Financial regulators in the United Kingdom issued long-expected rules governing “critical third parties.”
The new regulations, expected to go into effect Jan. 1, will govern major tech companies that work with financial firms in the U.K., according to a Tuesday (Nov. 12) press release.
“Financial firms and financial market infrastructures (FMIs), such as payment systems, have become increasingly reliant on the services of a small number of third-party providers, known as critical third parties,” the U.K.’s Financial Conduct Authority said in the release. “While these third parties can enhance competitiveness for the sector, disruption or failure to one of them — such as a cyberattack or power outage — could affect a large number of consumers and firms, and threaten the stability of the U.K. financial system.”
The new rules give regulators such as the FCA and Prudential Regulation Authority more power to take action against service providers if they believe there’s a threat to the financial system. As PYMNTS wrote last year when the rules were first proposed, the third parties include cloud providers such as Google and Amazon, as well as information and communications technology firms.
“Financial market infrastructure firms are becoming increasingly dependent on third-party technology providers for services that could impact UK financial stability if they were to fail or be disrupted,” Bank of England Deputy Governor Sarah Breeden said Dec. 7.
The regulations will require critical third parties to work with regulators when operational incidents happen and demonstrate how they are managing security risks, the Tuesday release said.
The regulations come as incidents like the CrowdStrike outage over the summer drew attention to cyber risks. A Bank of England survey showed that around 70% of banks and 80% of insurers relied on just two cloud infrastructure providers, Bloomberg reported Tuesday.
This isn’t the first time U.K. regulators have made this argument. In 2022, the British Treasury released a policy paper calling for a new regulatory framework similar to the one rolling out in January.
“The government is concerned about the growing dependence of banks on cloud computing, as these services are mostly provided by a handful of players,” PYMNTS wrote at the time.
While the government has not named any tech companies by name, Amazon, Microsoft and Google make up the majority of the world’s cloud computing market.
