Statement
The Financial Conduct Authority, Bank of England and Prudential Regulation Authority (UK regulators) have together signed a Memorandum of Understanding (MoU) with the European Supervisory Authorities to enhance cooperation and oversight of critical third parties (CTPs) that fall under the UK’s CTP regime.
The MoU establishes a framework for coordinating and sharing information on the oversight of CTPs under the UK regime and Critical Third Party Providers (CTPPs) under the EU’s Digital Operational Resilience Act (DORA), including during incidents such as power outages or cyber-attacks.
The MoU aims to manage potential risks to financial stability and market confidence, as well as strengthen international cooperation. It will also help reduce duplication and regulatory burden on CTPs and CTPPs.
The UK’s CTP regime complements similar international standards and is designed to be compatible with DORA. The agreement demonstrates UK regulators’ commitment to cross-border cooperation and strengthening operational resilience to support growth and promote market stability.
Background
- In 2024, UK regulators introduced new rules to bolster the resilience of critical third parties providing key services to the financial sector.
- These rules came into effect on 1 January 2025 and apply once a CTP is designated by HM Treasury (HMT).
- HMT is responsible for deciding which third party service providers should fall under the new CTP regime. The rules will require designated CTPs to provide regular assurance, undertake resilience testing and report major incidents.
- The designation process has begun and the regulators will continue to work with HMT throughout the designation process.
- The regime does not reduce the responsibility of financial firms and Financial Market Infrastructures (FMIs) to manage their own operational resilience and third-party risks in line with existing outsourcing rules.