AWS for Industries

What customers need to know about implementing the UK regime for critical third parties

On 12 November 2024, the UK financial services authorities (Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA)) published the final documents on the critical third parties (CTPs) to the UK financial sector regime (‘the regime’). These documents confirm the approach to and details of implementation of the regime, which will expand the regulatory remit to specific services CTPs provide to the UK financial sector. AWS is preparing for this regime based on the assumption that regulators will designate us as a CTP.

Supervisory Statement (SS) 6/24 and the Critical Third Parties Instrument in the PRA Rulebook set out the key changes. The instrument details the requirements for designated CTPs, while SS6/24 provides guidance on interpreting it and forms the basis of what the regime will require.

Key points important for the financial services sector include:

  • These rules introduce the concept of Systemic Third-Party Services (STPS), a subset of services offered by a CTP whose failure or disruption could threaten the stability of, or confidence in, the UK financial system.
  • CTPs must meet detailed requirements for their STPS, including performing scenario testing, running incident management playbook exercises, and sharing information.
  • The regime came into force on 1 January 2025, but will only apply once regulators confirm CTP and service designations. This will take at least six months, so the first designation is expected in mid-2025. Once designated, CTPs will have three months to perform the first self-assessment on their STPS compliance.
  • The regime aims to align with international standards and focus on interoperability with other jurisdictions.

The overall objective of the regime is to help manage risks to the stability of, or confidence in, the UK financial system posed by systemic third-party concentration risk. This regime addresses third parties and builds on wider tenets established in SS1/21, SS2/21 and the Statement of Policy (SoP) ‘Operational resilience’. These set out expectations on financial sector institutions in dealing with outsourcing and third-party risk management and impact tolerances for important business services.

The UK CTP regime is an outcomes-based regime, providing flexibility for CTPs without placing an additional burden on firms using their services. AWS supports the objectives of the Authorities to ensure a robust UK financial system and appreciates the ongoing dialogue and opportunity to engage throughout the process. AWS works to comply with applicable regulations and will continue to help customers understand our approach to the CTP regime and support them in enhancing their operational resilience.

Impact on our customers

The UK regulators have clarified that the requirements under the regime do not eliminate, reduce, or replace the accountability of firms, their boards, and senior management. As such, the regime does not impose direct mandates on our customers. However, regulators will expect customers to submit accurate information about their usage of third parties so that the regulators can designate CTPs and their STPS. We expect firms will review their risk management and due diligence practices in light of any additional information received from CTPs as a result of the requirements. AWS has a range of services that help organizations deliver effective incident management within AWS and hybrid environments. As part of the AWS Well-Architected Framework, we also provide clear guidance for cloud incident management.

If you have questions about this regime or about operational resilience including incident management, please contact your AWS account team. We have a team of regulatory and technology experts with expertise in financial services ready to support you.

Michael Jefferson

Michael Jefferson is head of Financial Services Public Policy UK, Middle East, Africa and Switzerland at AWS. He is also co-lead for Financial Stability Board (FSB) engagement. Michael leads on policy and engagement for issues relating to adoption and use of cloud across the finance sector. He has experience working in technology, trade associations, investment banking and the UK Government. Before joining AWS, he led on capital markets policy at the Investment Association and prior to that at UK Finance, representing the UK-based banking and finance industry. Previously, he was head of Public Policy EMEA at Nomura and spent the early part of his career as a UK civil servant working on international trade and business issues, including working in the office of the UK Minister for Trade and Investment.

Arvind Kannan

Arvind Kannan is a Principal Compliance Specialist at Amazon Web Services based in London, United Kingdom. He spends his days working with financial services customers in the UK and across EMEA, helping them address questions around governance, risk and compliance. He has a strong focus on operational resilience and helping customers navigate the regulatory requirements and understand supervisory expectations.