
Why we’re talking about operational resilience and critical third parties right now

Updated: Jul 19, 2023

In a previous article, we highlighted some of the post-Brexit changes being implemented by the Financial Services and Markets Bill (FSM Bill). Brexit brought various changes for the UK, but it also emphasised the importance of the financial sector to the UK economy and its wider role in the global landscape.

The UK government has repeatedly stated its desire to maintain the UK’s status as one of the leading financial services centres in the world. That’s no surprise when you look at some key figures from 2021. The financial services industry:

  • employs 2.3 million people

  • contributes £76 billion in tax each year

  • exceeds £20 billion in exports, and

  • has total assets worth £40 trillion

Given these figures, it’s no wonder that operational resilience continues to be a key area of focus for the regulators.

The FSM Bill allows the Government to introduce the concept of ‘critical third parties’ (CTPs) in a bid to manage systemic risk posed by this special class of third parties.

Over the last couple of years, we have seen several papers issued jointly by the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority. This collaboration indicates the level of importance attached to operational resilience.

So far, attention has been on the regulated firms and the steps that they need to take to demonstrate resilience. We now see supervisory attention firmly on other entities in the supply chain, i.e. Critical Third Parties (CTPs).

What is a Critical Third Party?

The term describes third parties who are deemed to be critical by HM Treasury (HMT). Under the FSM Bill, HMT would use its power to assign this designation where HMT is:

The regulators have stated that CTPs include cloud service providers but are not limited to these firms. With the publication of DP3/22, we again see the UK’s supervisory bodies joining forces to send a strong message to the industry.

So what are the concerns?

Concerns arise as these special third parties may not be regulated but could cause harm by being embedded in the industry’s supply chain. As they’re not regulated, they are not subject to the same standards or supervisory oversight.

The onus is on regulated firms to manage their risks and complete appropriate due diligence to satisfy themselves that any risks are mitigated.

In some cases, the industry may be reliant on a handful of suppliers, meaning the risk of contagion is higher. Additionally, some of these suppliers may operate internationally and consequently conduct business to standards which vary from UK requirements or best practice.

What’s the answer?

The supervisors believe that there is an increasing dependency upon certain third parties and this dependency causes concern. The financial services sector is complex and, as we saw during the financial crisis, the failure of one link in the supply chain can have a domino effect with the potential for widespread chaos.

It is therefore crucial that firms and Financial Market Infrastructures (FMIs) understand any risks inherent in their outsourcing arrangements. So what do the supervisors have in mind?

The latest discussion paper proposes the following:

  • a framework to identify potential CTPs and recommend their designation to HMT based on the proposed designation criteria in the FSM Bill

  • minimum resilience standards that CTPs could be required to meet in respect of certain services they provide to firms and FMIs (referred to as ‘material’ services in this DP) and

  • resilience testing of CTPs set by the supervisory authorities using a range of tools and focused on the ‘material’ services they provide to firms and FMIs.


However, we need a balance between managing systemic risks and maintaining the UK’s competitive edge. Hence, the supervisors are collaborating to set standards to manage those risks. They also need to co-operate with their international counterparts. This is where we see the regulators' participation in international forums aiding alignment with other jurisdictions.

With operational resilience, we have seen various jurisdictions adopt frameworks or principles like those implemented in the UK. For example, the EU has the Digital Operational Resilience Act (DORA), IOSCO has issued its Principles and the US has indicated that its regime will be similar to the UK framework.

Operational resilience is needed to safeguard our economy as well as market participants and consumers. Failures within the financial sector can have far-reaching consequences. There are myriad examples of failures that have impacted the consumer personally, whether that be by losing invested capital or by higher taxes to pay for huge bailouts of companies that should have known better.

Given these factors and the level of importance that the FS industry has in our overall economy, it’s important to ensure that firms can respond quickly to disruptions and avoid a domino effect upon firms in the industry.

What does success look like?

Regulated firms should already have identified Important Business Services and considered their reliance on third parties as well as any sub-contracting arrangements. The key to success is ensuring that you’ve identified potential risks, are monitoring those risks and are able to respond quickly to resolve issues when they occur. Additionally, firms need to have oversight of these third parties as well as receive timely information about any potential issues. All of this leads to sharing of information, good communication and timely escalation of issues.

Ruleguard is an industry-leading software platform designed to help regulated firms manage the burden of evidencing and monitoring compliance. It has a range of tools to help firms fulfil their obligations across the UK, Europe and APAC regions.

Ruleguard allows firms to organise planning for extreme but plausible scenarios, model impact tolerances and identify investment gaps. It also helps firms to:

  • define service levels and tolerance thresholds for each service to define how much impact on customers and the market is acceptable in extreme but plausible scenarios

  • vary the resource parameters using our intuitive interface and see how these changes impact your service thresholds in the model

  • easily identify gaps for investment and automatically create a resilience self-assessment document for board review.

The scale of operational resilience compliance can seem daunting, but with Ruleguard’s experience and technical design skills we’ll help you quickly have it under control.

Please contact us for further information on: Tel: 020 3965 2166 or




Contact the author

Head of Client Regulation | Ruleguard
