On 12 November, the Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) released Policy Statement PS16/24, establishing the final rules for operational resilience of critical third parties (CTPs) in the UK financial sector. This policy statement reflects feedback received on Consultation Paper CP26/23, incorporating industry feedback and detailing the regulators’ final approach to strengthening resilience requirements for CTPs.
Overall, consultation feedback received was considered supportive. It was, however, varied. Whilst firms were keen to see greater accountability and information sharing, CTPs looked to minimise the costs of compliance by relying on existing mechanisms.
As a result, changes have been made. These include incorporating additional guidance on the approach to identifying potential CTPs and recommending them for designation, clarification of definitions such as ‘critical third party’ are now more precisely defined as an entity whose failure or disruption could significantly impact the stability of the UK financial system, and CTP’s are now allowed to use existing, documented incident management policies and procedures instead of developing a bespoke ‘financial sector incident management playbook’ for its UK firm customers, if it meets the regulators’ rules.
Other changes include clearer guidelines on incident management, such as specific reporting timelines and types of reportable incidents, as well as stronger requirements for information sharing to enhance transparency. There is also an increased emphasis on governance, requiring CTPs to establish more robust frameworks to manage operational risks. Additionally, the policy includes more proportionate regulations for managing supply chain risks – CTPs must continue identifying and managing these risks but with fewer specific requirements.
Some feedback was not incorporated into the final policy, such as the suggestion to align the definition of ‘relevant incident’ with the EU’s DORA definition of ICT-related incidents. The regulators felt that while some CTP operational incidents may lead to ICT-related incidents under DORA, alignment was not possible because DORA is focused on EU financial entities, not third-party suppliers, and CTPs may also need to report non-ICT-related incidents.
Practitioners may encounter some overlaps between global operational resilience regulations, with some firms finding themselves accountable to several sets of reporting legislation in the same timeframe. However, regulators say they have designed the oversight regime for CTPs to be as ‘interoperable as reasonably practicable’ with similar frameworks.
James Lodge, Leader of the BCI Operational Resilience Special Interest Group said:
“The publication of PS16/24 represents an important step forward in managing systemic risk from critical third parties in the UK financial sector. The regulators have struck a pragmatic balance between strengthening operational resilience and ensuring proportionate implementation. While there are significant implementation challenges ahead, this framework provides much-needed clarity on how concentration risk and third-party dependencies will be overseen. The focus now must be on effective collaboration between CTPs, financial institutions and regulators to deliver these enhanced resilience measures.”
The final compliance deadline for firms and their critical third parties to demonstrate that they fully meet the new standards is March 2025, and whilst larger firms report being on track for compliance, smaller CTP providers may struggle to meet the requirements and could face sanctions, fines, or restrictions despite the recent amendments.
