In November 2024, the Bank of England, in collaboration with the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), released PS16/24 – Operational resilience: Critical third parties to the UK financial sector. This new policy sets forth operational resilience requirements for entities deemed critical to the stability of the UK financial system, similar to initiatives like the EU’s Digital Operational Resilience Act (DORA), which also emphasises resilience for critical service providers in financial markets.
For service delivery, Critical Third Parties may need to implement more rigorous testing, monitoring, and reporting processes to meet resilience standards. These requirements could influence how quickly and flexibly they can adapt their services to clients’ needs, potentially prioritising compliance over customisability and speed. Additionally, the costs associated with meeting these resilience requirements—such as investments in cybersecurity, scenario testing, and governance enhancements—may be passed on to clients. For regulated financial institutions, this could mean higher service fees and increased scrutiny of their providers’ compliance frameworks, prompting a more strategic approach to third-party risk management.
This article delves into the key compliance requirements, expected readiness gaps, and types of organisations most likely to be affected by the new regulations, highlighting the broader implications for service delivery and cost in the financial sector.
Scope and Objectives of the PS16/24 Policy
The policy targets third-party service providers that deliver essential services to UK financial firms. These Critical Third Parties (CTPs) are defined as entities whose operational disruption could have a systemic impact on the financial sector’s stability. Designated by HM Treasury, these entities will now be subject to new regulations to ensure they uphold stringent operational resilience standards. The aim is to protect the financial sector from vulnerabilities caused by external dependencies on essential service providers.
The regulations are also relevant to financial services firms and financial market infrastructure entities (FMIs), which are expected to manage their third-party risks proactively. By ensuring resilience within CTPs and their client firms, the policy seeks to reinforce the entire ecosystem of financial stability and confidence.
PS16/24 primarily focuses on non-regulated third-party service providers that offer essential services to regulated financial institutions. These non-regulated entities are now required to meet specific operational resilience standards due to their significant role in the financial sector. Here’s how the policy applies to different types of organisations:
Non-Regulated Third Parties: The policy is directed at non-regulated third-party providers that do not traditionally fall under financial sector regulations but whose services are critical to the functioning of regulated financial institutions. Examples include cloud service providers, data centres, and payment processors. By designating certain third parties as CTPs, the Bank of England and other regulatory bodies aim to ensure that these essential service providers meet operational resilience standards.
Regulated Financial Firms and FMIs: While the policy does not directly impose new requirements on regulated financial firms and financial market infrastructures (FMIs), it does impact them indirectly. Financial institutions that rely on CTPs must ensure that their third-party risk management aligns with this policy. These institutions are expected to manage the risks associated with critical third-party dependencies as part of their own operational resilience frameworks.
Entities will be designated as CTPs by HM Treasury based on factors such as service materiality and impact on the financial sector, and once designated, they must meet the outlined operational resilience standards.
Is Your Organisation Prepared for the New Operational Resilience Standards?
At Aevitium LTD, we guide financial services firms and their suppliers through the complexities of regulatory compliance and operational resilience. From building robust risk management frameworks to implementing scenario testing and incident response plans, our experts are here to help you navigate the demands of the Bank of England’s PS16/24 policy and strengthen your resilience against systemic risks.
Contact us today to enhance your organisation’s resilience, ensure compliance, and protect your critical operations in an increasingly regulated landscape.
Impact on Services Offered by Regulated Firms
The policy doesn’t only affect traditional third-party service providers but also has implications for certain services offered by regulated firms, like BlackRock's Aladdin, if these services are not directly regulated but are critical to financial stability. Even though these services are provided by regulated entities, they could be designated as Critical Third Parties (CTPs) if their disruption poses systemic risks.
Implications for Such Services:
CTP Designation: Services critical to multiple financial institutions, like Aladdin, could be classified as CTPs, making them subject to the policy's operational resilience requirements.
Resilience Measures: If designated, providers must meet resilience standards, including scenario testing, governance, and IT security improvements.
Likely Sectors and Services:
FinTech and Risk Platforms (e.g., Aladdin, Charles River): Widely used for portfolio and risk management.
