Alert
June 6, 2023

Too Important to Fail - Part 2: The Coming Regulation of Providers of Critical Technology Services to UK Financial Institutions

An earlier version of this Alert appeared on the Oxford Business Law Blog on 25 October 2022 as “Too Important to Fail: Regulating Critical Third Parties in the UK”.

How do lawmakers address the risk that regulated entities, such as banks, broker-dealers, investment managers, and insurers (Firms), with their increased reliance on unregulated technology providers, stop operating if an unregulated provider fails?

This is one of the questions the Financial Services and Markets Bill 2022 (the Bill), introduced in the UK Parliament on 20 July 2022 and still under consideration, seeks to address. The provisions of the Bill, which amends the Financial Services and Markets Act 2000, are expected to come into force in Q3/Q4 2023.

Chapter 3C of the Bill seeks to extend various powers the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England have over Firms to “critical third parties” (CTPs).

A CTP is an entity that provides services:

  • to authorised persons, i.e., FCA- or PRA-authorised Firms; other financial-sector entities, such as FCA-authorised electronic money and payment services institutions; and financial market infrastructures (FMIs), such as clearinghouses, central securities depositories, and investment exchanges, all of which are subject to FCA oversight
  • that are critical, i.e., the failure of which, or disruption to which, could, in the Treasury’s opinion, “threaten the stability of, or confidence in, the UK financial system”

Are Non-UK CTPs in Scope?

As noted above, the Bill defines a CTP as “a person who provides services to one or more authorised persons, relevant service providers or FMI entities”. It does not specify that the CTP must be established in the UK in order for it to be a CTP. Instead, it requires only that the Firm, other financial-sector entity, or FMI to which the CTP provides services be in the UK. This indicates that non-UK CTPs, including a CTP located in the United States or the European Union, are capable of being subject to the CTP regime.

The FCA Data Request of 14 March 2023, which asked third parties for information to help determine the costs of implementing the proposals in the PRA and FCA joint discussion paper Operational resilience: Critical third parties to the UK financial sector (discussed below), appears to confirm this. Its question “Do you provide services to the UK financial sector?” indicates that CTP designation will turn not on whether a CTP is located in the UK but on whether a recipient of its services is.

Unlike the EU Digital Operational Resilience Act (DORA), noted in our Alert Too Important To Fail? Further Light on When EU and Non-EU Technology Providers Will Become Subject To DORA (goodwinlaw.com), the Bill contains no provisions that would require a non-UK CTP to establish a subsidiary in the UK if it wanted to provide services to the UK financial sector.

Fleshing Out the CTP Test

The Bill identifies the following factors to which the Treasury must have regard when forming its opinion on whether services are critical and whether an entity providing those services should be designated as a CTP:

  • the materiality of the services the third party provides to the delivery by Firms and FMIs of activities, services, or operations that are essential to the economy of, or financial stability in, the UK—a materiality test
  • the number and type of Firms and FMIs to which the third party provides services—a concentration test

On the day of the Bill’s introduction, the PRA and FCA published a joint discussion paper, Operational resilience: Critical third parties to the UK financial sector (DP 3/22, noted above). DP 3/22 fleshes out the materiality and concentration tests and adds a potential impact test, looking at the impact on the objectives of the PRA and FCA of a services failure or disruption.

Materiality Indicators

  • the economic functions the Firms/FMIs receiving services perform
  • whether the provider supplies services critical to the UK economy/financial stability
  • whether the services are “important business services” for the Firm/FMI

Concentration Indicators

  • the number of Firms/FMIs that use the provider
  • the direct and indirect dependencies, e.g., through supply chains, from the service arrangements
  • the combined market share of the Firms/FMIs that use the provider

Potential Impact Indicators

  • aggregation risk, i.e., the cumulative impact of the provider’s failure
  • substitutability, i.e., the availability of another provider if the provider fails
  • survivability, i.e., options for the continuation/recovery of the provider

Powers for the Regulators, Duties for CTPs

Returning to the primary legislation, the Bill grants powers to the FCA and PRA that include powers to:

  • make rules and give directions
  • gather information and undertake investigations
  • appoint “skilled persons” to make reports
  • issue public censures and take disciplinary measures, such as imposing financial penalties and prohibiting a critical third party from providing services

Although the Bill is silent on the duties that will apply to CTPs, DP 3/22 seeks to address this with a focus on: minimum resilience standards, citing international standards such as the CPMI-IOSCO Principles for FMIs; a requirement for resilience testing; and alignment with the operational resilience frameworks for Firms and FMIs, such as those covered in the PRA’s Operational Resilience and the FCA’s Building operational resilience.

Comment

In their blog, Systemically Important Technology, Kevin Werbach and David Zaring highlight the risks posed by what they describe as “systemically important network institutions”, such as the dominant providers of cloud and communications infrastructures in the US, and propose measures for regulating them. Although the Bill has a more limited sector focus than those Werbach and Zaring discuss, the fundamental issue highlighted by Her Majesty’s Treasury in the policy statement “Critical Third Parties to the Finance Sector” that led to the Bill is the same: unregulated institutions, such as cloud services providers and the providers of critical software, that provide critical services pose systemic risk. Where that systemic risk includes risks to the financial system, financial regulatory authorities need powers to address those risks.

The approach to this issue in the UK and the EU has been to place duties on Firms to monitor critical service providers and impose contractual risk-management obligations on those service providers (see, for example, the outsourcing provisions in Section 2 of the MiFID Organisational Regulation and “Outsourcing and third party risk management”, issued by the UK PRA). Regulatory control over third-party providers of critical services is, therefore, indirect.

Some market participants had discussed the extension of stabilisation powers, under measures such as the Banking Act 2009 and the EU Recovery and Resolution Directive that allow public authorities to take action against a failing Firm, to critical service providers. These powers, which include the power to take Firms into public ownership, typically apply where a Firm has failed or is close to failure, i.e., is a gone concern, as was the case with some banks and other institutions that thought themselves “too big to fail” during the 2007–9 financial crisis. The powers are designed to mitigate the effects of failure.

The Bill seeks instead to prevent, or at least reduce the risk of, failure: like those in DORA, noted above, the powers under the Bill are focused on CTPs as going concerns and are designed to prevent failure. As such, CTPs will be subject to the same jurisdiction, in effect, as Firms, in that the PRA and FCA will have near-identical powers, with the corresponding public law duties, over CTPs as they have over Firms. This is potentially significant because, in support of the PRA and FCA powers over CTPs, the Bill will impose duties of cooperation, the breach of which will be directly punishable by the PRA and FCA or via the courts.

The PRA and FCA have yet to give guidance on the governance requirements for CTPs, including rules governing the fitness and properness of directors. That said, the details of regulatory governance expectations typically appear in rules and guidance the Bill gives the PRA and FCA the power to make. The resilience standards do, however, point to material regulatory obligations for CTPs, although these may well mirror performance standards that the larger technology providers and their regulated customers already impose on them.

The Bill and DP 3/22 highlight the fact that, given the central and key position that CTPs have assumed within the financial system, they have become too important to fail. The policy choices have echoes of those designed to address the hazard of banks that believed they were “too big to fail”. With the rise of technology in finance, however, the locus of power, and risk, is shifting away from the finance businesses themselves. The measures in the Bill and DP 3/22 reflect this shift.