On 12 November 2024, the PRA and FCA published new policies on operational resilience critical third parties UK financial sector. This marks a major step for banks and investment firms.
The final rules from the Bank of England, PRA and FCA set out a regime to manage systemic risk posed by third-party providers. These documents detail the oversight mechanisms and enforcement plans designed to protect firms and market infrastructure from disruption or failure by critical service suppliers.
The updated oversight regime comes into force from 1 January 2025. It targets technology and operational services counted as systemic for the sector. The rules focus on regular assurance, information sharing, and testing.
Critical third parties must now annually assess and evidence their resilience, collaborating with clients on scenario-based exercises. Importantly, providers must report incidents promptly to regulators and affected firms. This includes cyber attacks, power failures or major outages. The framework aligns closely with international benchmarks, mirroring EU standards.
For our clients, the message is clear: responsibility for operational resilience and third-party management remains unchanged. While this regime adds regulatory scrutiny, it doesn’t diminish your duty to monitor outsourcing or supply chain risk. The regulators will advise HM Treasury on which providers should be designated subject to these rules, but firms remain directly accountable for risk management.
To ensure you remain compliant and resilient as these new requirements roll out, act now:
- Review your third-party contracts and risk policies against the new regulatory expectations.
- Engage proactively with service providers about incident reporting and assurance processes.
- Use our specialist compliance consulting to audit your third-party resilience and prepare for rule changes.
Contact us to talk about preparing for the new operational resilience critical third parties rules. Protect your firm’s stability and sector reputation as new standards go live.
