OPERATIONAL RESILIENCE: PROPOSED CTP REGIMES – UK / EU COMPARISON

Regimes compared: UK (FSM Bill + DP3/22) and EU (DORA).
1. Scope of Regime

UK (FSM Bill + DP3/22):
- Applies to CTPs only. Firms remain subject to existing rules (and regulator expectations) on operational resilience, outsourcing and third party risk management.
- Wide category of CTP services: CTPs are not limited to digital / data service providers.
- Cloud Services Providers (CSPs) are likely to be considered for designation. But DP3/22 contemplates non-ICT services (e.g. claims management services to insurers or cash distribution) possibly being designated.
- Criteria for being a CTP: FSM Bill proposes two criteria for CTPs:
- materiality – the materiality of the services to the delivery by UK firms and FMIs (only) of activities, services or operations that are essential to the economy or financial stability of the UK; and
- concentration – number and type of UK firms and FMIs to which the third party provides its services.
- The CTP regime may, in the future, extend to artificial intelligence, quantum computing, machine learning etc.

EU (DORA):
a. Firms: 20 categories (listed in Article 2(1) of DORA) of in-scope EU "financial entities", including:
- Banking sector: Credit institutions, payment institutions, electronic money institutions, investment firms and cryptoasset service providers;
- Markets infrastructure: Central securities depositories, central counterparties (CCPs), trading venues, trade repositories and data reporting service providers;
- Funds sector: Alternative investment fund managers (AIFMs) and Undertakings for Collective Investment in Transferable Securities (UCITS) management companies;
- Insurance sector: Insurance and reinsurance undertakings, and insurance, reinsurance and ancillary insurance intermediaries; and
- Other financial entities: Credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories.
The term "financial entities" does not include insurance intermediaries or other exempt entities.
b. ICT third-party service providers: Digital / data service providers only.

2. Designation of CTPs

UK (FSM Bill + DP3/22):
- Under FSM Bill, designation is by HMT via secondary legislation, following consultation with supervisory authorities.
- Designation is evidence-based. It is expected that only a very small percentage of the total number of third parties providing services to firms will be designated as CTPs.
- Supervisory authorities may recommend designation of a particular third party to HMT. In doing so, supervisory authorities would look at:
- materiality – economic functions, critical services / functions, certain important business services;
- concentration – number / type of firms / FMIs that use the third party, (in)direct dependencies, market share in material services; and
- potential impact – aggregation risk, substitutability, survivability.

EU (DORA):
- Designation is by the European Supervisory Authorities (the ESAs – the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)).
- The ESAs will designate through a Joint Committee and upon recommendation from an Oversight Forum.
- EBA, ESMA or EIOPA will be appointed as Lead Overseer for each ICT CTP, depending on the total value of assets of financial entities making use of the services of that provider.
- The ESAs will, through the Joint Committee, establish, publish and update yearly the list of the ICT CTPs at the EU level.
- ICT third-party service providers that are not designated as ICT CTPs may request to be designated and included in this list.
- Criteria for designating ICT third-party service providers as ICT CTPs: Article 31(2) of DORA outlines the following criteria for ICT CTPs:
- systemic impact on the stability, continuity or quality of the provision of financial services in the event of the ICT CTP facing a large-scale operational failure to provide its services;
- systemic character or importance of the financial entities that rely on the relevant ICT CTP;
- reliance of financial entities on the services of the ICT CTP in relation to critical or important functions of the financial entities; and
- degree of substitutability of the ICT CTP (including lack of real alternatives and difficulties to partially / fully migrate across to an alternative third-party provider).

3. Type of regulation / oversight

UK (FSM Bill + DP3/22):
- Regulators:
- BoE;
- FCA; and
- Prudential Regulation Authority (PRA).
- Nature of regulation:
- Service-based (not entity-based) oversight. Supervisory authorities would focus on the services that CTPs provide to UK firms and FMIs, where the failure or disruption of those services could have a systemic impact on the supervisory authorities' objectives (material services).
- Regulators would not oversee, regulate or supervise CTP entities in their entirety, nor the services they provide to other sectors of the economy.
- Supervisory authorities may consult with public bodies and other regulators on designation, including the National Cyber Security Centre, the Centre for the Protection of National Infrastructure, the Digital Regulation Cooperation Forum (which includes the Competition and Markets Authority (CMA) and the Information Commissioner's Office (ICO)), the UK Regulators Network and / or the Department for Digital, Culture, Media and Sport.

