British banking regulators are proposing increased scrutiny of financial firms’ reliance on third-party technology companies.
The Bank of England, Prudential Regulation Authority, and Financial Conduct Authority are seeking to enhance oversight and bolster the resilience of services provided by critical third parties (CTPs) to UK regulated financial services firms and financial market infrastructure entities (FMIs). The regulators are concerned that disruptions at these third-party sites could destabilize banks’ ability to serve the broader economy.
The proposed regulations would grant regulators the authority to directly oversee the technology and cyber resilience of third-party firms, as well as address supply chain risks, change management, and incident management. These rules would primarily target major cloud service providers such as IBM, Google, Microsoft, and Amazon.
Sarah Breeden, Deputy Governor of the Bank of England, stated, “Financial market infrastructure firms are becoming increasingly dependent on third-party technology providers for services that could impact UK financial stability if they were to fail or be disrupted. We are consulting today on proposals to implement new powers given to us by Parliament to manage these risks for those providers who could present risks to financial stability, in an effective and proportionate way.”
The consultation period for these proposals is open for feedback until March 15, with final rules expected to be published in the second half of 2024.