United Kingdom: Implemented FCA, Bank of England, and PRA rules for critical third parties in financial services including resilience testing and incident reporting requirements

Description

On 1 January 2025, the Financial Conduct Authority (FCA), Bank of England, and Prudential Regulation Authority (PRA) rules to strengthen the resilience of critical third parties (CTPs) providing services to the financial sector enter into force. The rules aim to address the risks posed by reliance on a limited number of third-party providers, whose failures or cyber incidents could disrupt the financial system. The rules are aligned with international standards, such as the EU’s Digital Operational Resilience Act (DORA), and complement existing operational resilience requirements for financial firms and market infrastructures. The government will determine which third parties fall under the regime based on advice from regulators. Once designated, critical third parties will be subject to specific oversight related to the services they provide to the financial sector rather than being overseen in their entirety. The rules require these third parties to provide regular assurance, information, and notifications to regulators, as well as undertake resilience testing, including scenario-based exercises with firms and financial market infrastructures (FMIs). Additionally, critical third parties will be required to report major incidents, such as cyber-attacks.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: digital payment provider (incl. cryptocurrencies), other service provider
Implementation Level: national
Government Branch: executive
Government Body: central bank

Complete timeline of this policy change

2024-11-12
adopted

On 12 November 2024, the Financial Conduct Authority (FCA), Bank of England, and Prudential Regulat…

2025-01-01
in force

On 1 January 2025, the Financial Conduct Authority (FCA), Bank of England, and Prudential Regulatio…