EU (DORA):
- Regulators:
- Financial entities: Financial entities will be subject directly to extra requirements under DORA (and through amendments to existing EU legislation made under the DORA Amending Directive).
- ICT CTPs: For each ICT CTP, the regulator will either be EBA, ESMA or EIOPA (whichever is Lead Overseer).
- Nature of regulation: The Lead Overseer:
- Conducts the oversight of the assigned ICT CTP and is, for all matters related to oversight, the primary point of contact for that ICT CTP.
- Assesses whether each ICT CTP has comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk which it may pose to financial entities.
- Has powers to:
- request information;
- conduct investigations and inspections;
- make recommendations; and
- request reports and require recommendations to be addressed.
- Oversight Forum
- An ESA Joint Committee will establish a sub-committee (the Oversight Forum), which shall discuss relevant developments and annually undertake a collective assessment of the results and findings of the oversight activities conducted for all ICT CTPs and promote coordination measures.
- The ESAs, through the Joint Committee and based on the work of the Oversight Forum, will present yearly to the European Parliament, Council and Commission a report on designation and supervision.

4. Obligations on Firms

UK (FSM Bill + DP3/22):
- No specific extra obligations proposed.
- UK regulated firms and FMIs will retain primary responsibility (and accountability to their regulators) for managing risks to their resilience (including operational resilience) arising from arrangements with third parties, including those designated as CTPs.

EU (DORA):
- Financial entities:
- In summary, financial entities must comply with the 'general principles', put in place key contractual provisions and undertake assessments of ICT concentration risks for all ICT third-party service providers including those designated as ICT CTPs.
- Note: 'General principles' include:
- contractual arrangements;
- proportional management based on the scale, complexity and importance of ICT-related dependencies and risks arising from contractual arrangements on the use of ICT services;
- putting in place a strategy on ICT third party risk;
- maintaining at an entity level and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers;
- reporting to competent authorities;
- exercising access, inspection and audit rights over ICT third-party service providers;
- putting in place exit strategies; and
- identifying alternative solutions and developing transition plans to enable them to remove or transfer the ICT services.
- Must review concentration risk before entering into a contractual arrangement for the use of ICT services (Article 28(4)(c) and Article 29).
- Must put in place key contractual provisions with any ICT third-party service provider (e.g. on locations, accessibility, notice periods, SLAs, right to monitor, etc.) (Article 30). Standard contractual clauses are to be considered but not as yet mandated (Article 30(4)).
- May only enter into contractual arrangements with ICT third-party service providers that comply with appropriate security standards (Article 28(5)).
- Must take into account or sufficiently address all specific risks identified in a Lead Overseer's recommendations (addressed to the ICT CTP – see below) (Article 42(3)).
- May only use the services of an ICT third-party provider established in a third (non-EU) country and which has been designated as critical by the ESAs if that third country ICT CTP has established a subsidiary in the EU within 12 months of its designation (Article 31(12)).

5. Obligations of CTPs

UK (FSM Bill + DP3/22):
- CTPs would have to comply with proposed minimum resilience standards to be set by the regulators (which could be tailored to CTPs but built on CPMI-IOSCO Principles for FMIs).
- The minimum resilience standards (DP3/22, chapter 5) would apply to material services; build on existing operational resilience framework for firms / FMIs; avoid duplication of existing standards; impose common / minimum obligations on CTPs; and be outcomes-focused and principles-based.
- Elements of potential minimum resilience standards:
- identification of relevant services;
- mapping resources required to deliver those services, including nth parties;
- risk identification and management;
- resilience testing including participating in sector-wide testing;
- engagement with supervisory authorities including providing reasonable notice of information on incidents or threats;
- developing a financial sector continuity playbook i.e. measures to test failure or severe but plausible disruption to material services;
- post-incident communication, including communication plans (e.g. bank runs); and
- learning and evolving from actual disruption and testing.
- Compliance with existing government and industry-recognised certifications and standards may give partial assurance about compliance with minimum resilience standards.
- No one-size-fits-all approach to CTP resilience. But the expectation is that resilience testing may be performed jointly for CTPs.
- Testing would include scenario testing (perhaps in collaboration with the Cross Market Operational Resilience Group), sector-wide exercises (such as in conjunction with SIMEX) and cyber-resilience testing (such as testing by CBEST).

EU (DORA):
- The obligations of designated ICT CTPs are largely based on compliance with the exercise of the authority of their Lead Overseer on security, risks, reporting, testing, access etc.
- DORA otherwise does not impose specific obligations on ICT CTPs.
- Generally, the proposed UK regime will put more obligations on CTPs; whereas DORA puts more obligations on financial entities than CTPs.

