UK financial regulators have confirmed new rules to bolster the resilience of technology and other third parties providing key services to financial firms.
The regulators have been stirred to act as financial firms increasingly rely on a small number of tech providers to keep the lights on. While these third parties can enhance competitiveness for the sector, notes the FCA, disruption to or failure of one of them, such as a cyber-attack or power outage, could affect a large number of consumers and firms, and threaten the stability of the UK financial system.
Under the new regime, critical third party (CTP) technology providers will, in part, come under the ambit of the FCA and Bank of England.
As guided by the regulators, HM Treasury will be called on to designate a third party service provider as a CTP if, in its opinion, a failure in, or disruption to, the services that the third party provides to firms could threaten the stability of, or confidence in, the UK financial system.
Once designated, CTPs will not be overseen in their entirety by the regulators, but the third-party services they specifically provide to the financial services sector will be overseen.
Under the new regime, Big Tech firms will need to provide regular assurance, information and notifications to the financial regulators on their services, undertake various forms of resilience testing and scenario-based exercises, including collaborating on some with their firms and financial market infrastructures (FMIs), and report major incidents like cyber-attacks, natural disasters and power outages.
The FCA emphasises that the new rules do not reduce the responsibility of financial firms and FMIs for making sure they are resilient to operational shocks and for their management of third parties, in line with existing outsourcing and operational resilience rules.