Brian Sims
Editor
On 12 November, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority released Policy Statement PS16/24 establishing the final rules for operational resilience of critical third parties in the UK’s financial sector.
This document reflects feedback received on Consultation Paper CP26/23, incorporating industry feedback and detailing the regulators’ final approach to strengthening resilience requirements for critical third parties.
Overall, the consultation feedback received was supportive, although it varied between respondents. While firms were keen to see greater accountability and information sharing, critical third parties looked to minimise the costs of compliance by relying on existing mechanisms.
Changes introduced
As a result, changes have been made. These include incorporating additional guidance on the approach to identifying potential critical third parties and recommending them for designation. A ‘critical third party’ is now more precisely defined as an entity whose failure or disruption could significantly impact the stability of the UK’s financial system.
Critical third parties are now allowed to use existing documented incident management policies and procedures instead of developing a bespoke ‘financial sector incident management playbook’ for UK firm customers if the regulators’ rules are met.
Other changes include clearer guidelines on incident management, such as specific reporting timelines and types of reportable incidents, as well as stronger requirements for information sharing to enhance transparency.
There is also an increased emphasis on governance, requiring critical third parties to establish more robust frameworks for managing operational risks.
Supply chain risks
Additionally, the policy includes more proportionate regulations for managing supply chain risks. Critical third parties must continue identifying and managing these risks, but with fewer specific requirements.
Some feedback was not incorporated into the final policy, such as the suggestion to align the definition of ‘relevant incident’ with the European Union’s DORA definition of ICT-related incidents. The regulators felt that, while some critical third parties’ operational incidents may lead to ICT-related incidents under DORA, alignment was not possible because DORA is focused on European Union financial entities, not third party suppliers, and critical third parties may also need to report non-ICT-related incidents.
Practitioners may encounter some overlaps between global operational resilience regulations, with some firms finding themselves accountable to several sets of reporting legislation in the same timeframe. However, regulators state that they have designed the oversight regime for critical third parties to be as ‘interoperable as reasonably practicable’ with similar frameworks.
Important step forward
James Lodge, leader of the Business Continuity Institute’s Operational Resilience Special Interest Group, said: “The publication of PS16/24 represents an important step forward in managing systemic risk from critical third parties in the UK’s financial sector. The regulators have struck a pragmatic balance between strengthening operational resilience and ensuring proportionate implementation.”
Lodge added: “While there are significant implementation challenges ahead, this framework provides much-needed clarity on how concentration risk and third party dependencies will be overseen. The focus must now be on effective collaboration between critical third parties, financial institutions and regulators to deliver these enhanced resilience measures.”
The final rules for critical third parties will come into effect on 1 January 2025. Critical third parties have 12 months to achieve compliance following their designation by His Majesty’s Treasury. While they may not reach full compliance within this time period, they’re expected to show continuous improvement over time.