Technology and Outsourcing 2025

UK Law and Practice Contributed by: Richard Brown, Louisa Chambers, Adam Wyman and Michael Ross, Travers Smith LLP

Some of those firms (such as banks, large investment firms, insurers, building societies, and credit unions) are also subject to prudential supervision by the Prudential Regulation Authority (PRA). The FCA and the PRA have each published specific and detailed rules governing outsourcing arrangements entered into by regulated firms – although the provisions vary depending on the type of financial services business undertaken. Firms that are regulated only by the FCA will need to comply with the FCA outsourcing rules relevant to their type of firm, whereas firms that are regulated by both the FCA and PRA must also comply with the relevant PRA outsourcing rules. A number of rules in this area were originally derived from EU law, and may be subject to future changes as the UK continues to review this “assimilated EU law” over time. To date, the FCA and PRA have largely restated EU-derived outsourcing provisions without material amendments. The Bank of England regulates UK financial market infrastructures (FMIs) and has equivalent rules governing outsourcing arrangements.

Oversight

It is a key principle that a firm remains responsible for compliance with any applicable regulatory rules concerning any outsourced services. This means that the firm will need to exercise proper oversight and monitor the performance of outsourced service providers to verify that any relevant regulatory requirements are being satisfied. Where the firm fails to do so, it may be subject to enforcement action. The FCA and PRA outsourcing rules typically require the firm to carry out due diligence on any proposed service provider to ensure that the provider has the capacity to provide the necessary services effectively. In addition, the firm will normally be required to ensure that the outsourcing contract contains certain mandatory provisions – for example, those relating to ongoing co-operation and/or enhanced termination rights.
A firm must normally provide advance notification to the relevant regulator when proposing to enter into (or make significant changes to) a material outsourcing arrangement. Broadly, this is required where any failure or weakness in the outsourced services might cast serious doubt upon the firm’s continuing satisfaction of the conditions for authorisation or compliance with the general regulatory principles applicable to it.

In December 2024, the FCA, PRA and Bank of England each published proposed new operational incident and third-party reporting rules, broadening these existing notification obligations to cover “material third-party arrangements”, which would continue to include (but would not be limited to) material outsourcings. Finalised rules are expected by the end of 2025.

Critical third parties

Under the Financial Services and Markets Act 2000 (as amended), third parties providing critical services to authorised firms, payment and e-money institutions and FMIs may be designated as “critical” by HM Treasury. If designated, the services provided by such critical third parties (CTPs) will be subject to direct oversight by the regulators, which will be armed with information-gathering and enforcement powers. The new regime is intended to address concerns around the fact that a large number of regulated firms and FMIs are dependent on a small number of third-party service providers and the associated risks to the financial system should any such third party fail. Accordingly, a third party may be designated as a CTP only if a failure in, or disruption to, the provision of the relevant services could threaten the stability of, or confidence in, the UK financial system. This assessment will include the materiality of the services provided and the number and type of service recipients.

While the regime is only likely to affect outsourcings involving a relatively small number of very large and/or highly specialised service providers (particularly those which are cloud-based), the requirements it will impose upon them will be onerous.
In November 2024, the FCA, PRA and Bank of England published their respective final rules for designated CTPs, including detailed provisions on governance, risk and incident management, operational resilience and termination of services. At the time of writing (September 2025), no CTPs have yet been designated by HM Treasury, although some designations are expected by the end of 2025 following consultation.
