UK DORA? Government sets out plans to legislate for direct regulation of 'critical' third parties to the finance sector

On 8 June, HM Treasury published a Policy Statement on “Critical third parties to the finance sector”. The Statement confirms the government’s intention to legislate for new and extensive powers to directly oversee certain technology providers to the finance sector for the first time, with significant implications for technology providers that are designated as ‘critical’.

Background: why is the government introducing new legislation? What are the limitations of the current framework?

Financial services ("FS") firms are increasingly reliant on third parties outside the finance sector for key functions or services, for example cloud-based computing services, given the advantages that outsourcing can provide. However, the government and FS regulators are concerned that use of third party technology by firms across the financial sector could potentially be a source of systemic risk (eg in the event of failure or disruption of the relevant technology, in particular where multiple firms rely on a select few providers.

Under the current regulatory framework, UK financial regulators do not generally have direct powers to regulate technology providers such as cloud infrastructure providers and other technology firms that are outside the finance sector. The FCA and PRA do require UK FS firms to implement requirements relating to their own use of technology, through requirements on outsourcing and third-party risk management, and operational resilience. This includes requiring firms to ensure certain contractual terms with third parties on areas such as data security, business continuity and exit planning. 

However, the UK FS regulators currently have no powers to directly supervise those third parties. Certain limited information gathering powers exist under the Financial Services and Markets Act 2000 (FSMA), in particular where financial stability concerns are identified, but there is no overarching power to exercise powers or give directions. The government considers the existing framework as "not sufficient to tackle the systemic risk that disruption at a third party providing key services to multiple firms could cause". Although each individual firm can manage the risks that it is exposed to individually, the UK regulators are mindful that individual firms are not able to manage systemic risks that might arise where third party firms provide material services to multiple firms.

Which third parties might be designated and how would this operate?

The new legislative powers would be specific to third parties that the Treasury designates as "critical". At this stage, the Policy Statement does not explain in detail how this would operate or set out detailed criteria for what constitutes "critical" (in the way that the EU's equivalent proposal has, for example). However, earlier commentary from the UK regulators suggest that designation will focus on third parties that "may be a source of systemic risk to the financial stability of the UK", for example because their services support material functions across a broad range of FS firms in the UK. 

Key points to be aware of regarding the designation process:

• HM Treasury would have the power to designate parties as "critical" in consultation with the UK financial regulators and other bodies and following a consultation process. In some cases (such as where the FCA and PRA have access to data on firms' use of third parties), the regulators might proactively recommend to HM Treasury that certain parties be designated. 
• Designation would take place under secondary legislation, taking into account criteria such as the number and type of services a third party provides, and the materiality of those services. 
• HM Treasury would need to have regard to representations made by the potential critical third parties. 

What powers would the UK regulators have over providers designated as critical?

Once designated, the UK regulators would have a broad range of powers, exercisable in respect of "material services" (being those that are of relevance to the regulators' objectives) provided to the finance sector:

• This could include the power to make rules relating to service provision (eg to impose resiliency standards), to gather information, and to take formal action, including enforcement action, where needed.  
• Critical providers could also be required to take part in a range of targeted forms of resilience testing.

• To assess whether resiliency standards are being met, regulators would have various powers, including to commission independent 'skilled persons' reports (similar to the existing s166 FSMA regime), appoint an investigator to investigate potential breaches, interview representatives, or enter the provider's premises under warrant.
• Enforcement powers would include powers to publicise failings, and as a last resort, prohibit critical third parties from providing future services to UK firms. 
• Financial regulators would need to coordinate with each other when exercising these powers; it's not yet clear how the powers would be split between the different regulators. 

However, the paper emphasizes that it is important that the finance sector and its supply chain remains competitive and innovative, and therefore the regime needs to be "flexible", "proportionate", and still allow UK firms to harness the benefits of outsourcing, while managing the risks.

For authorised firms: could direct regulation of technology providers reduce the compliance burden for FS firms?

No. The government has been clear that firms remain accountable for managing risks to their own operational resilience, and that this will continue to be the case following the new legislation. The regime is intended to manage potential systemic risks arising from concentration among certain key providers -this will not replace the individual responsibilities of firms to manage their own risks.

For technology providers: we are a technology provider to multiple UK financial services firms. How might the proposed regime affect us?

Those third parties designated as critical will need to adjust to direct supervision and oversight from the UK FS regulators for the first time. Directions from the UK regulators on areas such as resilience and cyber security could restrict providers' flexibility over service offerings and operational arrangements. Businesses could be subject to detailed oversight of their compliance, governance and operational arrangements, with the potential for investigative powers, enforcement action, public disclosure, or even restrictions on service provision. 

Service providers to the finance sector might want to start considering whether any services they offer to UK FS firms could make them potential targets for designation. 

Service providers should also be mindful of the potential change to the regulatory dynamic when negotiating with FS firms. The Statement notes the possibility that firms could make representations to HM Treasury concerning their own third parties. If firms are having difficulties obtaining the necessary contractual terms with tech providers, they might seek to use this as leverage. 

How does the proposal compare to the EU's measures?

Compared to the UK, the EU is closer to finalising a legislative framework for oversight of critical third parties, under the digital operational resilience act ("DORA"). Both regimes seek to address potential systemic risks with critical third parties in FS, but with differences in approach. 

Interestingly, the UK government makes no reference to the EU's work on DORA, despite referencing the need to coordinate with international regulators. Once more detail on the UK legislation is available it will be possible to assess to what extent the two regimes align, or whether providers operating in both the UK and EU will need to adjust to two different regimes as the UK charts its own post-Brexit path. 

Next steps

The UK government states that it intends to legislation for the regime "when parliamentary time allows". Shortly after that, the financial regulators will publish a joint Discussion Paper, setting out how any statutory powers granted to them might be exercised and seeking views from industry on effective and proportionate ways to do so. It will also explore how coordination with overseas financial regulators might take place. 

Following Royal Assent of the legislation, the paper anticipates a further Consultation Paper from the UK financial regulators on their proposed rules, building on the feedback to the Discussion Paper and based on their proposed new statutory powers. HM Treasury then expects to begin designating the first critical third parties under the new regime once the regulators' rules have been finalised. 

What can businesses do now?

Keep an eye out for, and consider responding to, the upcoming Discussion Paper, which will seek feedback from industry on how the new powers should be exercised in an effective and proportionate way.

We are following this topic closely. If you're interested in discussing the potential impact on your business, do get in touch.