With the Financial Services and Markets Act 2023 (FSMA) bedding in, it is a good time to consider how the CTP regime will work in practice and the implications for operational resilience.
What is the status on the UK’s CTP regime?
The regulators are currently reviewing responses to their joint CTP Discussion Paper 22/3[2] and are now consulting on potential rules and guidance relating to CTPs, given the new supervisory powers which bring CTPs directly into its regulatory remit for the first time. In December 2023, the FCA and PRA issued CP26/23, setting out proposals for CTP regulation. This comprises a set of fundamental rules all CTPs must follow in respect of all the services they provide, together with a more detailed set of requirements applicable to a CTP’s material services (the 8 Operational Risk and Resilience Requirements). It also prescribes new information which must be shared with regulators and firms, which will assist firms to ensure compliance with their own regulatory requirements. This will include results of scenario testing, as well as information contained in the annual self-assessments which CTPs will be required to submit to regulators. Firms may also be involved in CTP’s financial sector incident management testing. The CP26/23 also foreshadows development of a new policy for collection of outsourcing and third party data from firms (which will be consulted on in 2024). This data source will be used to inform CTP designations and will involve a further layer of reporting by firms on third party service provision.
The potential scope of the remedies afforded to the FCA and Bank of England will include the power to issue a notice preventing a CTP offering its services to regulated entities or limiting the basis on which a particular service can be provided. Equally, regulated entities may receive a notice prohibiting them from using a CTP’s service or limiting how the service can be provided.
Despite the emphasis placed on the CTP regime in FSMA, the FCA Chief Executive’s speech[3] in October 2023 was light on timing and implementation details, noting only the FCA’s new responsibility to oversee CTPs and including the somewhat opaque comment that he “now engages the big tech firms more regularly” (within a section on investment in digital and data infrastructure). As CP26/23 will likely not conclude before mid-2024, it is unlikely any CTPs will be designated as such before this time. CP26/23 indicates in its cost benefit analysis of the CTP regime that it is based on a probable population of 20 CTPs (although the number of entities designated may ultimately vary).
How will the new CTP rules (once in place) affect you?
As part of the FCA’s role in promoting confidence in the markets, ensuring systems resilience is a key plank, given the systemic risks posed by tech provider dominance. You might be forgiven for thinking that the proposed new rules would mean the regulatory spotlight would shift to the CTPs and firms would therefore be enabled to outsource some of the responsibility for ensuring compliance with operational resilience rules to the major tech providers. However, recent commentary from the FCA has given[4] a clear steer that firms remain responsible for their own operational resilience compliance, including in respect of any services that they outsource to third parties. That is not changing with the new CTP rules, with firms still required to meet their compliance commitments no matter how they choose to deliver their services. This is despite the fact that as the FCA’s Executive Director of Markets and International noted[5] recently: “some third parties threaten to overshadow the size and might of the firms they serve. It is right that in a world increasingly reliant on technology and data, the holders of this precious commodity be held to account to prevent things going wrong.” CP26/23 emphasises this, noting that “ultimate accountability and responsibility for firms’ outsourcing and operational resilience obligations cannot be outsourced to a CTP” and that the proposals are intended to “complement, but not blur, eliminate or reduce the accountability and responsibility of firms” – with the new rules not altering the scope of the due diligence and monitoring obligations required of firms. Interestingly, CTPs will not be able to use the CTP designation as a badge indicating that their services are somehow endorsed by UK regulators, with CP26/23 flagging that a CTP will not be able to use the designation for marketing purposes or to suggest that its regulation as a CTP means firms choosing its services have an advantage over firms using service providers who are not so designated.
So, it would seem to be business as usual from a compliance point of view for firms undertaking critical or material outsourcings, even though the FCA will now be exercising an additional layer of oversight of these providers. You can not therefore rely on the FCA to do your regulatory compliance homework for you!
You cannot therefore rely on the FCA to do your regulatory compliance homework for you!
Interplay with the EU’s new resilience requirements
In a sign of increased pragmatism under the Sunak administration, the first meeting of the Joint EU-UK Financial Regulatory Forum was held in October 2023. This forum is to facilitate regulatory co-operation under the Memorandum of Understanding. Notwithstanding the imminent application of the EU’s Digital Operational Resilience Act (2022/2554) (DORA) and the UK’s new rules on CTPs, the topic of resilience was not expressly discussed, with the participants identifying financial stability risks; implementation of relevant international regulatory standards in the financial services sector; and regulatory developments in financial services as topics for the Spring 2024 meeting.
The onset of DORA’s implementation means firms must also focus their 2024 compliance efforts on meeting the EU’s enhanced operational resilience standards, with the DORA regime applying from 17 January 2025.
It is an open question whether the EU’s new rules, which require firms to set out their tolerances for disruption linked to their critical or important functions (CIFs) and to carry out concentration risk assessments of their third party service provider exposures, cut across the UK’s proposals and will therefore require duplication of compliance effort to document how a firm is meeting both UK and EU operational resilience standards. Ultimately, the objectives of the two regulatory regimes are complementary, even if only the UK regulators are intending to take supervision of CTPs into their regulatory perimeter. Recognising the regulatory overlap, CP26/23 notes that its oversight requirements are designed to be interoperable with DORA and the US’s Bank Service Company Act and that it may ask CTPs for information they have provided to EU and US supervisory bodies. This will not affect how firms report to regulators in respect of their own obligations but may help support their due diligence and oversight obligations.
