2024-2025 Global AI Trends Guide
On 8 June 2022, HM Treasury published its policy statement, outlining a proposal to regulate third parties to financial services and financial market infrastructure firms (“Firms”). This proposal comes shortly after the EU, on 11 May 2022, provisionally agreed to pass the Digital Operational Resilience Act (“DORA”); a piece of legislation that shares a similar objective, i.e. to mitigate the risks to financial stability and market confidence in the respective market. In this article, we examine the UK proposals and draw comparisons between DORA and the UK NIS Regulations.
The UK financial regulators (i.e. the PRA and FCA) require Firms to be resilient to operational disruption when contracting with service providers. The PRA Supervisory Statement on 'Outsourcing and third-party risk management’ and the FCA Handbook set out requirements which Firms must follow, such as data security, business continuity and exit planning requirements. These obligations, quite critically, do not extend to the third party service providers who contract with these Firms (the “Third Parties”).
The UK proposal therefore highlights the concerns over Firms’ dependency on a limited number of critical Third Parties (over whom the financial regulators have no oversight) for key services within the financial services sector. “As of 2020, for example, over 65% of UK Firms used the same four cloud providers for cloud infrastructure services.” Therefore, the failure or disruption of a critical Third Party could have a systemic impact across the financial sector.
The proposal therefore aims to allow UK regulators to directly oversee services provided by critical Third Parties, to ensure the resilience of financial services, and reduce the risk of systemic disruption, and proposes to do this by enacting a primary legislation. The proposed regime also aims to be flexible and proportionate.
Designating a Third Party as ‘Critical’
Third Parties will be designated as critical by HM Treasury via secondary legislation. HM Treasury would make the designation in accordance with a ‘designation framework’ which will be laid out in the primary legislation. HM Treasury would also consult the following parties when making such designation (and potentially other bodies):
The financial regulators (who may recommend that HM Treasury designate certain Third Parties as critical, based on their analysis of data and information from Firms);
Third Parties (who may make representations to HM Treasury, perhaps to avoid a designation as critical where they do not consider themselves to be such); and
Firms (who may make representations in relation to their own Third Parties, to HM Treasury).
Regulator Powers
In order to assess whether the resilience standards are being met, the financial regulators would be granted powers to:
Enforcement
The financial regulators would have the power to direct critical Third Parties to:
The question of how the proposed regulation will interact with the existing UK NIS Regulations; is certainly something to consider. The NIS Regulations currently regulates relevant digital service providers (“RDSPs”) (which would include cloud computing service providers) and aims to boost the resilience of network and information systems that are critical for the provision of digital services and other services in specified ‘relevant sectors’ such as the energy, transport and health sectors. Whilst this regulation is not overseen and enforced by the financial regulators in relation to financial services, but rather by the ICO more broadly, at this stage, we can determine that cloud computing service providers will now fall within the scope of regulation by the UK financial regulators, in addition to their existing current regulator; the ICO. Firms can as a result, take comfort in knowing that Third Parties will now be subject to oversight and enforcement by the same regulators by which they too are regulated. This may prove beneficial for the efficiency and understanding between parties, in contractual negotiations between Firms and Third Parties.
In the meantime, Firms should maintain compliance with the existing operational resilience requirements applicable to them whilst taking an active interest in these new proposals.
Authored by John Salmon and Bianca Okoye.