The UK’s financial regulators have announced new rules designed to improve the resiliency of technology firms and other third parties providing services to financial services institutions.
The move comes after the government last year gave regulators new powers to oversee the resilience of third parties over concerns about the risk they could pose to financial stability.
The Financial Conduct Authority (FCA), Bank of England, and Prudential Regulation Authority have this week set out how they plan to use these new powers.
The regulators have said that under their rules third parties must provide them with regular assurance, information and notifications on their services.
They will also have to undertake resilience testing and scenario-based exercises, including some conducted jointly with the firms and financial market infrastructures (FMIs) they serve, as well as report major incidents such as cyber-attacks, natural disasters and power outages.
The new rules, which will come into force on 1 January next year, align closely with international standards such as the EU's upcoming Digital Operational Resilience Act (DORA).
The FCA said with financial firms and FMIs, including payment systems, becoming increasingly reliant on the services of a small number of third party providers, a disruption or failure to one of them could impact a large number of consumers and firms and "threaten the stability of the UK financial system".
Earlier this month, the financial watchdog urged firms to strengthen their defences against major technology disruptions following the CrowdStrike incident that caused global chaos in July 2024.
At the time, it said that issues linked to third-party providers were the leading cause of operational incidents reported to the regulator between 2022 and 2023.
The July incident occurred when CrowdStrike released a faulty Falcon content update for Microsoft Windows devices, affecting 8.5 million systems worldwide. The disruption led to thousands of flight cancellations and impacted various sectors including banking, healthcare, and retail.
The government is to decide which third parties will come under the new rules based on advice from the financial regulators.
The FCA said that the new regime does not reduce the responsibility of financial firms and FMIs for making sure they are resilient to operational shocks and for managing their third parties, in line with its existing outsourcing and operational resilience rules.
"The policy stipulates that financial firms must have an understanding of the resilience of their third parties in the face of severe but plausible scenarios, while also ensuring they can remain resilient if those third parties are rendered unavailable," said David Ferbrache, managing director of cyber and resilience consultancy Beyond Blue, in response to the news. "While we expect the CTP regime will regulate the most important of those third parties, there will be many hundreds more suppliers on which the financial sector depends and which could also cause major disruption."
Ferbrache said that this will require the financial sector to work together to tackle the resilience of those "significant" third parties.
He went on to say that operationalising the findings of the Bank of England's Cross Market Operational Resilience Group (CMORG), which brought financial institutions together to agree next steps on how the community tackles this next tier of suppliers, will be key to improving sector resilience and complements the financial regulators' critical third party regime.