Critical third parties: best practices for supplier resilience
This year marks one of the busiest on record for regulations affecting financial firms.

From the EU's Digital Operational Resilience Act (DORA) to the UK's Critical Third Parties (CTP) regime, financial organisations, and the firms that support them, face increasing pressure to monitor and manage risks that could threaten the availability of the services they provide to their clients.
Critical third parties
The CTP regime officially came into force on 1 January 2025. It was introduced by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) to strengthen how CTPs identify, manage and respond to disruptions, with the aim of protecting the UK financial sector.
Financial organisations today depend increasingly on a small number of third-party providers to deliver their services. While these providers can improve efficiency and banking services, a failure within one of them, whether caused by a cyber-attack, a power outage, a poorly executed change or another digital disruption, could affect consumers and UK businesses and pose a serious risk to the stability of the financial system.
This concern has been the key driver behind the introduction of the CTP regime.
The FCA and PRA want assurance that the firms financial organisations partner with practise good cyber hygiene, operate robust risk and control practices, and have monitoring and mitigation strategies in place to safeguard the availability of their services.
The regulation aims to improve resilience against digital disruptions, ensure suppliers adopt specific measures to safeguard their services, and mitigate the systemic risk that arises when many firms rely on a small number of third-party service providers.
Key requirements of the regulation include:
- Operational resilience standards: CTPs must meet requirements ensuring they can withstand and recover from disruptions to the services they provide to the financial sector.
- Regular reporting: CTPs must provide assurance, information and notifications to the regulators about their services, including regular self-assessments.
- Incident management: CTPs must implement protocols for managing incidents that could affect the financial sector and for notifying the regulators and affected firms.
Significant third parties
It has yet to be confirmed which firms will be designated as CTPs. Designation is made by HM Treasury, acting on the recommendation of the regulators, and the first designations are expected to be published during 2025.
Although no firms are affected immediately, cloud service providers and the largest managed service and data providers are likely to be among those designated.
Furthermore, while the regulation directly applies only to suppliers designated as CTPs, financial organisations will also need to assess their other suppliers to identify those that are significant to their operations.
These significant third parties (STPs) will not be covered by the regulation, but it is strongly recommended that they follow the same best practices expected of CTPs.
Many smaller firms, including many in the fintech sector, are likely to fall into this STP bracket.
Best practices for third-party resilience
To meet regulatory expectations and enhance resilience, financial organisations and their third-party providers should consider adopting the following best practices:
- Evidential requirements: Financial firms should obtain clear, verifiable evidence that their third parties can respond effectively to disruptions. This includes technical, organisational and contractual controls such as backup and restore processes for critical data (tested, not merely documented), recovery timelines and resilience governance structures.
- Scenario testing: Supply chain partners should establish robust scenario testing frameworks to assess their ability to withstand severe but plausible disruptions. Choosing appropriate scenarios is crucial; a scenario library, a repository of severe but plausible incidents such as a cyber-attack, a power outage or a poorly executed change, can help firms select relevant tests.
- Contractual obligations: Embedding security and scenario testing requirements into contracts ensures third parties commit to resilience obligations and can evidence them when required. This improves transparency and helps organisations meet their own regulatory obligations.
The introduction of the CTP regime marks an important step in enhancing the resilience of the financial sector. While financial organisations await confirmation of which suppliers have been designated as CTPs, they should already be identifying their critical and significant suppliers and ensuring robust security measures and controls are in place to comply with the regulation.