Data Analytics and Intelligence (e.g., S&P Global, Refinitiv): Provides essential financial data and analysis.
Outsourced Trading & Operations (e.g., State Street Alpha): Key for transaction and operational support.
Compliance Software (e.g., NICE Actimize): Critical for regulatory processes but not always directly regulated.
These services may soon need to meet operational resilience standards under the new CTP designation due to their essential role in the financial ecosystem.
Key Compliance Requirements for Critical Third Parties
These requirements apply specifically to third-party providers designated as CTPs and set the foundational standards for operational resilience. Financial institutions relying on these services should also be aware of these requirements to understand CTP obligations and potential impacts on service delivery.
Designation and Scope: Only entities formally designated by HM Treasury as CTPs fall within the policy’s scope. The selection process considers the materiality of the services they provide and their impact on the financial sector.
As of November 13, 2024, HM Treasury has not yet published a list of designated Critical Third Parties (CTPs) for the UK financial services sector. The entire process is expected to take approximately six months from the initial recommendation to the final designation. However, specific timelines for when HM Treasury will publish the list of designated CTPs have not been announced. You should monitor official communications from HM Treasury and the financial regulators for updates on the designation process and the publication of the CTP list.
Fundamental Rules: CTPs must adhere to a series of high-level rules, known as the Fundamental Rules, which mandate:
Conducting Business with Integrity: CTPs must operate with a strong ethical foundation, ensuring honesty and trustworthiness in all business practices. This includes avoiding conflicts of interest, preventing misconduct, and adhering to high ethical standards, fostering reliability and resilience in services provided to financial institutions.
Acting with Due Skill, Care, and Diligence: CTPs are required to perform their duties skilfully and with an acute awareness of potential risks. This entails making informed decisions, maintaining expertise, and continuously managing and updating systems and protocols to safeguard service delivery.
Ensuring Organised and Effective Control of Affairs: CTPs should have well-defined governance structures and internal controls to manage operations effectively. This includes clear policies, accountability structures, and processes that minimise risk and ensure continuity, even during disruptions.
Maintaining Adequate Financial Resources: To meet resilience standards, CTPs must maintain sufficient financial resources. This ensures they can address operational issues, withstand disruptions, and invest in necessary upgrades or resilience improvements without risking service reliability.
Following Market Conduct Standards: CTPs must comply with established market rules and practices, aligning with regulatory expectations and best practices to maintain a fair and efficient market environment. This includes adhering to transparency principles, honesty, and respect for all market participants.
Dealing Transparently with Regulators: CTPs are expected to engage openly with regulatory authorities, providing timely and accurate information. This transparency is crucial for enabling regulators to monitor and support resilience efforts effectively.
Appropriately Disclosing Critical Information to Regulators: CTPs must inform regulators of any incidents or information that could affect the financial system’s stability. This includes timely disclosures of significant operational issues, cybersecurity threats, or service disruptions that may impact the financial institutions relying on their services.
Operational Risk and Resilience Requirements: CTPs are expected to establish comprehensive frameworks to identify, assess, and manage risks. This includes creating risk registers, performing impact assessments, implementing and monitoring controls, and conducting regular scenario testing for potential disruptions.
Additionally, CTPs should have robust incident management and crisis response plans, backed by strong governance structures with senior accountability. Continuous improvement is essential, with CTPs expected to review and refine their resilience strategies by learning from incidents and industry developments. This proactive approach ensures CTPs can sustain their critical services to the financial sector, even under stress.
For further guidance, refer to our resource on Crisis Management and Response: Best Practices and Strategies to develop robust response frameworks that align with regulatory expectations.
Scenario Testing: Organisations in scope must conduct rigorous scenario testing to simulate severe but plausible disruption events, assess their impact, and ensure preparedness. For example, they should consider:
Cyberattack Simulation: Assess the organisation’s ability to prevent, respond, and recover from a cyberattack.
Data Centre Outage: Evaluate backup systems and response time in case of a physical data centre failure.
Third-Party Supplier Failure: Test continuity plans in case a key supplier is unavailable. To enhance scenario testing and preparedness, explore our guide on Business Continuity and Contingency Planning, which outlines proactive steps for maintaining continuity through potential disruptions.
