes operational resilience, business continuity, and risk management would be more appropriate given the scale and complexity of CTP services.
First, there should be a clear delineation between the roles of different regulators, with the PRA taking the lead on macro-prudential risks and the FCA overseeing micro-prudential risks. This would streamline regulatory oversight and reduce the risk of market exit by CTPs.
Second, a global regulatory approach would better address the international nature of CTP services. Cloud providers like AWS and Google operate globally, and their compliance with divergent national regulations could lead them to withdraw from certain markets. By coordinating international regulation under bodies like the Basel Committee, the UK can ensure its financial system remains resilient without stifling competition or innovation.
Final Note
The CTP regime in the FSM Act seeks to mitigate systemic risks but introduces unnecessary regulatory burdens on third-party providers. Existing frameworks like the operational resilience framework already address many of the concerns raised by regulators. A more flexible, globally coordinated approach could better balance financial stability with market innovation and competition.
Arvin Kristopher A. Razon is a Dual-Qualified Solicitor (England and Wales and the Philippines) and a Data Protection and Compliance Manager at Thought Machine Group Limited.