Strengthening Resilience in the UK Financial Sector: New Rules for Critical Third Parties
UK financial regulators have introduced new measures to enhance the resilience of technology providers and other third parties delivering essential services to financial firms. This change to UK operational resilience regulation aims to safeguard the UK financial system against potential disruptions caused by critical third parties (CTPs).
The new measures were published by the Bank of England, PRA and FCA in a joint policy statement on operational resilience and critical third parties in the UK financial services sector.
Financial firms and market infrastructures, such as payment systems, increasingly depend on a small group of critical third-party providers. While these providers offer significant benefits, their disruption—due to events like cyber-attacks or power outages—could impact a vast number of consumers and businesses, jeopardising financial stability across the UK.
To address this risk, regulators have been granted new oversight powers, enabling them to ensure the resilience of services provided by critical third parties. Following extensive industry consultation, the Financial Conduct Authority (FCA), Bank of England, and Prudential Regulation Authority (PRA) have outlined their approach to using these powers. These rules align with international standards, including the EU’s Digital Operational Resilience Act (DORA).
Who do the operational resilience rules impact?
These rules will primarily affect critical third parties (CTPs) and firms that may become CTPs.
They may also be relevant to:
- Firms and financial market infrastructures (FMIs).
- Trade associations representing the various market participants or member groups with thematic interests.
- Wider financial market participants, such as researchers, academics and other market commentators.
Key Highlights of the Operational Resilience Rules
- Enhanced Resilience: The rules focus on strengthening the operational resilience of services offered by critical third parties, bolstering the overall stability of the UK financial sector.
- Designation Process: The government, with advice from regulators, will identify which third parties fall under the regime.
- Third-Party Accountability: Designated third parties will be required to:
- Provide regular updates and notifications to regulators.
- Conduct resilience testing and scenario-based exercises, including collaboration with financial firms.
- Report major incidents such as cyber-attacks or natural disasters.
- Financial Firm Responsibility: The rules complement existing operational resilience requirements, ensuring financial firms remain responsible for managing third-party risks.
How does the UK’s Operational Resilience and CTP regime compare to DORA?
- Incident reporting: In the UK, CTPs are required to report incidents directly to the regulator. In contrast, DORA requires CTPPs to report incidents through regulated entities.
- Third-party Contracts: The UK rules offer greater flexibility, while DORA sets out more prescriptive requirements.
While the objectives of DORA and the UK regime are broadly aligned, DORA takes a more detailed, rule-based approach. By comparison, the UK framework is principles-based. Despite these differences, achieving compliance with both EU and UK rules necessitates implementing similar processes and procedures in practice.
Implementation Timeline
The final rules and policies take effect on 1 January 2025. While regulators will oversee critical third-party services specific to the financial sector, they will not regulate third parties in their entirety.
For more details, refer to:
- Policy Statement (PS) 24/16
- Supervisory Statement: Operational Resilience of Critical Third Parties
- Regulators’ Oversight Approach
- HM Treasury’s Designation Process
By strengthening operational resilience and promoting financial stability, these measures position the UK as a secure and attractive environment for business.
Steps to compliance with the UK’s Operational Resilience policy
Market participants affected by these changes should:
- review the new CTP sourcebook
- review the related enforcement rules
- review the regulators’ practical guidance on the oversight of CTPs
- conduct a gap analysis
- form a project team and plan to address the gaps identified
We switched from a competitor to Adoptech for ISO 27001 and it was the best decision we made. Superior platform, hands-on support, and no need for costly consultants. Great team, great results!
We left behind spreadsheets and templates for Adoptech’s tech-driven platform, and we’ve never looked back. Real-time visibility, scalability, and expert support make ISO 27001 compliance easy.
Switching to Adoptech was a game-changer. Their expert-led, tech-driven platform made achieving ISO 27001 and SOC 2 seamless. Intuitive tools and top-tier guidance have made compliance a breeze.
Adoptech’s expertise made ISO 27001, SOC 2, and DORA compliance straightforward. Their cost-effective, advanced platform outshines our old solution. Switching to Adoptech was a brilliant decision!
“Relying on Adoptech’s intuitive functionality and helpful team has made the process of implementing ISO 27001 far smoother than we had expected. We feel confident about migration to the 2022 standards, which Adoptech is managing seamlessly.”
“We needed to become ISO 27001 certified in a very short period of time, and I found adoptech.co.uk. They saved us tons of time; their platform is easy to use, super affordable and backed by very responsive UK-based support. Honestly, I can’t praise them enough.”
Adoptech’s platform is intuitive yet customisable, making bespoke document creation effortless. Alastair and the team provided exceptional guidance and support whenever we needed it. Highly recommend.
It’s a slick intuitive application which is ideal for software companies preparing for the commercialisation of their products. The team that developed the app were also incredibly supportive. I am sure we will continue to benefit from their services as we apply for ISO 9001 accreditation over the coming year.
Having used Adoptech for a variety of documents, we found the platform to be extremely intuitive and at the same time customisable, allowing us to create bespoke documents instantaneously. Not to mention that Alastair and the rest of the team were extremely helpful in providing guidance, assistance and support when needed.
How Adoptech helps firms comply with the UK’s Operational Resilience policy
Adoptech brings together a unique blend of skills, with our founders experienced in Financial Services, RegTech, Fintech and information security. We understand the requirements of the UK’s Operational Resilience policy and the EU’s equivalent DORA.
Whether you simply require a gap analysis to be conducted or would like an automated tool to efficiently monitor and track your compliance, the Adoptech team can assist.
Our blend of automation and regulatory expertise can help financial entities, FinTechs and other technology suppliers in scope achieve and maintain compliance.
We offer extensive expertise in compliance, information security, operational resilience and third-party risk management. Our expert team offers comprehensive solutions to help companies navigate the complexities of the regulation.
Create, automate and monitor compliance
We can help you to create and automate the policies and processes you will need in order to comply, including:
Risk & Control Tracking
Capture risks and automatically link controls and policies. Divide responsibility and track compliance against your risk management framework.
Supply chain mapping
Maintain your technology supplier register with ease. We’ve removed the complexity so you can track and export supply chain data in the format required by UK and EU regulators in seconds.
Automated Compliance Management
Remove manual compliance checks by using our API integrations to run ongoing tests to confirm compliance with your controls. Tests can be set up for everything from employee background checks being completed to data being encrypted at rest.
Automated Document Management
Generate, track and share the documents, policies, and reports through our centralised platform.
Independent Audit
Evidence compliance with a DORA accreditation and audit report
Demonstrate your organisation’s commitment to compliance with an independent audit report. Experienced independent auditors evaluate your controls and operational resilience, producing a detailed report that sets out your firm’s level of compliance with your risk management framework. Such reports are key to demonstrating compliance to your Board and the regulators.
Avoid Costly Fines: Non-compliance can result in costly fines. Completing an audit helps ensure you’re not only compliant but have demonstrated you have governance in place over your risk management framework.