The latest piece in the operational resilience jigsaw: what do banks need to know about the newly refined rules for Critical Third Parties (CTPs)? 

In recent years, UK banks and regulators have taken significant steps to enhance the operational resilience of financial firms. Among the key initiatives are the Financial Conduct Authority’s (FCA) Policy Statement PS21/3 and the Prudential Regulation Authority’s (PRA) Supervisory Statement SS1/21, both introduced in 2021. These regulations established foundational requirements for banks to strengthen their operational resilience.  

Building on these efforts, the recently published PS16/24 (Operational Resilience: Critical Third Parties to the UK Financial Sector) focuses on the vital role of third parties within a bank’s extended enterprise. This new policy statement is set to take effect on January 1, 2025. 

Since the introduction of the initial regulations, we have collaborated with numerous banking clients to strengthen their operational resilience. In one recent example, we conducted a gap analysis and developed a comprehensive plan to align the operational resilience policies, standards and frameworks of a newly acquired bank with those of its Tier 1 parent bank. 

The inherent risks of third parties

Third-party-related issues were the leading cause of operational incidents reported to the FCA between 2022 and 2023. In July 2024, a major CrowdStrike outage, widely regarded as the “largest outage in history”, disrupted numerous airports, businesses and healthcare services. The incident affected an estimated 8.5 million Microsoft Windows devices – less than 1% of all Microsoft Windows machines – but caused significant economic and societal impacts because of the critical nature of the affected organisations.

The high-profile CrowdStrike outage highlighted the significant risks third parties can pose when providing critical services to banks, along with the potential implications for the broader UK financial system. 

Regulators’ spotlight on Critical Third Parties (‘CTPs’)

The new rules represent the latest addition to the operational resilience regulatory landscape for banks. These regulations: 

  • Explicitly define Critical Third Parties (‘CTPs’) as specific entities whose service failures or disruptions could significantly impact the stability or confidence of the UK financial system
  • Require CTPs to adhere to standards similar to those imposed on financial firms in the original operational resilience regulation (PS21/3), including technology and cyber resilience, governance, incident reporting and notification standards

Our view: The steps banks can take today   

While the new policy statement does not introduce additional requirements for banks directly, banks remain accountable and responsible for managing the risks in any outsourcing or third-party arrangements as part of the extended banking enterprise. Below are steps banks can take today to strengthen their operational resilience: 

1. Review important business services and identify critical third parties 

Managing important business services (IBS) and identifying critical third parties are the foundational steps to enhancing operational resilience for banks. Current processes can be further enhanced by using big data tools and machine learning to provide dynamic visualisations of the key services and dependencies of IBSs. Our deep banking and operational resilience expertise can help banks to efficiently refresh and improve these materials ready for the upcoming CTP rules. 

2. Adapt business processes and plan for collaboration  

The new rules set expectations for CTPs, including increased information sharing with banks, such as annual self-assessments and enhanced collaboration through joint testing of incident management playbooks. We can support banks in designing future-state processes that incorporate digital solutions, such as AI-powered tools to analyse third-party contracts, extract key insights and flag risks. These solutions enable banks to efficiently manage their third-party oversight responsibilities while ensuring compliance with the new regulations.   

3. Enhance the cyber resilience of critical third parties 

With cyber risks escalating, banks must actively work with third parties to minimise their cyber risk exposure. We advise banks to design, build and optimise third-party-related cyber controls, integrating broad risk management capabilities and leveraging diverse solutions to demonstrate measurable risk reduction. Banks can implement measures such as scoring models to evaluate third parties’ cybersecurity, collecting data on variables such as vulnerabilities and past incidents to monitor progress and demonstrate improvements in resilience.

Want to know more? 

We have extensive experience delivering operational resilience programmes for our clients. Please get in touch to talk to our operational resilience and third-party risk management experts.
