Hogan Lovells
[co-author: Bianca Okoye]
On 8 June 2022, HM Treasury published its policy statement, outlining a proposal to regulate third parties to financial services and financial market infrastructure firms (“Firms”). This proposal comes shortly after the EU, on 11 May 2022, provisionally agreed to pass the Digital Operational Resilience Act (“DORA”), a piece of legislation that shares a similar objective, i.e. to mitigate the risks to financial stability and market confidence in the respective market. In this article, we examine the UK proposals and draw comparisons between DORA and the UK NIS Regulations.
The UK financial regulators (i.e. the PRA and FCA) require Firms to be resilient to operational disruption when contracting with service providers. The PRA Supervisory Statement on ‘Outsourcing and third-party risk management’ and the FCA Handbook set out requirements which Firms must follow, such as data security, business continuity and exit planning requirements. These obligations, quite critically, do not extend to the third-party service providers who contract with these Firms (the “Third Parties”).
The UK proposal therefore highlights the concerns over Firms’ dependency on a limited number of critical Third Parties (over whom the financial regulators have no oversight) for key services within the financial services sector. “As of 2020, for example, over 65% of UK Firms used the same four cloud providers for cloud infrastructure services.” Therefore, the failure or disruption of a critical Third Party could have a systemic impact across the financial sector.
The proposal therefore aims to allow UK regulators to directly oversee services provided by critical Third Parties, to ensure the resilience of financial services and reduce the risk of systemic disruption, and proposes to do this by enacting primary legislation. The proposed regime also aims to be flexible and proportionate.
Designating a Third Party as ‘Critical’
Third Parties will be designated as critical by HM Treasury via secondary legislation. HM Treasury would make the designation in accordance with a ‘designation framework’ which will be laid out in the primary legislation. HM Treasury would also consult the following parties when making such designation (and potentially other bodies):
The financial regulators (who may recommend that HM Treasury designate certain Third Parties as critical, based on their analysis of data and information from Firms);
Third Parties (who may make representations to HM Treasury, perhaps to avoid a designation as critical where they do not consider themselves to be such); and
Firms (who may make representations in relation to their own Third Parties, to HM Treasury).
Regulator Powers
In order to assess whether the resilience standards are being met, the financial regulators would be granted powers to:
The financial regulators would have the power to direct critical Third Parties to:
The question of how the proposed regulation will interact with the existing UK NIS Regulations is certainly something to consider. The NIS Regulations currently regulate relevant digital service providers (“RDSPs”) (which would include cloud computing service providers) and aim to boost the resilience of network and information systems that are critical for the provision of digital services and other services in specified ‘relevant sectors’ such as the energy, transport and health sectors. Whilst the NIS Regulations are not overseen and enforced by the financial regulators in relation to financial services, but rather by the ICO more broadly, at this stage we can determine that cloud computing service providers will now fall within the scope of regulation by the UK financial regulators, in addition to their existing regulator, the ICO. Firms can, as a result, take comfort in knowing that Third Parties will now be subject to oversight and enforcement by the same regulators by which they too are regulated. This may prove beneficial for the efficiency of, and mutual understanding in, contractual negotiations between Firms and Third Parties.
In the meantime, Firms should maintain compliance with the existing operational resilience requirements applicable to them whilst taking an active interest in these new proposals.