12/07/2022

Subtle or seismic shift in IT firms’ regulation?

Following the multi-week IT failure by Lloyds TSB back in 2018, the Treasury Select Committee produced a report on IT failures in the Financial Services sector. Here, Tara Swaminathan and Sarah Drew review the risks it identified and how firms can mitigate them.

The report, available here, identified the key risks with “critical third party” IT providers, such as cloud computing services, and set out what the financial services sector should be doing to mitigate these risks.

Last month, HM Treasury published a policy statement following the outcomes from the 2019 report. It, along with the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), has developed a framework to:

  • understand what “direct regulatory oversight” of critical third-party services means;
  • help firms manage risks to their own financial stability; and
  • assist firms in complying with their statutory and regulatory obligations.

Why now?

The risks associated with the outsourcing of certain “critical” or “material” functions are nothing new; they have been on the PRA/FCA’s radar for several years. What has shifted is the way in which financial services firms use IT providers in their key lines of business, which has been compounded by the large-scale shift to remote/hybrid working.

The Treasury’s policy statement highlighted that “over 65% of UK firms used the same four cloud providers for cloud infrastructures” in 2020. This potentially poses a significant risk to the financial services market if any one of these providers suffers a failure or interruption to its services. In the FCA’s view, any disruption of these “critical third parties” threatens the stability of, and confidence in, the UK’s financial services system.

So what?

The Treasury’s proposal will allow it to designate certain third parties as “critical”. This designation will then enable the FCA/PRA to set rules and frameworks that apply to those firms. Regulators will also have the power to assess compliance based on their own standards and where the “critical third party” fails to meet such standards, the FCA/PRA can then take direct enforcement action against them.

This is a seemingly subtle but, in practice, seismic shift from the previous position, where the regulatory framework, and the responsibility to comply with it, lay solely with authorised financial services firms.

How does this affect your business?

This will mark a shift in the regulation of critical outsourcing. On the face of it, it has the potential to lessen the burden on regulated firms, as some of the current regulatory obligations will shift to the “critical third party”. But given the FCA’s current position on outsourcing, it seems unlikely that firms will be absolved of their responsibilities when it comes to using outsourced providers, especially where the function(s) being outsourced are integral to the business and to ensuring that the firm meets its own regulatory obligations.

The FCA and PRA have released a joint Discussion Paper that builds on the Treasury’s proposal, giving firms an opportunity to provide comments by 23rd December 2022.

How we can help

Our Financial Services team provides a multitude of services to firms in this area – such as operational risk gap analysis, policy drafting and legal opinions to rely on if your internal practices are brought into question. So if your business needs help to navigate the complexities of outsourcing or other aspects of the constantly evolving landscape of the financial services industry, please get in touch at t.swaminathan@capitallaw.co.uk.