Financial services outsourcing: UK plans to regulate service providers and their customers
The UK government is proposing greater regulatory oversight of financial services outsourcing involving “critical third parties” (CTPs). If implemented, these changes will mean that CTPs – some of whom may not consider themselves to be part of the financial sector – will be directly regulated by financial services supervisors. This would represent a major change in approach.
- Why is the reform necessary?
- What changes is the UK government proposing?
- Who would be affected by the new regulatory framework?
- What powers will regulators have over designated CTPs?
- What does all this mean?
1. Why is the reform necessary?
Financial services firms (including payment service providers and e-money providers) (Firms) and financial market infrastructure firms (FMIs) increasingly rely on third parties outside the financial sector – such as cloud-based IT and communications technology service providers – to support their operations through outsourcing arrangements. Failure or disruption of these “critical” third parties could ultimately threaten stability or confidence in the UK financial system. Although the current outsourcing rules impose requirements on outsourcing by Firms and FMIs, they do not apply directly to the third-party providers themselves. The increased reliance of Firms and FMIs on these third-party providers has led the Bank of England’s Financial Policy Committee to conclude that it “could increase risks to financial stability without greater direct regulatory oversight of the resilience of the services they provide”.
The current outsourcing regime for financial services firms
The existing rules are complex but, in general, for certain outsourcing deemed important, Firms and FMIs may be required to notify the competent supervisory authorities and ensure that appropriate practical and contractual safeguards are in place. This is to ensure that the outsourcing concerned does not compromise the ability of Firms to comply with their licensing conditions and their regulatory obligations. However, the focus is on the regulation of Firms and FMIs, and there is currently no direct regulation of outsourced service providers.
2. What changes is the UK government proposing?
The legislative framework proposed by the UK government would allow the FCA, the PRA and the Bank of England (together the “supervisors”) to oversee directly the services that CTPs provide to Firms and FMIs (rather than indirectly, by imposing obligations on Firms and FMIs when they outsource). The proposed regime aims to ensure the resilience of these services (thereby limiting the risk of systemic disruption in the event of failure). The legal regime proposed by the government is supplemented by a joint discussion paper published by the supervisory authorities. These proposals are part of the reforms contained in the Financial Services and Markets Bill (FSM Bill), which is currently before Parliament.
“A large IT services company with a significant number of financial services customers could find itself subject to the direct scrutiny of financial services regulators – even if historically it has always considered itself part of the technology sector.”
3. Who would be affected by the new regulatory framework?
HM Treasury may – after consultation with supervisors and other bodies – be able to designate certain third parties as “critical” by secondary legislation. The designation of a third party will generally follow a recommendation from one or more of the supervisory authorities and will be made when, in the opinion of HM Treasury, “a failure or disruption in the provision of these services (either individually or, where more than one service is provided, taken together) could threaten stability or confidence in the UK financial system”. In forming such an opinion, HM Treasury must consider: (a) the “materiality” of the services provided by the third party to the provision of “essential” activities, services or operations; and (b) the number and type of Firms or FMIs to which the third party provides services (i.e. its “concentration”). Activities, services or operations are “essential” if they are essential to (a) the UK economy; or (b) stability or confidence in the UK financial system. Supervisors may also consider the potential impact of any interruptions or failures of the third party when considering whether or not to recommend designation as a CTP. However, companies that are already regulated by supervisors would not be recommended for designation as CTPs, as long as their existing licenses give supervisors the ability to impose equivalent requirements on the resilience of all the services they provide to Firms and FMIs.
The “materiality” assessment will examine whether the services are essential for the provision by Firms and FMIs of:
- All functions listed in PRA SS19/13 ‘Resolution Planning’: these include deposit taking and savings, lending and loan servicing, capital markets and investment, wholesale funding markets and payments, clearing, custody and settlement.
