This article explores the implications of the new Critical Third Parties Regime for the UK financial sector, and how an innovative approach to third-party risk management can help critical suppliers gain visibility into their extended supply chains and achieve compliance.
The new Critical Third Parties (CTP) Regime extends regulatory oversight to key suppliers providing systemic services to the financial sector. It brings the UK into line with other global regulators attempting to bolster operational resilience in financial services in the face of growing threats. The onus of the new Regime is on critical suppliers to assess risks and maintain resilience in their own supply chains. In this article, we explore the implications for CTPs and highlight the role of third-party risk management in achieving compliance.
On 1 January 2025, new rules came into force extending the oversight of UK financial regulators to cover critical third party (CTP) service providers to the financial sector. The new UK Critical Third Parties Regime aims to increase the operational resilience of financial services firms and financial market infrastructure, by allowing regulators to intervene to improve the resilience of key financial sector suppliers.
The regulatory authorities responsible for overseeing the new regime are the Prudential Regulation Authority (PRA), the Bank of England (BoE) and the Financial Conduct Authority (FCA). The new rules align with similar regimes globally, especially the EU’s new Digital Operational Resilience Act (DORA), recognising the growing risk to financial stability and integrity posed by cyber-attacks or outages at critical third-party suppliers.
Cyber-criminals are increasingly targeting critical national infrastructure and financial markets, causing widespread turmoil, instability and financial losses. Similarly, IT faults within third-party suppliers can cause significant disruption, as seen during the CrowdStrike/Microsoft IT outages of July 2024.
In this article, we’ll outline the implications of the new regulations, explain the requirements for suppliers designated as critical third parties, and introduce an approach to third-party risk management that will help suppliers comply with the new rules.
The CTP Regime aims to reduce systemic risks to the stability of the UK financial system by bringing key third-party providers into the scope of regulators’ supervisory oversight.
The UK government has recognised that financial firms and infrastructure have become increasingly reliant on a small number of third-party providers to deliver essential services. Any disruption to these services could have a disproportionate impact on consumers, businesses and the entire financial system.
Under the new regulations, a supplier can be designated as a critical third party (CTP) by HM Treasury if it believes that “a failure in, or disruption to, the provision of those services (either individually or, where more than one service is provided, taken together) could threaten the stability of, or confidence in, the UK financial system”. The Treasury will designate CTPs based on recommendations from the PRA and FCA.
Once designated, CTPs will be subject to supervision and oversight by the regulators for all services provided to financial market entities. CTPs will be assessed by regulators against a set of outcome-focused rules and expectations, which aim to ensure the services they provide are resilient.
Crucially, the UK regulations are technology-neutral, which means CTPs could include Cloud Service Providers (CSPs), Artificial Intelligence (AI) or market data providers, for example, as well as non-IT related suppliers, such as firms providing cash distribution services.
The CTP regime includes disciplinary measures that regulators can take against CTPs if they fail to comply with the requirements. The sanctions include prohibiting the supplier from providing services to authorised financial firms, and issuing conditions or limitations on any services they do provide.
The regime is intended to protect the UK financial system by strengthening the way CTPs identify, manage and respond to operational disruption. The key aims of the regulations are to:
The new rules are in line with international trends in protecting financial markets, including regimes like DORA in the EU. There is likely to be some overlap between the critical suppliers subject to both CTP and DORA, if they provide services to both EU and UK financial sectors. However, there are some differences in the scope of CTP and DORA, notably that the CTP regime covers all critical suppliers, not just those providing IT services. Unlike DORA, the CTP Regime does not mandate specific contractual conditions in the agreements between suppliers and financial firms.
Any supplier designated as a CTP must comply with the CTP Fundamental Rules, which include conducting business with integrity, care and diligence, acting prudently and responsibly, following effective risk-management strategies and dealing with regulators in an open and cooperative way.
Specifically, to meet the requirements of the new regime, CTPs must:
Implementing the CTP Regime will also help regulators improve their understanding of the extended digital supply chains associated with financial institutions. By mapping out the network of suppliers connected to CTPs, the authorities will gain a much broader and clearer picture of supply chain interdependencies and associated risks, and where these risks are concentrated.
The regulations could play a critical role in providing such insight into fourth-, fifth- and sixth-tier suppliers that could present risks to the stability of the financial sector as a whole or to individual financial entities. These ‘nth’ party providers often play a key role in the delivery of essential financial services, but until now have been largely invisible to the authorities. By better understanding complex digital supply chains, regulators – and financial firms themselves – can better track risks and monitor vulnerabilities throughout the supply ecosystem.
The new CTP Regime also makes critical service providers themselves responsible for investigating and mapping out their own supply chains. By identifying service dependencies and potential points of failure within their own operations and wider supply chains, CTPs can help to better secure the financial sector and improve its resilience to disruption.
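To make the nth-party mapping and concentration-risk idea concrete, here is an added illustration (not code from the article or from Risk Ledger) that treats a supply chain as a directed graph of customer-to-supplier dependencies, walks it transitively from each financial firm, and reports which providers several firms ultimately depend on. The firm and supplier names, the edges and the threshold are constructed assumptions; the point it shows is that a provider three tiers out can be just as concentrated as a directly contracted one.

```python
from collections import defaultdict, deque

# Constructed sample dependency graph: key = customer, value = its direct suppliers.
# Every name is hypothetical; tiers are counted outward from the financial firms.
DEPENDENCIES = {
    "BankA": ["CloudCo", "MarketDataLtd"],
    "BankB": ["CloudCo", "CashLogistics"],
    "BankC": ["PaymentsHub"],
    "CloudCo": ["DNSProvider", "ColoDataCentre"],
    "MarketDataLtd": ["DNSProvider"],
    "PaymentsHub": ["CloudCo"],
    "CashLogistics": ["ColoDataCentre"],
}

# The regulated entities whose resilience we care about (constructed).
FIRMS = ["BankA", "BankB", "BankC"]


def transitive_suppliers(graph, start):
    """Return {supplier: tier} for every provider reachable from `start`.

    Breadth-first traversal, so the tier recorded for a supplier reachable by
    several paths is the shortest one. The `seen` set also guards against
    cycles (mutual dependencies), which do occur in real supplier data.
    """
    tiers = {}
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        for supplier in graph.get(node, []):
            if supplier not in seen:
                seen.add(supplier)
                tiers[supplier] = depth + 1
                queue.append((supplier, depth + 1))
    return tiers


def concentration(graph, firms):
    """Map each supplier to the sorted list of firms that depend on it, directly or not."""
    dependants = defaultdict(set)
    for firm in firms:
        for supplier in transitive_suppliers(graph, firm):
            dependants[supplier].add(firm)
    return {supplier: sorted(firms_) for supplier, firms_ in dependants.items()}


def concentration_candidates(graph, firms, threshold):
    """Suppliers on which at least `threshold` firms depend: the systemic bottlenecks."""
    return sorted(
        supplier
        for supplier, dependants in concentration(graph, firms).items()
        if len(dependants) >= threshold
    )


if __name__ == "__main__":
    for firm in FIRMS:
        print(firm, "->", transitive_suppliers(DEPENDENCIES, firm))
    # DNSProvider and ColoDataCentre are never contracted directly by a bank,
    # yet every bank depends on them; only the transitive view reveals this.
    print("concentrated on:", concentration_candidates(DEPENDENCIES, FIRMS, threshold=3))
```

Run as a script it prints each firm's full supplier tree with tiers, then the providers every firm shares. The same traversal, run from a CTP rather than a bank, gives the CTP the map of its own dependencies that the regime asks it to produce.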
The Bank of England’s report on Operational Resilience in a Macroprudential Framework, published in August 2024, suggested just such a systemic approach to understanding and managing risks in the wider financial system – to help firms prevent and better respond to operational disruptions.
Gaining a clearer understanding of and visibility into the extended digital supply chains of individual organisations and entire sectors is vital for enabling critical third-party providers to comply with the new CTP Regime, and for helping regulators better identify and manage risks.
Risk Ledger is a dedicated third-party risk management platform, designed to provide real-time visualisations of complex digital supply chains. The platform works like a social network, with individual companies and suppliers providing key information about their security status, and other relevant risk metrics, which are made available to all connected participants on the platform. By connecting with suppliers on the platform, financial organisations can view and monitor the risk status of their own critical service providers.
Crucially, however, Risk Ledger enables the network of suppliers connected to any organisation to be mapped, providing a unique visualisation of the wider supply chain ecosystem – uncovering critical interdependencies and connections beyond immediate critical suppliers. For regulators, Risk Ledger provides a bird’s eye view of entire supply networks, enabling the discovery of concentration and systemic risk, so that efforts to enhance resilience can be focused on these critical bottlenecks.
Furthermore, Risk Ledger supports faster incident response when supply chain incidents strike. It reaches out to the now over 7,500 organisations on its platform and asks them to share whether they are affected, investigating, remediating or have resolved any issues, and to share this information voluntarily but safely with their clients. By doing so, the platform gives financial sector participants an early warning of the potential impact of incidents, enabling organisations to take relevant mitigation action in good time.
Risk Ledger further enhances third-party risk management using sophisticated risk-scoring algorithms and reporting dashboards to give organisations real-time views into their exposure to third-party risk. These insights help CTPs to enhance supply chain security and make smarter, risk-based decisions about where to focus their resources, and also to demonstrate to regulators what they are doing to map out their own supply chain dependencies and work towards compliance.
The new CTP Regime represents a significant shift in financial sector regulation in the UK. It heralds a new era of collaboration between regulators, financial firms and their critical service providers to build a more resilient and stable UK financial sector.
Organisations designated as CTPs face new challenges in adapting to these regulatory expectations and complying with the new rules. The UK regulations, unlike DORA in the EU, put the onus on critical suppliers themselves – rather than financial firms – to gather information and identify risks associated with their own supply chains.
That means CTPs will need effective third-party risk management practices in place, along with tools like Risk Ledger, to map supply chains, monitor risks, address vulnerabilities and fulfil the expectations of the new CTP Regime.
Also check out our white paper on TPRM and DORA Compliance, which Risk Ledger co-authored with Evelyn Partners.