
Out-Law Analysis

UK CTP regime to shape financial institutions’ IT contracting


Financial institutions in the UK should consider the implications of the newly announced regime for ‘critical third parties’ (CTPs) on their relationships with IT service providers and on the financial services industry more widely.

We expect the new CTP regime to have implications for services contracts with financial institution customers, as well as for the internal running of the business of the affected CTPs. Financial institutions should prepare for this and expect CTPs to be considering the implications of their new status when negotiating contracts.

The CTP regime in brief

The financial sector is increasingly reliant in its daily operations on outsourced technology and third-party service providers. In that context, the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority have moved collectively to introduce new rules to try to ensure sector stability and operational resilience.

The regulators’ supervisory statement released on 12 November targets third-party service providers deemed ‘critical’ to the financial sector as a whole (CTPs). The new regime, which formally takes effect on 1 January 2025 but which will only have a practical impact on businesses after the Treasury designates CTPs as subject to the new rules, will impose new governance and transparency standards on CTPs.

The CTP regime builds on, but is distinct from, operational resilience obligations UK financial institutions are already subject to. While the CTP regime will not introduce new rules directly on financial institutions that are customers of CTPs, it is likely to have implications for contractual negotiations with CTPs. We explore some of these implications below.

Transparency

The CTP regime explicitly directs CTPs to be transparent in their dealings with their customers, to help customers best manage and mitigate their own risk. This may make CTPs more willing to agree to increased reporting and transparency obligations in material services arrangements.

The new regulatory requirements also mandate that CTPs engage in certain reflective exercises to analyse and evaluate their own operations. Resource mapping, supply chain analysis and self-assessments are just some of the reports that CTPs are required to provide. Financial institutions could seek to obtain these from CTPs as part of their own reporting, to the extent that they are not already covered by standard reporting obligations.

CTPs will also be required to designate a certain individual or individuals in their organisation as key points of contact for the regulators, responsible for managing communications concerning matters of compliance and of their firm’s operations and resilience. Financial institutions may wish to consider designating these individuals as key personnel within the contract, and having access to these personnel in governance forums.

Testing

CTPs will be required to periodically review, update and test their business continuity and disaster recovery, or incident management, procedures. Financial institutions will likely already seek to have input or consultation on these procedures in the context of material services arrangements, but the regulatory context for CTPs carrying out review and testing may help institutions secure these rights in the contract.

Under the new regime, CTPs will also be required to engage in pooled incident management playbook exercises with a portion of their customer base. Financial institution customers may wish to obtain a contractual right to be offered a place in these exercises, as this could afford them the best opportunity to provide feedback for and input on the resilience procedures and plans of the CTPs that they are relying on.

Additional notification requirements

The regulatory status of third-party service providers is dynamic under the CTP regime, with the designation of a provider as a CTP being both service- and context-dependent. We expect financial institutions to include obligations in the contract for a service provider to notify when CTP status is given or removed, as well as when specific services provided by a CTP are designated as critical.

Material services arrangements will already have provisions requiring the service provider to notify the customer when certain operational resilience-related events occur, such as an operational incident. The CTP regime introduces additional circumstances in which the customer may wish to be notified – for example, where there are changes to the leadership structure of the CTP or if enforcement action of any kind has been taken against the CTP by regulators. This will help financial institutions manage and mitigate their own risk and, since CTPs are already required to notify the regulators of these matters, bringing financial institution customers into the loop when those notifications are made should not cause significant challenges for CTPs.

Implications of CTPs being regulated

CTPs may place obligations on their customers to ensure regulatory compliance. For example, we expect CTPs to seek mutual rights to disclose confidential information to regulators. While this is reasonable, financial institutions will want to assess CTP requirements to ensure they do not go beyond what is needed for regulatory compliance.

CTPs are also subject to a regulatory duty to map resources used by them in the provision of all critical services that they provide. Sometimes these resources may be provided by customers as dependencies under a services agreement. If that is the case, CTPs may negotiate harder for these dependencies and the remedies, should the dependency not be met by the customer. Financial institutions will need to consider the effect of this in the context of specific services arrangements.

Standardisation of CTP commercial offerings

We may see CTPs trying to introduce increased standardisation in their contracts, such as in relation to management information reporting. Given CTPs will be facing an increased regulatory burden, they may wish to minimise the extent to which they provide bespoke reporting to customers. Customers will need to assess whether the standard reporting meets their needs or whether they need to push for more bespoke obligations in the context of the service.

Impact on smaller providers

Markets for the provision of third-party services will, following the introduction of the CTP regime, be split into those providers that have been designated a ‘CTP’ and those who have not. The regulatory guidance explicitly states that CTPs cannot use their CTP status as a selling point to potential customers, but it is possible that enhanced resilience requirements may in any case make them more attractive in the market. It may be that non-CTP providers voluntarily enhance their own offerings in line with the CTP requirements to remain competitive. Customers – including financial institutions – will welcome this.

Co-written by Blair Dunbar-Smith of Pinsent Masons.
