The FCA has announced that new regulations to improve the security and resilience of Critical Third Parties to the UK’s financial sector will come into force on 1st January 2025.
In a new update, the FCA, BoE and PRA have set out the new rules, which, when implemented, will not only strengthen the resilience of the services that critical third parties provide to individual firms, but also improve the resilience of the UK financial services sector as a whole.
https://www.fca.org.uk/news/statements/new-rules-strengthen-resilience-uks-financial-sector
In response to the news, David Ferbrache, managing director at Beyond Blue, commented:
“The digital world has grown increasingly interconnected. Heavily regulated industries, such as the UK’s financial sector, have become critically dependent on many less-known and often unregulated suppliers to provide their services. However, this can create serious security and resilience concerns, especially when partners are not practicing good cyber hygiene, have privileged access into your network, or become so critical to operations that financial institutions cannot operate with them.
This is a challenge that the FCA, together with the PRA and the Bank of England, are looking to address through the Critical Third Parties (CTP) regulatory regime.
Operational resilience is the ability for financial firms to meet the vital needs of their customers even in the face of severe disruptions. When third parties—such as cloud service providers, IT management services, or communication platforms—fail, the ripple effect can be catastrophic for financial firms and, by extension, the broader financial ecosystem. The upcoming policy is working to tackle this challenge.
The policy stipulates that financial firms must have an understanding of the resilience of their third parties in the face of severe but plausible scenarios, while also ensuring they can remain resilient if those third parties are rendered unavailable.
While we expect the CTP regime will regulate the most important of those third parties, there will be many hundreds more suppliers on which the financial sector depends and which could also cause major disruption. This requires the financial sector to work together to tackle the resilience of those “significant” third parties.
The Cross Market Operational Resilience Group (CMORG) of the Bank of England brought financial institutions together to agree the next steps on how the community tackles that next tier of suppliers, making recommendations on how scenario testing of third parties is carried out, the types of evidence third parties should provide regarding their resilience to give confidence to financial firms, and how resilience obligations may be embedded in future contracts.
Operationalising these findings will be key to improving sector resilience and complements the roll-out of the CTP regime. Together, these initiatives will both be key to a resilient financial sector ecosystem – one that is increasingly complex and interdependent.”
