Understanding the UK critical third parties regime and how Halbarad helps

2 official sources used

The UK critical third parties regime is aimed at systemic risk from service providers whose failure could threaten the financial sector. It is different from ordinary outsourcing rules because designated critical third parties can be subject to direct regulatory requirements. Firms still need to understand their own dependencies and concentration exposure.

Official sources

The FCA policy statement says the rules came into force on 1 January 2025.

What the regime is trying to do

The regime recognizes that a small number of technology, cloud, data, and infrastructure providers can become critical to many firms at once. The failure of one provider can create sector-wide disruption. The UK regime gives regulators tools to oversee designated providers directly while firms continue to manage their own outsourcing and resilience obligations.

What it covers

  • designation of critical third parties by HM Treasury;
  • direct requirements for designated providers;
  • information gathering, testing, incident notification, and resilience expectations;
  • firm dependency and concentration visibility;
  • coordination with outsourcing and operational resilience frameworks.

Evidence to maintain

  • Dependency map showing providers that could create concentration risk.
  • Services, systems, data, and business services supported by major providers.
  • Contract, resilience, incident, and exit evidence.
  • Monitoring records for outages, incidents, advisories, and provider changes.
  • Management reporting on concentration exposure.

Common gaps

  • Firms know direct cloud providers but not shared subservice dependencies.
  • Concentration analysis is high-level and not connected to business services.
  • Provider incident evidence does not show which important services were affected.
  • CTP regime work is separated from outsourcing and operational resilience records.

How Halbarad helps

Halbarad can help firms map direct and downstream dependencies, show concentration exposure, monitor provider change signals, and connect provider incidents to services, systems, data, owners, and remediation.

Disclaimer

This guide is for general information only and is not legal advice. Review the official regulation, guidance, and supervisory materials, and consult qualified counsel or compliance advisors for your organization's specific obligations.