Natural Disaster Impact: Simulate the effects of a severe event on physical locations and continuity protocols.
Pandemic or Workforce Disruption: Ensure readiness to operate with reduced staff or remote work.
System Malfunction or Software Failure: Assess resilience of IT and software systems essential for operations.
For real-world insights, see our article on Lessons from the CrowdStrike Windows Outage: How to Strengthen Your Incident Response Plan, which provides practical tips to enhance your response to service disruptions.
Incident Notification: CTPs are obligated to promptly inform regulators of any incidents that could materially affect their ability to provide services, facilitating a timely response to manage systemic risk. This requirement helps regulators assess systemic risk, but clients can benefit by establishing escalation protocols and setting expectations with CTPs for timely updates to manage potential impacts on their operations.
The incident notification requirement mandates that CTPs promptly inform regulators of any incidents that could impact service delivery. This early regulatory notification helps in assessing systemic risk. Clients, meanwhile, can benefit by establishing clear escalation protocols, setting expectations for updates, and integrating the CTP’s regulatory obligations into their contingency plans to enhance continuity and readiness during potential service interruptions.
To enhance preparedness, clients can establish clear escalation protocols, agree on update expectations, and integrate the CTP’s regulatory obligations into their contingency plans for better response coordination during disruptions. They should consider having an exit strategy in place. Learn more about developing this approach with our guide on How to Develop a Third-Party Vendor Exit Strategy.
Governance and Accountability: CTPs need to establish strong governance structures, clearly define roles and responsibilities, and ensure senior management is accountable for maintaining operational resilience.
Expected Gap Areas for Critical Third Parties
While CTPs are critical to the financial sector, adapting to these compliance requirements may reveal several gap areas:
Operational Risk Management Frameworks: Many CTPs may not currently possess comprehensive frameworks that align with the stringent regulatory standards for risk assessment, control, and management.
Scenario Testing and Incident Response: Some organisations may lack experience in conducting advanced scenario tests or have limited resources to meet the required testing intensity and frequency. In addition, to be effective, such scenario tests should be run jointly with the CTP's clients.
Governance and Accountability Structures: Clear governance structures with defined accountability—particularly at senior management levels—may be underdeveloped, leading to challenges in aligning management practices with resilience goals.
Technological and Cyber Resilience: CTPs may need to enhance their cybersecurity and IT resilience to prevent and respond to disruptions effectively, requiring additional investment and expertise.
Resource Allocation and Capacity: Smaller CTPs may lack the financial and human resources needed to comply with these requirements while continuing to serve their financial sector clients effectively. Effective resource allocation includes understanding exit triggers for third-party vendors. Our resource on Monitoring Triggers for Third-Party Vendor Exit provides insight into identifying and acting on these critical signals.
Regulatory and Compliance Awareness: Non-financial service providers that are new to these regulations might lack familiarity with the stringent requirements, necessitating further education and training to build a compliance-oriented culture.
Cross-Functional Collaboration: Organisations may face challenges in achieving cross-functional collaboration, with responsibilities for operational resilience often dispersed across departments, leading to siloed implementation efforts.
Organisations Likely to Be Captured Under the New Regulations
Given these challenges, it’s helpful to understand which types of organisations are most likely to be affected by this policy. Entities providing essential services that financial firms depend on are the most likely to be designated as CTPs. Below are some categories of organisations expected to fall within this scope:
Cloud Service Providers (CSPs): Major CSPs like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, which offer critical infrastructure, data storage, and processing capabilities for financial firms, are likely to be included due to their foundational role in data management and processing.
Payment Processors and Networks: Companies like Visa, Mastercard, and PayPal, as well as those involved in real-time payment systems and settlement services, are critical to transaction processing in the financial system and would likely be captured under this regulation.
Data and Analytics Providers: Providers such as Bloomberg, Refinitiv, and ICE Data Services, which supply crucial financial data and analytics, would likely be included due to their integral role in trading, investment, and risk management.
IT Service and Outsourcing Companies: Firms providing IT infrastructure and outsourcing, such as IBM and Accenture, are essential to maintaining operational continuity for financial institutions, making them likely CTP candidates.
