UK: Critical third parties to the UK financial sector - regulatory notifications

Why should I read this?

If you are designated as a CTP in due course, or are reviewing your business in preparation for potentially being designated as a CTP, this briefing, along with our briefing on ‘Critical Third Parties: Designation and Rules’ will give you an overview of the new regulatory framework and what is required.

In particular, this briefing focuses on the new incident reporting rules, as well as broader notification obligations, that will be placed on designated CTPs.

What should I do?

Incident Reporting

A CTP must, as soon as is practicable, after the occurrence of a ‘CTP operational incident’, submit an incident report.

A CTP operational incident is defined as: an event or series of events: (1) causing serious disruption to the delivery of a ‘systemic third party service’[1]; or (2) impacting the CTP’s operations such that the availability, authenticity, integrity, or confidentiality of assets may be seriously or adversely impacted.

Only incidents with an actual impact on one or both elements must be reported, not events with potential uncrystallised impact (although note the broader regulatory notification requirements outlined below).

The CTP Rules set out a phased approach to incident reporting:

• Initial incident report: Must be provided to regulators AND affected firms as soon as practicable after a CTP operational incident occurs, containing key details about the incident and its impact.
• Intermediate incident reports: Required as soon as practicable after any significant change in circumstances from the initial report (or earlier intermediate report), providing information further to that already disclosed.
• Final incident report: To be submitted within a reasonable time after the incident is resolved, including details of root causes, remedial actions, and lessons learned.

Notifications

Separately, a CTP must immediately notify the regulators of any actual or potential circumstances or event that seriously and adversely, or could seriously and adversely, impact the delivery of its systemic third party services or comply with its obligations. Examples include civil or criminal proceedings, disciplinary measures/investigations, and financial difficulties.

CTP Fundamental Rule 6

The CTP regime is governed by six high level principles (the “CTP Fundamental Rules”).  CTP Fundamental Rule 6 requires that ‘a CTP must deal with the regulators in an open and co-operative way, and disclose to the regulators appropriately anything relating to the CTP of which they would reasonably expect notice.’  This is a separate – and broader – obligation to the incident reporting and notification requirements outlined above.

Inaccurate, False, or Misleading Information:

CTPs are required to take reasonable steps to ensure the accuracy and completeness of information provided to the PRA and/or FCA and firms. If a CTP becomes aware of any false, misleading, incomplete, or inaccurate information, it must notify any such regulators immediately.

Comment

The notification obligations upon CTPs broadly align with those imposed on financial services firms.  The purpose of these notification obligations is to ensure that the FCA and PRA have a wide range of information to enable them to meet their responsibilities for monitoring compliance with regulatory requirements and supervise firms effectively. 

Recent regulatory pronouncements have made clear that the approach to supervision is forward-looking, assessing firms not just against current risks, but also against those that could plausibly arise further ahead.  This requires firms (and will require CTPs) to be “open and straightforward in their dealings…, taking the initiative to raise issues of possible concern at an early stage”. 

Whilst regulators recognise that firms will want to investigate issues further once they have been identified, firms should not wait until they have completed internal investigations or attempted to remediate issues before making notifications. This is because, for supervision purposes, “understanding how an error has occurred is ancillary to knowing that an error had potentially occurred”. 

In future, when deciding whether to take enforcement action against a CTP, the regulators will consider how promptly, comprehensively and effectively the CTP brought any breaches to the attention of the regulators.

What else do I need to know about Critical Third Parties: regulatory notifications?

Designated CTPs (and firms who may potentially be designated as such and wish to comply from a best practice perspective) should:

• ensure that key stakeholders are familiar with the regulatory notification obligations and consider these at all times;
• review and update internal incident reporting procedures to ensure compliance with the operational incident reporting requirements; and
• following any notification, be prepared for increased regulatory scrutiny and the need to respond to regulators’ questions quickly and comprehensively.  Consider how best to manage this engagement.

Further reading:

• Supervisory statement SS6/24: Critical third parties to the UK financial sector - designation and rules

[1]                 A service provided by a CTP to one or more firms a failure in, or disruption to, the provision of which (either individually or, where more than one service is provided, taken together) could threaten the stability of, or confidence  in, the UK financial system.