This year, the UK is introducing a new regulatory framework for critical third parties (CTPs).
CTPs are technology providers whose services are considered essential to the functioning of the UK financial system.
For this reason, the government is giving the regulators additional powers to regulate the most ‘critical’ of these providers directly.
The new regime complements, but does not replace, existing outsourcing and operational resilience rules, effectively sharing the responsibility for compliance between providers and users.
Throughout 2025, all three regulators – the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England – will proactively identify potential CTPs and recommend them to HM Treasury for official designation. Only designated CTPs will need to follow the new rules.
There are still many unknowns around how this case-by-case assessment will work in practice, but it is worth preparing now as the new rules are likely to affect all independent financial advisers (IFAs).
Designated CTPs will need to comply with the following:
- Requirements broadly aligned with existing FCA/PRA regulations for financial institutions.
- Incident management and reporting requirements.
- Self-assessments and scenario-based testing.
- Setting a maximum tolerable level of disruption.
While CTPs are subject to the new rules, financial firms are still accountable for their own operational resilience and third-party risk management.
It’s still early days in the UK’s CTP regime. However, based on the criteria and discussions so far, here are some likely examples:
Cloud service providers:
- Hyper-scalers: Amazon Web Services, Microsoft Azure, Google Cloud Platform.
- Specialised cloud providers: Firms offering specific cloud solutions for financial services, like core banking platforms or trading systems.
Data providers:
- Market data providers: Companies like Bloomberg, Refinitiv, and ICE Data Services provide essential market data feeds for trading and investment decisions.
- Credit rating agencies: Firms like Moody’s, S&P Global, and Fitch Ratings, which provide credit ratings that influence lending and investment decisions.
Technology infrastructure providers:
- Network providers: Companies that provide critical network infrastructure and connectivity, such as BT, Vodafone, and Virgin Media.
- Data centre operators: Firms that operate the data centres housing critical systems and data for financial institutions.
Software providers:
- Trading platform providers: Firms that provide trading platforms for financial markets.
Other potential CTPs:
- Artificial intelligence (AI) providers: As AI becomes more prevalent in finance, providers of key AI models or data sets could be designated.
- Cybersecurity providers: Firms providing essential cybersecurity services to the financial sector.
Given the ubiquity of critical third-party providers, the new rules are likely to affect almost all IFAs operating in the UK.
The good news is that the recommended actions are for the most part activities which firms should be carrying out already under operational resilience and third-party risk management regulations.
As before, firms should conduct thorough due diligence on CTPs and have robust risk management frameworks in place. You should also actively monitor the performance of your critical third parties and their compliance with regulations.
It will be more important than ever to establish clear communication channels with providers and be prepared to cooperate with them in the case of an incident. And firms should have contingency plans in place to deal with potential disruptions to CTP services.
We suggest revising your reporting processes regarding material outsourcing arrangements. This includes identifying materiality in alignment with regulatory expectations and documenting sub-outsourcing arrangements if applicable.
The new regime aims to strengthen the resilience of the UK financial system. A positive outcome for firms is that the CTP regime is about shared responsibility – both CTPs and the firms that rely on them have a role to play in ensuring this resilience.
The new regime will likely lead to increased compliance costs for CTPs, and it remains to be seen whether they will pass these costs down to users and consumers.
But firms should also benefit from the regime in terms of increased transparency and access to information, which should assist them with their own operational resilience reporting and risk management efforts.
Christian Blackwell is associate partner at Pathlight












