The oversight of critical third parties
By Michael Faber
Where is the missing piece in the oversight of critical third parties?
On 29th March 2021 two key subjects were covered by new regulation within the finance sector. One was associated with Operational Resilience provided through joint policy and supervisory statements from the Bank of England, PRA and FCA. The other was published by the PRA on outsourcing and third-party risk management.
These initiatives by the regulators provide a major step forward in the UK towards overall resilience of the finance sector, strengthening market stability and reducing the risk of service disruption.
However, while this strengthens the responsibility of financial services firms to reduce harm to customers, markets and firms, it also highlights the reliance many firms have on a limited number of third parties, particularly major cloud providers, over which the regulators have little or no oversight.
Systemic Risk
Given the current lack of regulation over third parties, this reliance presents an obvious systemic risk to the overall financial services infrastructure.
The EU is close to finalising a legislative framework that includes oversight of critical third parties, under the Digital Operational Resilience Act (DORA), which is expected to become operational in 2024.
Financial Services and Markets Bill
In the UK, the Financial Services and Markets Bill put before parliament on 20th July this year proposes a statutory framework for managing systemic risks posed by third parties. The second sitting is due on 7th September.
This UK bill has been proposed as a result of ongoing discussions between HM Treasury, the Bank of England, the PRA and the FCA, for which the financial regulators published a discussion paper on 20th July. It includes potential measures for overseeing the systemic risks arising from the services that critical third parties (CTPs) provide to the finance sector. The joint discussion paper (PRA DP3/22 and FCA DP22/3) requests responses by 23rd December 2022.
Supervisory Powers
It has certainly been difficult to obtain the necessary reassurance, and the associated evidence of resilience, from some of the large suppliers. These initiatives by the EU and the UK should therefore further the aims of operational resilience, including by giving the supervisory authorities powers over CTPs, and help strengthen the overall resilience of the sector.
Not a high enough priority
However, I have seen that the resilience management of CTPs has often not been high on the priority list in the past. Hopefully the additional focus on end-to-end mapping of Important Business Services, which further highlights the importance of third parties in the delivery of services, will now ensure that due diligence on CTPs, the review of contracted SLAs, the confirmation of recovery time objectives against recovery times achieved, matching to impact tolerances, and consideration of alternate suppliers and alternate ways of working become priorities going forward.
If you would like to talk to someone about how to enhance your third-party risk management processes, get in touch.