AWS for Industries

UK regime for critical third parties and its impact on financial services customers

As the proposed regime for critical third parties (CTPs) to the UK financial services sector continues to progress, financial institutions are interested in assessing and understanding the impact that working with a designated CTP will have on their reporting requirements and regulatory expectations around operational resilience.

The Financial Services and Markets Act 2023 allows HM Treasury to designate a third party as critical in consultation with the Bank of England (BoE), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA), jointly the Authorities. The regime will bring designated CTPs into the direct oversight of the Authorities for the first time to “manage potential risks to the stability of, and confidence in, the UK financial system that may arise due to disruption of services provided by a CTP”1. AWS is preparing for this regime based on the assumption that we will be designated as a CTP.

As part of the implementation of the CTP regime, on 7 December 2023 the Authorities published a consultation paper, CP26/23. The consultation paper (CP) sets out the considerations for designating CTPs as well as proposals for obligations from CTPs such as the Operational Risk and Resilience Requirements (ORRR), which are information gathering and incident management obligations. AWS responded to the CP on 15 March 2024, with our key points outlined below.

Advanced technologies, such as cloud computing, have significant benefits for the financial sector, including increased security, flexibility, operational resilience, rapid scalability and reliability. So, it is important that the implementation of any requirements does not introduce barriers on how our financial services customers choose to use technologies on a location or industry basis.

While we welcome the risk-based, outcomes-focused regime set out in the CP, we identified opportunities where changes could help better meet the objectives of the regime. These include introducing the AWS shared responsibility model2 as an appropriate regulatory concept for operational resilience; emphasising that any information required to be provided to the regulator under the regime will always be on a proportionate, useful, and relevant basis; and avoiding a requirement for regulated firms to adopt a multi-vendor cloud strategy as part of the CTP regime.

We also proposed specific changes to the Operational Risk & Resilience Requirements, approaches to ascertaining material services, incident management, the financial sector playbook and scenario testing. We identified these areas as they are where the proposals do not fit with the operating model of potential CTPs, such as cloud service providers, or how customers use them.

While the CTP regime does not mandate direct obligations for financial services firms, we expect AWS financial services customers will want to review their incident management, testing, and due diligence processes. AWS looks forward to working with our customers and the industry on these elements as the requirements are finalised.

The proposals do not reduce or eliminate the responsibility of financial services institutions to understand, manage, and carry out their own due diligence concerning operational resilience, outsourcing, and third-party risk management. However, the proposals set out in the CP should help deliver better understanding of the risks associated with the use of CTPs and financial services institutions should see an evolution of how they can apply a proportional risk-based assessment of CTPs on the topic of operational resilience.

The other important area for the Authorities to focus on when finalising the regime is international interoperability. Many customers have cross-border operations and want to use technology and services on the same basis without artificial barriers. So, ensuring that that new standards are built in global coordination with international bodies will also be important in delivering a workable regime.

AWS supports the objectives of the Authorities to ensure a robust UK financial system and appreciates the continued dialogue. AWS works to comply with applicable regulations and will continue to help customers understand our approach to the CTP regime and support them in enhancing their operational resilience.

If you have any questions about this consultation paper or about operational resilience in general, please contact your AWS account team. We have a team of regulatory and technology experts with a background in financial services ready to support you.

[1] https://www.bankofengland.co.uk/speech/2024/march/gareth-truran-keynote-speech-at-the-techuk-summit
[2] https://aws.amazon.com/compliance/shared-responsibility-model/

TAGS: ,
Michael Jefferson

Michael Jefferson

Michael Jefferson is head of Financial Services Public Policy UK, Middle East, Africa and Switzerland at AWS. He is also co-lead for Financial Stability Board (FSB) engagement. Michael leads on policy and engagement for issues relating to adoption and use of cloud across the finance sector. He has experience working in technology, trade associations, investment banking and the UK Government. Before joining AWS, he led on capital markets policy at the Investment Association and prior to that at UK Finance, representing the UK-based banking and finance industry. Previously, he was head of Public Policy EMEA at Nomura and spent the early part of his career as a UK civil servant working on international trade and business issues, including working in the office of the UK Minister for Trade and Investment.

Arvind Kannan

Arvind Kannan

Arvind Kannan is a Principal Compliance Specialist at Amazon Web Services based in London, United Kingdom. He spends his days working with financial services customers in the UK and across EMEA, helping them address questions around governance, risk and compliance. He has a strong focus on operational resilience and helping customers navigate the regulatory requirements and understand supervisory expectations