Managing technology supply chains
What the advent of the UK’s critical third party regime means for financial services firms and technology providers
Digital Speaks Series
Nov 25, 2024
Summary
The FCA, PRA and Bank of England have published their finalised critical third party (CTP) rules (and accompanying guidance) in PS24/16 Operational resilience: Critical third parties to the UK financial sector.[1] The new rules, which come into force on 1 January 2025, will see designated technology providers whose failure is deemed to pose a systemic risk to the UK financial system become subject to new principles-based, outcomes-focused rules and requirements overseen by the financial services regulators.
This is timely given the increasing trend in third-party-related incidents affecting operational resilience at financial services firms. On 31 October, the FCA published its “lessons for operational resilience” following its review of the financial services sector’s response to the recent CrowdStrike outage, which noted that third-party-related issues were the leading cause of operational incidents reported to it in 2022-2023. This only bolsters the regulatory case for the CTP rules, given the risk posed to the stability of financial markets by dependence on a small number of third party service providers. The new CTP rules sit alongside the wider rules on operational resilience set out in PS21/3 Building operational resilience, which become fully operational on 31 March 2025.
What are the final rules and how do they differ from the consultation paper?
We discussed the proposed rules set out in CP26/23 - Operational resilience: Critical third parties to the UK financial sector in our Emerging Themes in Financial Regulation & Disputes article: Joining The Dots. At a high level, the proposals were for a set of fundamental rules that all CTPs would need to follow in respect of all the services they provide, together with a more detailed set of requirements applicable to a CTP’s material services (the eight Operational Risk and Resilience Requirements). The proposals also prescribed new information sharing and self-assessment requirements for CTPs.
Following consultation, the primary thrust of the rules has remained unchanged, with some minor changes made to reflect consultation responses:
- The changes principally relate to terminology changes, with, for example, ‘material services’ re-badged to ‘systemic third party services’.
- Some clarificatory changes, for example to explain how service disruption or failure could impact the stability of the UK financial system.
- Recognising that some CTPs will not be well versed in UK financial regulatory matters, the final rules mandate a grace period following designation, so that CTPs can get up to speed before submitting the relevant self-assessments.
- Removing the need for CTPs to nominate a UK legal person, instead only requiring that all CTPs provide an address for service in the UK.
What happens next?
Third party service providers likely to be within scope will be awaiting the initial round of CTP designations by HM Treasury (HMT), which is expected to take place in early 2025. The Bank of England, the PRA and the FCA’s updated version of their Approach to the oversight of critical third parties includes the criteria the regulators will use to identify CTPs and recommend them to HMT for designation.
What will be required of designated CTPs?
Once designated, CTPs will be required to:
- Comply with the six CTP Fundamental Rules (with Rules 1-5 applicable only in respect of systemic third party services of the CTP, and Rule 6 applicable in respect of all services offered by the CTP).
- Meet the eight Operational Risk and Resilience Requirements (ORRR).
- As part of the ORRR, within twelve months of designation, conduct mapping of the resources (including persons, key nth-party providers, assets, supporting services and technology) and internal/external interdependencies required to support delivery of each systemic third party service it provides (and regularly update this thereafter).
- Submit an interim self-assessment to the relevant regulator within three months of designation as a CTP and thereafter provide an annual update, to detail the CTP’s compliance with the CTP rules.
- Set an appropriate maximum tolerable level of disruption for each systemic third party service and share details of this with the firms to which it provides that service (subject to the ability to agree higher thresholds in contracts with specific counterparties). This should include at least one time-based metric and cover the end-to-end delivery of the systemic third party service in both business-as-usual and periods of heightened or peak activity. The level should be informed by information from firms about which systemic third party services are key to the resilience of their important business services and the recovery times they would expect in relation to those services.
- Conduct regular scenario testing (in conjunction with firms and regulators) of the CTP’s ability to continue providing each of its services within its appropriate maximum tolerable level of disruption, in the event of a severe but plausible disruption to its operations.
- Devise and conduct incident management playbook exercises.
- Conduct appropriate incident reporting, including in respect of near-misses.
- Plan for termination or disorderly exit from an arrangement to provide a systemic third party service.
Financial services firms that rely on service providers playing a prominent role in the UK financial services ecosystem will be watching attentively, in particular to understand:
- How the designations affect their own operational resilience strategy.
- The possible impact on their own compliance costs.
- The costs of acquiring technology solutions from newly designated CTPs.
Whilst the regulators have again emphasised that the CTP regime does not relieve firms of their own operational resilience obligations under PRA and/or FCA rules, the reality is that CTP designations will inform how firms assess their operational resilience – especially if the firm’s service supply chains involve several CTPs – and will affect how the firms are required to interact with the CTPs.
From a ‘day 1’ perspective, following designation, firms may not see many immediate changes to the nature of the services they receive from CTPs. However, to demonstrate that it is meeting its new commitments under the CTP regime, a CTP will be expected to interact more with its financial services clients: for example, involving them in setting tolerances for disruption and in scenario testing, and understanding the interplay between the CTP’s services and a firm’s identification of its important business services and critical/material outsourcings. Firms will also receive more information to inform their own operational resilience strategy, from the CTP’s annual self-assessment, from feedback on incident management playbook exercises and from the results of scenario testing.
Note, however, that CTPs are not required to remediate their customer contracts immediately to reflect the new CTP requirements, but rather as and when contracts come up for renewal in the ordinary course of business. This contrasts with the re-papering exercises currently being undertaken by businesses in the EU in readiness for implementation of the EU’s Digital Operational Resilience Act 2022/2554 (DORA). The CTP rules are intended to align with international standards, particularly DORA and US requirements such as the incident reporting rules and the Bank Service Company Act. See our previous article: The EU’s Digital Operational Resilience Act 2022/2554 (DORA).
The regulators stress that being badged as a CTP is not intended to function as an endorsement. Feedback to CP26/23 suggested that, whilst there may be a halo effect for providers designated as CTPs, there are countervailing disincentives, as set out above in “What will be required of designated CTPs?”. Some respondents also suggested that the increased regulatory burden on CTPs will see their internal compliance costs increase and that these costs will be passed on to customers, which may affect how firms select third party service providers to support important business services.
It is important to highlight that there are currently no financial sanctions for non-compliance by CTPs with the CTP rules. Instead, regulators can issue directions instructing a CTP to take (or not take) certain actions, which could extend to being told not to offer services to regulated firms. It is questionable whether a regulator would wield this sanction in practice, given the risk that it could leave regulated firms without an important service provider; it is unlikely to be deployed without significant warning to the market.
How can BCLP help?
There is substantial change on the horizon in this area and we can help you navigate it. We have a highly regarded, multi-disciplinary team of lawyers across various jurisdictions who provide advice on operational resilience requirements and complying with the CTP regime, DORA, and related requirements.
[1] These rules are set out separately in each regulator’s rulebook but are substantively the same (e.g. in the FCA Handbook’s CTPS (Critical Third Parties) sourcebook).