



- The Financial Services and Markets Act 2023 grants regulators authority to oversee third-party tech providers deemed vital to the financial sector.
- The new rules, effective January 1, 2025, require CTPs to implement strict risk management, governance, and cybersecurity protocols.
- CTPs must maintain detailed records, conduct self-assessments, and report risks, including supply chain vulnerabilities and operational disruptions.
- Industry experts praise the regulations for balancing resilience with practical implementation.

A major global technology failure in July 2024 sent shockwaves through multiple industries, affecting air travel, retail, and banking systems, and resulting in a $1.15 billion loss for financial institutions.
The widespread disruption underscored the risks posed by financial firms’ reliance on external technology providers, prompting UK regulators to take decisive action to prevent similar crises in the future.
The Financial Services and Markets Act 2023 has granted regulators the authority to oversee third-party providers whose services are deemed critical to the financial sector, with new rules coming into effect on January 1, 2025.
Under the Act, the UK Treasury has the power to designate a company as a "critical third party" (CTP) if its services are essential to financial institutions and if a failure on its part could destabilize the UK’s financial system.
This designation considers factors such as the importance of the service, its concentration in the market, and whether alternative providers exist. Once a company is labeled a CTP, it falls under the regulatory jurisdiction of the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA).
These regulators have been given broad powers, including the ability to impose compliance directives, investigate CTP operations, and take disciplinary action against those that violate regulations. However, their authority is limited to overseeing a CTP’s activities as they relate specifically to financial service providers.
In November 2024, the Bank of England, PRA, and FCA published a framework outlining their approach to regulating CTPs, with the goal of improving financial stability and market confidence.
The new rules make it clear that all CTPs providing services to UK financial firms must comply with the regulations, regardless of where they are based. Even foreign companies that lack a physical presence in the UK must establish a local point of contact and provide an official UK address for regulatory communications.
Additionally, all information submitted to regulators must undergo a rigorous review process by senior decision-makers, ensuring accuracy and accountability. Regulators stress that while the internal structures of CTPs may vary, key disclosures must be reviewed at the highest levels of the organization.
The regulations also impose stringent risk management obligations on CTPs, requiring them to identify potential risks, implement mitigation strategies, and continuously update their risk management frameworks.
A significant focus has been placed on two key areas: supply chain vulnerabilities and technology-related threats. To address supply chain risks, CTPs must conduct due diligence on their subcontractors and disclose these relationships to regulators, particularly when operational incidents occur.
In cases where disruptions compromise the availability, integrity, or confidentiality of financial firms' assets, CTPs must immediately inform regulators and take corrective action.
Given the increasing prevalence of cyber threats, the new regulations also mandate that CTPs implement robust cybersecurity defenses to prevent cyberattacks and system failures.
Companies must develop contingency plans to swiftly respond to technological outages, reducing potential damage to the financial sector. However, the requirement for rapid response extends beyond cybersecurity incidents.
CTPs are now required to maintain a comprehensive incident management playbook, ensuring they can effectively handle any crisis that threatens financial stability or public confidence in the sector.
To facilitate regulatory oversight, CTPs must maintain detailed records of their interactions with financial firms and provide these records upon request. They are also required to conduct periodic self-assessments to evaluate compliance with the regulations, as well as engage in scenario testing and emergency response drills.
These measures are intended to strengthen the financial sector’s resilience and prevent another widespread disruption like the one that occurred in 2024.
Industry experts have largely welcomed the new regulations, describing them as a pragmatic approach to balancing enhanced oversight with practical implementation.
While some concerns remain about the potential compliance burden on smaller service providers, the rules are seen as a necessary step to protect the integrity of the UK’s financial system.
With the regulations now in force, financial regulators are expected to closely monitor CTP compliance and refine their approach based on industry feedback in the coming months.
As financial institutions continue to integrate external service providers into their operations, the UK’s regulatory approach could serve as a model for other jurisdictions looking to mitigate third-party risks.
The financial industry will now be watching closely to see how these new rules impact market stability and whether they can effectively prevent another technology-driven crisis.
