UK financial regulators set new OpRes rules for third parties

The UK’s financial regulators have announced new rules designed to improve the resiliency of technology firms and other third parties providing services to financial services institutions.

The move comes after the government last year gave regulators new powers to oversee the resilience of third parties over concerns about the risk they could pose to financial stability.

The Financial Conduct Authority (FCA), Bank of England, and Prudential Regulation Authority have this week set out how they plan to use these new powers.

The regulators have said that, under their rules, third parties must provide them with regular assurance, information and notifications on their services.

They will also have to undertake resilience testing and scenario-based exercises, including collaborating on some with their firms and financial market infrastructures (FMIs), as well as report major incidents like cyber-attacks, natural disasters and power outages.

The new rules, which will come into force on 1 January next year, align closely with international standards such as the EU's upcoming Digital Operational Resilience Act (DORA).

The FCA said that, with financial firms and FMIs, including payment systems, becoming increasingly reliant on the services of a small number of third-party providers, a disruption or failure at one of them could impact a large number of consumers and firms and "threaten the stability of the UK financial system".

Earlier this month, the financial watchdog urged firms to strengthen their defences against major technology disruptions following the CrowdStrike incident that caused global chaos in July 2024.

At the time, it said that issues linked to third-party providers were the leading cause of operational incidents reported to the regulator between 2022 and 2023.

The July incident occurred when CrowdStrike released a faulty Falcon content update for Microsoft Windows devices, affecting 8.5 million systems worldwide. The disruption led to thousands of flight cancellations and impacted various sectors including banking, healthcare, and retail.

The government is to decide which third parties will come under the new rules based on advice from the financial regulators.

The FCA said that the new regime does not reduce the responsibility of financial firms and FMIs for making sure they are resilient to operational shocks and for their management of third parties, in line with its existing outsourcing and operational resilience rules.

"The policy stipulates that financial firms must have an understanding of the resilience of their third parties in the face of severe but plausible scenarios, while also ensuring they can remain resilient if those third parties are rendered unavailable," said David Ferbrache, managing director of cyber and resilience consultancy Beyond Blue, in response to the news. "While we expect the CTP regime will regulate the most important of those third parties, there will be many hundreds more suppliers on which the financial sector depends and which could also cause major disruption."

Ferbrache said that this will require the financial sector to work together to tackle the resilience of those "significant" third parties.

He went on to say that operationalising the findings of the Cross Market Operational Resilience Group (CMORG) of the Bank of England, which brought financial institutions together to agree the next steps on how the community tackles the next tier of suppliers, will be key to improving sector resilience and complements the financial regulators' critical third party regime.