6. Regulators' Powers

UK (FSM Bill + DP3/22):
- The FSM Bill proposes to grant supervisory authorities powers to:
- make compulsory information requests of CTPs;
- commission skilled persons reviews of CTPs (akin to section 166 of the Financial Services and Markets Act 2000 (FSMA)). CTPs would be under a statutory obligation to give skilled persons all such assistance as they may reasonably require;
- issue a direction requiring CTPs to do (or refrain from doing) anything specified. This could involve implementing the recommendations of a skilled persons review, remediating issues or suspending or imposing conditions on the CTP's ability to provide services to UK firms and FMIs; and
- if a CTP breaches an applicable requirement: (a) publish a statement (censure); (b) impose conditions or limitations on the ability of the CTP to provide services to UK firms and FMIs; and (c) issue a disqualification notice prohibiting it from entering into future agreements with UK firms and FMIs, prohibiting it from providing (some of its) services or imposing conditions / limitations on its ability to provide services.
- Supervisory authorities would only be able to use certain powers where they have undertaken an investigation that concludes the CTP breached a requirement.
- No financial penalties listed in DP3/22.
- After the FSM Bill receives Royal Assent, the supervisory authorities would publish a Statement of Policy setting out how they would exercise their statutory powers over CTPs.

EU (DORA):
- The Lead Overseer is to assess whether ICT CTPs have in place sound rules, procedures, mechanisms and arrangements to manage the ICT risks which they may pose to financial entities (Article 33). This assessment will include:
- physical security;
- risk management processes;
- governance arrangements;
- ICT-related incidents;
- mechanisms for data portability and interoperability;
- testing;
- ICT audits; and
- use of relevant national and international standards.
- Based on this assessment, the Lead Overseer will adopt an Oversight Plan for each ICT CTP which will be communicated to the provider each year.
- Lead Overseer has a range of powers over ICT CTPs (Article 35), including to:
- request all relevant information and documentation;
- conduct general investigations and inspections;
- request reports specifying remedies to be taken;
- issue recommendations (for example on ICT security or refraining from subcontracting);
- impose financial penalties.
- Before exercising its powers, the Lead Overseer must consult the Oversight Forum.
- General investigations (Article 38): includes examining records, summoning representatives for oral / written explanations, interviews etc. An investigation may only be exercised in accordance with a written authorisation specifying the subject matter and purpose of the investigation.
- On-site inspections (Article 39): inspections to cover the full range of ICT systems, networks, devices, information and data used for or contributing to the provision of services to financial entities. Reasonable notice must be given to the ICT CTPs unless such notice is not possible due to an emergency or crisis situation or if it would lead to a situation in which the inspection would no longer be effective.
- Post-investigation / inspection recommendations (Article 40(3)): within 3 months after the completion of an investigation or inspection, the Lead Overseer must, after consulting the Oversight Forum, adopt recommendations to be addressed to the ICT CTP and those recommendations should be immediately communicated to the ICT CTP and competent authorities of the financial entities to which it provides services.
- Periodic penalties (Article 35(6)): to compel the ICT CTP to comply with its obligation to respond to information requests, comply with an investigation or provide requested reports. Payable daily until compliance is achieved, for maximum 6 months. Up to 1% of the average daily worldwide turnover of the ICT CTP in the preceding business year.
- ESAs will publish a range of joint Implementing Technical Standards (ITS), Regulatory Technical Standards (RTS) and Guidelines under DORA.

7. International Coordination & Harmonisation

UK (FSM Bill + DP3/22):
- DP3/22 highlights that a global methodology for identifying CTPs would be challenging (but notes that there is such a methodology for identifying systemically significant financial institutions).
- Global resilience standards for CTPs could be developed based on Annex F of the CPMI-IOSCO Principles for FMIs and the High Level Expectations for the Oversight of SWIFT.
- Sector-wide testing and cross-border resilience testing may be employed.
- DP3/22 asks respondents about UK supervisory authorities taking into account resilience tests, sector-wide exercises and other oversight activities undertaken by or on behalf of non-UK financial supervisory authorities on CTPs. "Taking into account" is not defined; this could fall short of recognition / validation for the purposes of the UK regime.

EU (DORA):
- Article 44 provides that the ESAs may conclude administrative arrangements with third country regulatory and supervisory authorities to foster international cooperation on ICT third-party risk across different financial sectors.
- The ESAs must report every 5 years in a confidential report to the European Parliament, Council and Commission summarising relevant discussions with such third country authorities.