Bank of England (BoE) Proposes A Regulatory Regime For Critical Third Parties

  • Blog
  • Risk Management

Bank of England (BoE) Proposes A Regulatory Regime For Critical Third Parties

In recent years, enhancing operational resilience has been a top priority for regulators across the globe, creating a set of rules and guidance for firms to better manage their internal and external risk exposure. In the UK, the Bank of England is proposing a framework to oversee financial institutions’ exposure to critical third parties (CTPs) and safeguard stability. The regulation focuses on managing risks posed by systemic third-party concentration, recognizing that high concentration levels in the provision of material services can pose a risk to the financial system.

Third parties are integral to a firm’s supply chain and are a fundamental component of operational resilience because they provide essential services, expertise and resources that organizations depend on for their operations. However, their involvement also introduces additional risks, such as operational disruptions, data breaches and regulatory compliance issues. Effective management of these risks involves comprehensive contingency planning, continuous monitoring, and collaboration between the organization and its third-party providers.

Key features of the proposed CTP framework include the development of fundamental rules and operational risk requirements tailored to CTPs' material services. These requirements cover areas such as governance, risk management and incident management, with a focus on ensuring protection against potential systemic risks.

Verdantix expects the proposed UK regime for critical third parties (CTPs) to impact firms within the financial sector by:

  • Increasing oversight and accountability of firms: Organizations will face increased oversight from regulators regarding their ownership of operational resilience practices and reliance on critical third-party services, requiring enhanced due diligence processes and risk management practices to ensure compliance.
  • Enforcing dependency assessments: Firms must assess their dependency on critical third parties, identifying alternative service providers or developing contingency plans to mitigate associated risks.
  • Imposing collaboration with CTPs: Organizations will be required to collaborate more closely with designated CTPs to ensure the resilience of critical services, establish effective communication channels, and participate in joint risk assessments and incident response planning.
  • Mandating compliance with regulatory requirements: Firms will have to align their operational processes with regulatory requirements imposed by the CTP standards, including implementing additional controls and reporting mechanisms. This may incur additional costs for organizations, including investments in technology, cyber security measures and enhanced due diligence activities.
  • Impacting the competitive landscape: We expect that the CTP framework may influence firms' decisions regarding outsourcing and third-party arrangements, potentially leading to shifts in market dynamics and vendor relationships.


Next steps

In the UK, the consultation period ends in March 2024, with the final draft expected to be published in the second half of the year. In addition, other regulators across the world are starting to consider a similar approach. Under the Digital Operational Resilience Act (DORA) in Europe third parties delivering critical services will be subject to further scrutiny by their clients to mitigate any potential operational or digital threats

For more guidance on managing operational resilience within your firm, please read Verdantix Best Practices: Managing Operational Resilience.

Industry Analyst

Elizabeth is an Industry Analyst in the Verdantix Risk Management practice. Her current research agenda focuses on enterprise risk management, risk management information systems, organizational and strategic resilience, and global risk management trends. Prior to joining Verdantix, Elizabeth worked in corporate risk management roles across the financial and tech industries, where she gained hands-on experience of executing risk management strategies. She holds an MBA degree with a specialty in finance from the University of Lagos.