The FCA, Prudential Regulation Authority and Bank of England have confirmed new rules aimed at improving the resilience of technology and other third parties providing key services to financial firms. 

Financial firms and financial market infrastructures (FMIs), such as payment systems, have become increasingly reliant on the services of a small number of third-party providers, known as critical third parties. Although these third parties can enhance competitiveness for the sector, disruption to or failure of one of them, such as through a cyber-attack or power outage, could affect many consumers and firms, and threaten the stability of the UK financial system.

In 2023, the UK government gave regulators new powers to oversee the resilience of the services these third parties provide to the sector, where those services may cause risks to financial stability. The regulators have now, following consultation, set out how they intend to use their new powers. The new rules align closely with international standards and similar regimes, like the EU’s Digital Operational Resilience Act.

The rules will require critical third parties, once designated by HM Treasury, to:

  • provide regular assurance, information and notifications to the financial regulators on their services;
  • undertake various forms of resilience testing and scenario-based exercises, including collaborating on some with their firms and FMIs; and
  • report major incidents like cyber-attacks, natural disasters and power outages.

The FCA says that the final rules, when implemented, will not only strengthen the resilience of the services that critical third parties provide to individual firms, but will improve the resilience of the UK financial services sector as a whole. It also says that strengthening resilience and promoting market stability will make the UK an attractive place to do business. 

The government will decide which third parties should fall under the new regime based on advice from regulators. 

The new rules do not reduce the responsibility of financial firms and FMIs for making sure that they are resilient to operational shocks and for their management of third parties, in line with the FCA’s existing outsourcing and operational resilience rules.

The final rules and policy will come into effect on 1 January 2025.