UK financial regulators have confirmed new rules to bolster the resilience of technology and other third parties providing key services to financial firms.
Financial firms and financial market infrastructures (FMIs), such as payment systems, have become increasingly reliant on the services of a small number of third-party providers, known as critical third parties. While these third parties can enhance competitiveness for the sector, disruption to or failure of one of them—such as a cyber-attack or power outage—could affect a large number of consumers and firms, and threaten the stability of the UK financial system.
That is why, in 2023, the government gave regulators new powers to oversee the resilience of the services these third parties provide to the sector that may cause risks to financial stability. Today, the Financial Conduct Authority, Bank of England and Prudential Regulation Authority have set out how they intend to use their new powers, having consulted widely and worked closely with industry to inform the design of the regime. The new rules align closely with international standards and similar regimes, like the EU’s Digital Operational Resilience Act.
The final rules, when implemented, will not only strengthen the resilience of the services that critical third parties provide to individual firms, but will improve the resilience of the UK financial services sector as a whole. By strengthening resilience and promoting market stability, this will ensure the UK is an attractive place to do business.
The government will decide which third parties should fall under the new regime based on advice from regulators.
The new rules do not reduce the responsibility of financial firms and FMIs for making sure they are resilient to operational shocks and for their management of third parties, in line with our existing outsourcing and operational resilience rules.
The regulators welcome engagement from industry over the coming months as the regime is implemented.