The financial industry is undergoing a significant shift with the latest consultation paper, PRA/BoE CP 26/23, which focuses on operational resilience and critical third parties (CTPs).  
In this article, we’ll highlight the key headlines and shed light on what this means for both regulators and buyers of CTP Material services. 

The proposed PRA/BoE CP 26/23 introduces new obligations without altering existing Operational Resilience or Third-Party Risk requirements for service buyers. Its focus is on yet-to-be-designated Critical Third Party (CTP) suppliers. The consultation phase concludes on March 15, 2024.

Building on Discussion Paper DP 3/22, the consultation paper adjusts proposals based on feedback. It relates to the new powers under section 312L(1) of FSMA 2000, as amended by FSMA 2023.

The oversight regime aims to manage risks to the UK financial system by improving the resilience of CTP services. 

Key Points: 

  • Regulators (BoE, PRA, FCA) collaborate to enhance oversight of CTPs, especially regarding Material services to UK regulated firms.
  • HM Treasury designates CTPs based on service criticality, concentration risk, and other factors. 
  • Six Fundamental Rules and eight detailed requirements apply to CTP Material services, irrespective of location. 
  • CTPs must provide an annual self-assessment, covering operational risk factors, supply chain resilience, cyber risks, and change management. 
  • CTPs should conduct an annual test of a financial sector incident management playbook in partnership with buyers. 

Impact on our Buyer members: 

  • No new requirements for buying firms, and no reduction in accountability. 
  • Greater reporting from CTPs aids resilience teams but doesn’t replace the need for understanding supplier relationships. 
  • Reporting to regulators through outsourcing registers remains crucial; changes to reporting may occur in 2024. 
  • CTP designation doesn’t guarantee inherent resilience; it signifies increased scrutiny. 
  • No change in Third-Party Risk scope; non-FS utilities remain outside the scope. 
  • Location-agnostic proposals eliminate outsourcing distinctions.
  • Estimated CTP compliance costs are £660,000-£930,000 (one-off) and £500,000 (annual ongoing). 


The proposals align critical third-party obligations with client responsibilities, formalising and broadening the flow of operational risk information. Higher quality data shared by CTPs enhances buyer views of the supply chain, fostering industry resilience.  

Hellios welcomes increased risk transparency and collaborative testing, positioning the FSQS community to support the controlled access of CTP outputs and improve regulatory reporting for buyers through financial services supplier data. 

To learn more about how we can assist in navigating these changes and improving your regulatory reporting experience, speak to your Account Manager.