Out-Law News | May 18, 2022
UK financial regulators are to get new powers to bring some cloud service providers and other technology suppliers within their direct scope of regulation in a move designed to safeguard against the increasing dependency on those providers within the sector.
The necessary powers are expected to be set out in provisions of the Financial Services and Markets Bill – proposed new legislation trailed in last week’s Queen’s Speech.
A background document issued by the government alongside the Queen’s Speech refers to the government’s plans for new legislation to support resilient outsourcing to technology providers in the financial services sector. However, details of the nature and purpose of the proposed legislation were not specified at the time.
Out-Law now understands, however, that the government intends to take forward recommendations made by the Bank of England’s Financial Policy Committee (FPC) last year. The FPC said that “additional policy measures, some requiring legislative change, are likely to be needed to mitigate the financial stability risks stemming from concentration in the provision of some third-party services”.
The FPC highlighted how “critical third parties” (CTPs) are becoming increasingly relied on within the UK financial services sector. While it said that this can bring benefits such as “improved operational resilience”, it said that “the increasing criticality of the services that CTPs provide, alongside concentration in a small number of providers, pose a threat to financial stability in the absence of greater direct regulatory oversight”.
Angus McFadyen of Pinsent Masons, a specialist in the application of technology law in the financial services sector, said: “It is a logical leap to expect that new UK rules would align with the EU proposals for a new Digital Operational Resilience Act (DORA) given the similar objectives and concerns of the regulators across Europe.”
UK regulators already collect data from firms about their use of third-party providers, so we would expect them to form a short list of CTPs from that information and for that list to then be reviewed annually.
Businesses designated as CTPs would have to establish risk and control management frameworks that meet essentially the same standards that authorised firms have to meet in relation to the resilience of their core services.