Critical Third Party Oversight Regime: What You Need to Know
March 31, 2025 - Blog


By Tilly Niven - Head of Marketing & Growth


The world of financial regulation just got a little more complex 🫠. As of 1st January 2025, the Critical Third Party (CTP) Oversight Regime is officially in play. This new UK financial services regulation, introduced by the Bank of England, Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) in their policy statement PS16/24, is set to shake up the way key service providers operate within the UK’s financial sector.

If you work with cross-border financial operations, this may sound familiar. The EU’s Digital Operational Resilience Act (DORA) introduced a similar set of financial compliance requirements for critical ICT providers, which took effect on 17th January 2025. The key difference? The UK’s regime focuses on the continuity of business services, whereas DORA takes a stricter, tech-driven approach, directly regulating ICT third-party providers. If you’re operating across both jurisdictions, ensuring compliance with both regulatory frameworks is now a must 🤓.

So, Who Does This Affect?

This new financial oversight regulation applies to Critical Third Parties (CTPs) serving:

  • PRA-regulated firms (such as banks and insurers)
  • FCA-regulated firms (like investment firms)
  • Financial Market Infrastructures (FMIs) (e.g., clearing houses and payment systems overseen by the Bank of England)

Each UK financial regulator will introduce its own set of compliance rules for CTPs, and the Bank of England is even implementing emergency provisions to help firms stay compliant when unexpected challenges arise.

While the regime places direct regulations on CTPs, it does not remove accountability from regulated firms, FMIs, or their senior management. Instead, it aims to level the playing field between financial institutions and a handful of powerful third-party service providers by making CTPs directly accountable to regulators.

And What Does This Mean in Practice?

The PRA, FCA, and Bank of England now have some serious regulatory oversight powers, including the ability to:
  • Identify critical third parties and recommend them to HM Treasury for designation.
  • Set compliance rules that impose new obligations on CTPs.
  • Direct CTPs in writing to take or avoid specific actions.
  • Gather regulatory information, conduct investigations, and appoint skilled persons to review compliance.
  • Enforce financial compliance regulations against non-compliant CTPs.
If you’re a designated CTP, you’ll need to follow six key fundamental rules, covering:
  • Integrity, due skill, care, diligence, and prudence.
  • Effective risk strategies and management systems.
  • Responsible and effective organisation of business affairs.
  • Open and cooperative engagement with regulators.
The Critical Third Parties Sourcebook (CTPS) also sets out detailed Operational Risk and Resilience Requirements. This means CTPs must have:
  • Strong governance and risk management.
  • Effective oversight of their supply chains.
  • Robust cyber resilience and technology safeguards.
  • Change management, service mapping, and incident response frameworks to reduce systemic risks.

These measures align with global financial regulatory trends, reinforcing the resilience of the UK financial sector.

When Do CTPs Need to Comply?

The obligations for each CTP kick in from the date specified in their designation order by HM Treasury. Once designated, a CTP must complete an initial self-assessment within three months. After that, expect a structured implementation timeline to follow.

For the full details, check out:

With these financial compliance changes now in force, financial firms and their third-party service providers need to be prepared. If you’re in the UK financial services industry, now’s the time to assess your third-party relationships and ensure compliance with these new regulatory requirements.

For more information, get in touch with Hello@founders-law.co.uk.
