UK regulators set new rules to enhance resilience of service providers

The framework, announced by the Financial Conduct Authority (FCA), Bank of England, and Prudential Regulation Authority, targets critical third parties, a small group of external service providers that have become essential to financial firms and market infrastructures (FMIs) such as payment systems. According to the FCA, this limited set of third parties plays an important role in promoting efficiency and competitiveness within the financial sector, but also represents potential points of vulnerability should disruptions occur, including from cyber-attacks or outages. 

In 2023, the UK government granted regulators new powers to oversee the operational resilience of these critical service providers, with the intent of reducing risks to financial stability. Today’s announcement outlines how regulators plan to implement these powers, following extensive consultations with the industry. The new rules align with international standards, such as the EU’s Digital Operational Resilience Act, reflecting global efforts to address operational resilience.

A focus on sector-wide resilience and stability 

Under the new regime, the government will determine which third-party providers are subject to these oversight requirements, based on input from financial regulators. Once designated, critical third parties will be required to: 

• Provide regular updates and notifications to financial regulators regarding their services. 
• Conduct resilience testing and engage in scenario-based exercises, which in some cases will involve direct collaboration with financial firms and FMIs.
• Report significant incidents, such as cyber-attacks, natural disasters, or power outages. 

The final framework intends not only to improve the resilience of individual providers but also to enhance the stability of the UK financial sector. Despite this new oversight, financial firms and FMIs remain responsible for ensuring their own operational resilience and for managing third-party risks in line with existing rules on outsourcing and operational resilience.  

The regulatory bodies have invited ongoing industry engagement throughout the implementation period. During a consultation published in December 2023, regulators received positive feedback from over 60 industry respondents, showing wide support for the new resilience framework. The final rules and policy will come into effect on 1 January 2025.