New BoE Paper on Critical Third Parties

Bank of England paper on CTPs

Introduction

On 7th December 2023, the Bank of England published its follow-up to July 2022’s Discussion Paper (DP3/22) on proposed regulatory oversight of Critical Third Parties (CTPs).

The Consultation Paper (CP 26/23) outlines the Bank’s response to questions, insights and challenges from a range of Third Party providers to the UK Financial Services Sector.

The Paper states proposed requirements to ensure the appropriate management of potential risks posed by CTPs to the “stability of, or confidence in, the UK financial system”.

The proposals outlined in the Consultation Paper will translate to new requirements for Critical Third Parties (CTPs) in FCA and PRA Rulebooks and a Supervisory Statement which articulates regulatory objectives and expectations on how CTPs should comply with the new requirements.

The proposals and requirements will be distilled into six proposed “CTP Fundamental Rules” which CTPs “would be required to comply with in respect of all the services that they provide to firms and FMIs”.

  • CTP Fundamental Rule 1:  A CTP must conduct its business with integrity.
  • CTP Fundamental Rule 2:  A CTP must conduct its business with due skill, care, and diligence.
  • CTP Fundamental Rule 3:  A CTP must act in a prudent manner.
  • CTP Fundamental Rule 4:  A CTP must have effective risk strategies and risk management systems.
  • CTP Fundamental Rule 5:  A CTP must organise and control its affairs responsibly and effectively.
  • CTP Fundamental Rule 6:  A CTP must deal with the regulators in an open and co-operative way and disclose to the regulators appropriately anything relating to the CTP of which they would reasonably expect notice.

Identifying Critical Third Parties
In several places, the Consultation Paper points out that no firms have yet been designated as Critical Third Parties and outlines several steps that both regulators and potential CTPs will take before any designation is reached.

However, the Paper lays out three factors which any potential CTPs will be assessed against.

  1. Materiality of the services provided, which may include the extent to which a potential CTP supports the delivery of a firm’s Important Business Services.
  2. Concentration of the services provided, noting that “the greater the share of the financial sector relying on a third party, the greater the risk to the UK financial system in the event of a failure in, or disruption to, the services that the third party provides”.
  3. Other factors, including substitutability, difficulty of migrating to a new provider, and how deeply the provider is embedded with firms and firms’ data across their resource pillars (people, suppliers, data, technology, facilities).

Resilience Requirements for Critical Third Parties
The Paper states that most respondents recognised the “increasing reliance on certain third parties” and support the introduction of “direct regulatory oversight” and a proportionate, principles-based framework for CTPs.

As part of that framework, there is support for Minimum Resilience Standards for the services that CTPs provide to firms, which should be drawn from existing regulatory requirements or standards.

Following the responses, the Bank of England has reworked the 8 Minimum Standards set out in July 2022’s Discussion Paper into a more robust set of 8 Minimum Standards.

1.    Governance

  • Establishing an approach (framework) which supports the CTP in preventing, responding to, adapting to, recovering from and learning from any event which causes disruption.
  • Designating clear roles and responsibilities for staff involved in the CTP’s “delivery of material services”.
  • Appointing someone with the skills, knowledge and authority to act as a central point of contact with the regulators.

2.    Risk Management

  • Developing a “sound risk management framework”, strategy and policy which supports the identification and monitoring of known and new threats and risks, together with processes and procedures which effectively manage those risks.
  • Updating the framework with lessons learned from live incidents and scenario testing.

3.    Dependency and Supply Chain Risk Management

  • Identify and oversee supply chain risks in material service delivery, and ensure that any sub-outsourcers understand the obligations of the CTP and support the CTP in meeting those obligations.
  • Perform appropriate due diligence on any providers who will support the CTP in material service delivery, and monitor those arrangements on an ongoing basis.
  • Include disruption to the supply chain in any scenario testing activity.

4.    Technology and Cyber Resilience

  • For any technology that supports, maintains or delivers a material service, the CTP must ensure it has appropriate operational resilience, cyber and technology risk capabilities and measures in place.
  • Those capabilities and measures should be tested regularly, with processes and measures updated according to lessons learned through testing.
  • The CTP must ensure timely reporting of information to support risk management activity and enable decision making.

5.    Change Management

  • Any changes to material service provision should be managed systematically through “implementing appropriate policies, procedures, and controls to ensure the resilience of any change to a material service”.
  • Any changes must be implemented with minimal risk of disruption to material services, and robust change-proving activity must have taken place before implementation. The Paper states that any change must be “appropriately risk-assessed, recorded, tested, verified, and approved”.

6.    Mapping

  • Within 12 months of being designated, the CTP must have in place mapping which identifies the resources and processes required to deliver a material service.
  • The mapping should be to a level of sufficient granularity to identify any threats or vulnerabilities to the process and should help the firm understand if the resources are “fit for purpose”.
  • The mapping should include the interconnections and interdependencies between resources and should consider the result of any resource being unavailable.

7.    Incident Management

  • The Bank of England proposes that CTPs must have in place appropriate Response and Recovery measures to support their ability to manage incidents which may have an adverse impact on material services.
  • The proposals state that CTPs should:
    1. Classify incidents based on potential impact and recovery time.
    2. Establish a Maximum Tolerable Period of Disruption (MTPD) for material services in advance of any incident occurring.
    3. Establish processes and procedures for recovering inside RTO and RPO thresholds, aligned where possible with firms’ Impact Tolerances.
    4. Create internal and external communications plans.
    5. Test response and recovery measures at least every 12 months and update them according to lessons learned.
    6. Create specific “Financial Sector Incident Management Playbooks” to “consider, plan, document, test, and regularly review how it would communicate with and support the regulators, and its firm and FMI customers (collectively and individually) during an incident affecting one or more of its material services”.

8.    Termination of Services

  • CTPs should establish appropriate measures (Exit Plans) to ensure that any termination of material services can be achieved in an effective, timely and orderly manner, with services transferred to another provider or to the firm itself where applicable.
  • In these events, the CTP must ensure that access to, and return of, assets is facilitated appropriately.

Next steps
The Paper goes on to outline other proposed requirements around information sharing, testing and self-assessment.

Responses to the Paper are requested by mid-March 2024 and we can expect that Supervisory Statements will be published at some point later in 2024, or early 2025.

It’s clear that proper oversight of Critical Third Parties is a priority for The Bank of England and its regulators, and the proposed requirements outline a proportionate yet robust approach.

It’s likely that potential CTPs and technology providers to UK Financial Services firms already have resilience programmes underway. We’ve seen third party providers respond to increased requirements and expectations from their customers regarding the resilience of the services they provide.

FourthLine are advising technology providers to UK Financial Services and reviewing their resilience capabilities. Many providers are aligning to the principles of FCA and PRA Operational Resilience regulation and are using that alignment to develop trust with their customers, treat resilience as a competitive advantage and win new business.

If you would like to discuss the Bank of England’s Consultation Paper further, or discuss how FourthLine could support your resilience objectives, please get in touch.
December 10, 2023
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.