This paper argues that the UK’s new critical third party rules are a solution in search of a problem. A smarter, more focused regulatory approach is necessary to avoid overregulation, reduce redundant compliance burdens arising from overlapping jurisdictions, and prevent regulatory capture.
What are your thoughts on the UK financial regulators new rules? Let's discuss!
The UK's Financial Conduct Authority (“FCA”) has confirmed “ new rules aimed to bolster the resilience of technology and other third parties providing key services to financial firms”.
While the intention to strengthen operational resilience is commendable, these rules risk imposing undue burdens on financial institutions and are a massive overreach to pull firms they may not currently regulate into their oversight.
We would do well to more thoroughly engage the FCA, Bank of England (“BoE”), and the Prudential Regulatory Authority (“PRA”) when they open up proposed actions for comment from the industry.
2/ Smarter Regulation, Not More Regulation
Regulation serves as a vital tool for maintaining the integrity and stability of financial markets. However, the efficacy of regulation is not determined by its quantity.
Overregulation will stifle innovation, increase operational costs, and create regulatory fatigue.
The regulators should focus on crafting smarter regulations that are proportionate to the risks involved and consider existing regulatory obligations.
As the FCA itself notes, financial firms and financial market infrastructures are subject to existing outsourcing and operational resilience rules.
In addition, most of these firms have a European presence which brings them into the European Union’s Digital Operational Resilience Act (“DORA”) sphere of influence.
3/ DORA
The European Union's Digital Operational Resilience Act (“DORA”), “aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption”.
The introduction of the FCA's new rules creates a dual regulatory environment where firms must navigate both UK and EU requirements. This overlap leads to:
The industry foresaw this overlap and the regulators sought to address it on page 32 here.
Except they didn’t.
They looked at it through the aperture of collaborating with international regulators instead of relief for those already subject to DORA.
4/ Scopeless Risk
The UK financial regulator’s new rules grant themselves significant autonomy to determine what constitutes a critical third party, thus granting them the power to regulate said party.
The good news - they lay out all the assessment criteria.
The bad news, the assessment is entirely subjective.
Perhaps the more eagle-eyed reader can find some numerical or statistical criteria for assessment in the document. This author could not.
In short, if the FCA, BoE, and/or PRA ‘assess’ your firm is a critical third party to the UK financial system, you now are subject to their oversight. This lack of precise assessment criteria presents several concerns:
Moreover, such autonomy raises the possibility of regulatory powers being weaponized against specific sectors or companies.
In extreme cases, regulators might impose stringent requirements or penalties on entities they disfavor, whether due to political pressures or subjective judgments, undermining the principles of fairness and impartiality.
And I could not find guidance on an appeal process for entities that felt they were unjustly categorized.
5/ Conclusion
While enhancing operational resilience is a legitimate goal, these new rules will inevitably have negative consequences for the financial industry.
Overregulation, especially when overlapping with existing EU regulations like DORA, imposes significant burdens without necessarily improving systemic stability.
The broad and undefined scope of the new rules grants excessive autonomy to regulators, risking arbitrary enforcement and potential misuse of power.
These rules should not have been published without much greater scrutiny from the private sector.
I am surprised at the lack of pushback..