Cybersecurity Firms: Providers that offer threat detection and incident response services are critical to securing financial institutions against cyber risks, which have broad implications for the financial sector’s stability.
Telecommunications Providers: Major telecom providers such as BT, Verizon, and AT&T ensure reliable communication networks essential for transaction processing and data exchange, making them likely to be designated as CTPs.
Regulatory and Compliance Technology Providers: Companies offering solutions for regulatory reporting, anti-money laundering (AML), and compliance are integral to the compliance obligations of financial firms.
Infrastructure Providers: Data centres and facilities management firms like Equinix and Digital Realty, which host vital digital infrastructure, are essential for operational continuity and resilience in the financial sector.
Conclusion
The Bank of England’s new policy on Critical Third Parties is a significant step toward reinforcing operational resilience within the financial sector. By designating certain third-party providers as CTPs and establishing rigorous compliance requirements, the policy addresses systemic vulnerabilities that could arise from dependencies on external service providers. However, achieving compliance may present challenges for many organisations, requiring substantial investments in risk management, governance, and cybersecurity.
Financial institutions and their service providers must now work closely to ensure resilience at all levels of their operations, with a shared goal of protecting the stability and confidence of the UK financial system.
Organisations expected to fall under this regulation should begin assessing their current resilience frameworks and identify any gaps or areas for improvement. Engaging with resilience experts or conducting a thorough risk assessment can be beneficial first steps toward compliance, ensuring preparedness to meet these new regulatory expectations.
For a deeper dive into the regulatory landscape, watch our Webinar Recap: Navigating the Intersection of Operational Resilience, Consumer Duty, and Regulatory Compliance to explore how these elements align under the new policy.
Frequently Asked Questions
1. What is the Bank of England’s PS16/24 policy on Critical Third Parties (CTPs)?
The PS16/24 policy establishes operational resilience requirements for third-party service providers that are critical to the UK financial sector’s stability. The goal is to ensure these entities can manage risks, maintain continuity during disruptions, and protect financial institutions relying on their services.
2. Who designates Critical Third Parties, and how is this done?
Critical Third Parties are designated by HM Treasury based on their potential impact on the financial sector. Factors include the materiality of the services provided and their systemic importance to financial stability.
3. Which types of organisations are most likely to be designated as Critical Third Parties?
Likely candidates for CTP designation include cloud service providers, payment processors, data and analytics providers, cybersecurity firms, telecommunications providers, and IT infrastructure companies. These entities provide essential services that financial firms rely on to operate securely and efficiently.
4. How could the PS16/24 policy affect the cost of services provided by CTPs?
To meet the new resilience standards, CTPs may need to invest in risk management, cybersecurity, and scenario testing, potentially increasing their operational costs. These costs could be passed on to clients in the form of higher service fees.
5. What are the key compliance requirements for Critical Third Parties under PS16/24?
The policy requires CTPs to implement strong governance, perform regular scenario testing, adhere to fundamental rules (such as conducting business with integrity), and report incidents to regulators promptly. These measures ensure that CTPs are prepared to manage operational risks effectively.
6. How does this policy affect financial institutions that rely on CTPs?
While the policy primarily targets non-regulated third-party providers, financial institutions must manage the risks associated with these CTPs as part of their own resilience planning. This includes ensuring that their third-party risk management aligns with the PS16/24 requirements.
7. What is scenario testing, and why is it important?
Scenario testing involves simulating severe but plausible events—such as cyberattacks, natural disasters, or system malfunctions—to assess an organisation’s ability to respond effectively. It’s essential for identifying vulnerabilities and preparing CTPs to manage real disruptions without impacting their clients.
8. What benefits do financial institutions gain from the incident notification requirement?
The incident notification requirement mandates that CTPs inform regulators and, by extension, clients of significant incidents. This early notification allows financial institutions to activate contingency plans, anticipate service impacts, and minimise potential disruptions.
9. How can CTP clients maximise the benefits of the PS16/24 requirements?
Clients can establish clear communication protocols, set expectations with CTPs for timely updates, and integrate CTP resilience requirements into their contingency plans. This enhances client readiness and continuity during potential disruptions.