UK financial regulators set out plans for ‘critical third parties’ regime


Yvonne Dunn of Pinsent Masons, who specialises in financial services technology contracts, said: “Many of these requirements are currently included in services contracts as obligations on suppliers to reflect the regulatory obligations to which financial services firms are subject. With the new fundamental rules and the operational risk and resilience requirements proposed, CTPs must address direct requirements from the regulators rather than be indirectly affected by the regulatory regime via their contracts with financial services firms.”

As well as proposing what the new rules applicable to CTPs should address, the regulators also provided an insight into the more fundamental question of which specific businesses will be brought within scope of the new regime.

Under the Financial Services and Markets Act (FSMA) 2023, it is the UK Treasury, not the regulators, that has the power to designate third party service providers as CTPs – the Treasury can make such a designation if the failure in or disruption to the relevant third party service provider’s services would pose a risk to the stability of, or confidence in, the UK financial system. In considering the question of whether to designate or not, the Treasury is obliged to have regard to the materiality of the services that the third party provides to firms and FMIs to the delivery of essential activities, services, or operations, as well as the number and type of firms and FMIs to which the person provides services.

However, while the designation powers rest with the Treasury, it is obliged under the FSMA 2023 to consult with the regulators before exercising those powers and in practice it is anticipated that the regulators will proactively recommend to Treasury that it exercises its power to designate a third party as a CTP. In their consultation paper, the regulators explained how they will form an initial assessment, and make recommendations to Treasury, on whether individual third parties should be designated.

The regulators said their views in this regard will be informed by information gathered from a range of sources – predominantly, in time, information they intend to collect under a new outsourcing and third-party (OATP) data collection policy. The regulators intend to consult on that policy next year.

When looking at all the information, the regulators said they would assess the materiality of the services provided, the concentration of those services, and other drivers of potential systemic impact.

Those other drivers, they said, could include “the lack of viable alternative providers for one or more services”, or the difficulties and risks that could arise in switching, as well as the extent to which the third party “has direct access to firms’ and FMIs’ people, processes, technology, facilities, data, and information (the ‘resources’) that support the delivery of important business services”. They said that where third parties have such access, it “may have the potential to increase the systemic risk of any disruption or failure and hence the likelihood of designation”.

Yvonne Dunn said: “One of the concerns arising from the regulators’ prior consultation through the earlier discussion paper on a new CTP regime was that the CTP designation would be used by suppliers as a sales tool. The regulators have addressed this in the consultation paper by requiring that CTPs refrain from indicating or implying that they have the endorsement of regulators by virtue of their designation as a CTP. The regulators have also made clear that financial services firms and FMIs must continue to conduct due diligence.”
