UK financial regulators have announced new rules aimed at enhancing the resilience of technology and other third-party service providers that are essential to financial firms.
The decision comes as financial institutions increasingly depend on a limited number of technology suppliers. While these third parties can boost the competitiveness of the sector, the Financial Conduct Authority (FCA) warns that disruptions or failures—such as cyber-attacks or power outages—could impact numerous consumers and companies, thereby jeopardizing the stability of the UK financial system.
Under the new framework, critical third-party (CTP) technology providers will fall under the supervision of the FCA and the Bank of England. The regulators will work with HM Treasury to designate a third-party service provider as a CTP if it determines that failure or disruption in its services could threaten the stability of, or confidence in, the UK financial system.
Once designated, CTPs will not be entirely overseen by regulators; rather, only the specific services they provide to the financial sector will be subject to scrutiny.
Under the new regime, major technology firms will be required to offer regular assurances, share information, and notify financial regulators about their services. They will also need to engage in various forms of resilience testing and scenario-based exercises, some of which will involve collaboration with financial institutions and financial market infrastructures (FMIs). Additionally, they must report significant incidents such as cyber-attacks, natural disasters, and power outages.
The FCA stresses that these new regulations do not diminish the responsibility of financial firms and FMIs to ensure their own resilience to operational shocks and to manage their third-party relationships in accordance with existing outsourcing and operational resilience requirements.