BoE, PRA and FCA to begin overseeing Critical Third Parties
The Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) will start overseeing the first critical third parties (CTPs) on Monday 13 July 2026, following designation by the Treasury.
CTPs are technology and other service providers whose services underpin the UK financial system. Today, the Treasury has announced its first designations of four global cloud services and technology providers: Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, and Oracle Corporation UK Limited.
As many firms rely on these services, disruption or failure could affect multiple firms or markets at the same time, potentially impacting UK financial stability and services used by millions of consumers and businesses.
For the first time, the three regulators will jointly oversee these CTPs under a new, proportionate regime, focused on the resilience of the critical services they provide to the UK financial sector. The regulators will work together with the CTPs to address system-level risks and reduce the risk of disruption to the services they provide spreading across the UK financial system.
CTPs must identify and manage risks to their critical services effectively, and maintain open, timely communication with regulators and the firms that rely on them, particularly during major incidents.
Together, these changes support a more resilient environment for firms to operate in, which will, in turn support financial stability and confidence in UK financial markets.
This regime complements, but does not replace, existing outsourcing and operational resilience rules for regulated firms who remain responsible for managing their own third-party arrangements including due diligence, risk management and contingency planning.
Nikhil Rathi, chief executive at the FCA, said:
‘Critical third parties provide essential services which support innovation and growth. At the same time, when the same providers serve thousands of firms, a single failure can reverberate across the financial system. Operationalising this regime strengthens our ability to tackle those risks and improve overall resilience, ensuring the UK remains a safe and attractive place to do business.’
Treasury is responsible for deciding which third party providers are designated as CTPs, and any future designations or de-designations. The regulators will periodically review whether CTPs continue to meet the designation criteria, making recommendations to Treasury, and evaluate the effectiveness of the oversight approach.