- “Critical Functions”, as defined in Sections 3(1) and (2) of the Banking Act 2009: these are functions the interruption of which could lead to the disruption of essential services to the UK economy or disrupt the financial stability of the UK.
- Certain “significant business services” as defined in the supervisory authorities’ operational resilience framework for Firms and FMIs: this includes services which, if interrupted, would have an impact on the objectives of the supervisory authorities and, consequently, on the public interest, as represented by these objectives.
The assessment of “concentration” will largely be determined by reference to a centralized framework as well as information provided by Firms and FMIs in their regulatory documents. Supervisors should also consider the type and size, not just the number, of Firms and FMIs that rely on a particular CTP.
See Section 5 for a more in-depth discussion of companies that might be designated as CTPs in practice.
4. What powers will regulators have over designated CTPs?
Minimum Resilience Standards
Once a third party is designated as “critical”, regulators could exercise regulatory power to set minimum standards of resilience that CTPs must meet with respect to the material services they provide.
Supervisors have set out proposed resilience standards in their joint discussion paper. These include: (i) identification; (ii) mapping; (iii) risk management; (iv) testing; (v) engagement with supervisory authorities; (vi) financial sector continuity manual; (vii) post-incident communication; and (viii) learn and evolve.
Supervisors will also carry out resilience testing of services using a number of tools – see below. The exact tools to use will differ depending on the CTP.
Tools that supervisors can use as part of their stress testing include:
- scenario testing;
- sector-wide exercises;
- cyber-resilience tests;
- requesting information directly from CTPs; and
- appointing a qualified person to review a CTP.
Supervisory Authorities will also have a number of statutory powers in relation to CTPs, including (i) the power to direct CTPs to take or refrain from taking specific actions; and (ii) enforcement powers, including a power to make breaches public. As a last resort, Supervisory Authorities will have the power to prohibit a CTP from providing future services or continuing to provide services.
In due course, supervisors will issue a policy statement setting out how they will exercise their statutory powers over CTPs.
The Supervisory Authorities’ Joint Discussion Paper closes on 23 December 2022. Subject to the outcome of the parliamentary debate on the FSM Bill and after consideration of the responses to the Joint Discussion Paper, the Supervisory Authorities intend to consult on their proposed requirements and expectations for CTPs in 2023.
5. What does this all mean?
Companies likely to be designated as CTPs should be prepared to maintain strong governance arrangements, IT systems and risk management frameworks to limit the systemic risk they pose to the financial services industry. Supervisors have envisioned cloud computing and IT infrastructure companies as central to the proposed regime, given the market dominance enjoyed by certain third parties. For example, Amazon, Google, and Microsoft have a collective 65% market share of the global cloud infrastructure market. However, the legislative framework contained in the FSM Bill is not limited in its scope and therefore companies providing critical services (whether technology-based or not) should make the necessary preparations (even if, in practice, only a small number of suppliers are likely to be caught).
CTPs based wholly or largely outside the UK should not assume that they will be outside the scope of the new regime. From a policy point of view, it seems to us that UK supervisors would not want a situation where they are unable to effectively regulate a non-UK CTP that provides essential services to UK Firms or FMIs. However, at this stage, it is not clear what legal mechanisms could be used to achieve this policy objective.
The UK Government’s proposals are not expected to have an immediate impact on the outsourcing obligations currently applicable to Firms and FMIs (as the proposed rules will apply directly to CTPs). However, Firms and FMIs may want to consider how existing or future outsourcing service providers might react if they were designated as CTPs. In particular, the prospect of direct regulation by supervisors could prompt some service providers to change their agreements with financial sector clients to reflect increased compliance costs and a perceived increase in regulatory risk.
The larger picture
More broadly, the proposals are part of a wider trend by governments and regulators to take a more interventionist approach to markets generally in a bid to mitigate perceived risks to critical aspects of the economy. This is reflected, for example, in the UK National Security and Investment Act, which allows the government to intervene in proposed acquisitions of companies deemed essential to the national interest.