In an 8 June 2022 policy statement, the UK Government proposes a specific regime for supervising “critical” service providers to the financial services industry. This is to address concentration risk as many regulated firms rely on a few large service providers whose failure could potentially threaten the stability of, or confidence in, the UK’s financial system. The Government observes that in 2020 over 65% of UK regulated firms used the same four cloud providers for cloud infrastructure services.
While the regime will target “critical” service providers, this is also relevant to regulated firms that are required, under existing outsourcing and operational resilience requirements, to manage the risks associated with outsourcing. However, the statement notes that “no single firm can manage risks originating from a concentration in the provision of critical services”. This may be because there is no easy substitute in the event of disruption, or because firms may not have sufficient negotiating leverage to secure necessary protections (the statement refers to “significant information and power asymmetries”).
Under the regime, HM Treasury will designate certain third-party service providers as “critical” following consultation. Regulators will then have powers to impose minimum resilience standards directly on such designated third parties and to take enforcement action, including prohibition from providing services. The overall framework will be set out in primary legislation, and the designation of each “critical” service provider will be made by secondary legislation.
There is currently no fixed timeline as the proposed regime requires new legislation (to be made “when parliamentary time allows”). UK regulators are expected to publish a joint Discussion Paper followed by a further consultation on the relevant rules. We look forward to developments with interest.