2024-11-14
This week in the UK, a new policy statement was published jointly by the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). It aims to enhance the resilience of the financial sector by bringing the "Critical Third Parties" (CTPs) that provide essential services to financial institutions within the regulators' remit.
The policy responds to rising concern that a disruption at a third-party provider could undermine the stability of the UK financial system (and therefore confidence in it) and so pose systemic risk. With an increasingly interconnected financial system, the UK regulators are setting policy to address the risks and vulnerabilities tied to service providers, whether of existing or emerging technology or of non-technology services, that play crucial roles across the sector.
Eight compliance factors for CTPs
The policy aims to create a structured oversight regime for CTPs so that these risks are prevented or managed and the resilience of the sector is increased. The operational risk and resilience requirements in the policy cover eight factors that CTPs would be required to comply with in relation to their material services:
- Governance
- Risk management
- Dependency and supply chain risk management
- Technology and cyber resilience
- Change management
- Mapping
- Incident management
- Termination of services
What this means for CTPs
According to the policy, organizations designated as CTPs will have to submit a self-assessment to the regulators within three months of designation and annually thereafter. In addition, they must regularly test their ability to provide material services through severe-but-plausible scenario exercising, test their incident management playbook annually with representative client firms, share relevant information with client firms, and comply with skilled person review requirements.
What this means for financial firms
For financial institutions, the designation of a third-party provider as a CTP does not relieve them of responsibility for managing outsourcing risk. Firms remain accountable for their own third-party risk management. The new policy should, however, give firms better insight into their third-party dependencies and strengthen their ability to manage the associated risks.
How Can Continuity Management Software Help?
Whether your organization is a financial institution or a CTP, Continuity Manager from 4C can support and automate its continuity management processes, helping with the testing and validation of capabilities and enabling you to maintain operations during disruptions.
It provides tools for identifying, visualizing, managing, and monitoring critical services and critical third parties, for documenting and evaluating risks and threats, and for responding effectively to disruptions. Its business impact analysis (BIA) tool gives an overview of critical services and operations, their dependencies on critical third parties, their risks, and their tolerances. Users can see every critical dependency connected to a service, such as a CTP, the potential impact of a disruption, and how long the organization has to respond before the disruption starts to affect operations. When a disruption does occur, the appropriate response plans can be invoked directly in the tool and stakeholders are notified. The software also includes reporting tools that simplify compliance reporting.
Deadline day is approaching
The new rules are set to take effect on January 1, 2025, with a transitional period for CTPs to comply with specific requirements. If you would like to discuss how we can help your organization improve business continuity or prepare for stricter resilience regulation, contact us today.