Critical Third-Party Oversight: What the New UK Regime Means for EMIs and PIs

Regulatory Counsel · March 2026 · 7 min read

Key Takeaways

  • The UK Critical Third-Party (CTP) regime, implemented through PS24/16, gives the FCA, PRA and Bank of England direct oversight of third-party providers designated as critical to the financial sector.
  • While the CTP regime applies directly to designated third parties, EMIs and PIs must strengthen their own third-party risk management frameworks in parallel.
  • Firms using CTP-designated providers should understand the regulatory expectations placed on those providers and incorporate this into their due diligence and monitoring processes.
  • The FCA expects firms to maintain comprehensive third-party registers, conduct regular risk assessments and have exit strategies for all material outsourcing arrangements.
  • The UK and EU have signed a Memorandum of Understanding on CTP cooperation, reflecting the cross-border nature of third-party dependencies in the payments sector.

The UK's Critical Third-Party (CTP) regime represents a new dimension of financial services regulation. For the first time, regulators have direct oversight powers over third-party service providers that are critical to the stability and resilience of the UK financial sector. While the regime applies directly to designated third parties — not to the firms that use them — EMIs and PIs must understand the regime and strengthen their own third-party risk management in parallel. This article explains the CTP framework and its implications for payment firms.

What Is the CTP Regime?

The CTP regime, implemented through Policy Statement PS24/16 published jointly by the FCA, PRA and Bank of England in November 2024, gives regulators direct oversight of third-party providers that are designated as critical to the UK financial sector. The regime applies to providers whose services, if disrupted, could pose a systemic risk to the stability of the financial system or cause significant harm to a large number of firms and their customers.

CTP designation is made by HM Treasury on recommendation from the regulators. Designated CTPs will be subject to minimum resilience standards, testing requirements and direct regulatory supervision. The regime is expected to cover major cloud infrastructure providers, core banking technology platforms and other systemic service providers.

Implications for EMIs and PIs

Although the CTP regime does not impose direct obligations on EMIs and PIs, it has significant indirect implications:

Enhanced due diligence. When using CTP-designated providers, firms should incorporate the provider's regulatory status into their due diligence process. Understanding the regulatory expectations placed on the provider helps firms assess the quality of the service and the resilience of the arrangement.

Contractual considerations. Firms should review their contracts with material third-party providers to ensure they include appropriate provisions for service continuity, incident notification, audit rights and exit arrangements. The CTP regime's resilience standards provide a useful benchmark for contractual expectations.

Concentration risk. The CTP regime highlights the concentration risk inherent in the financial sector's reliance on a small number of key technology providers. Firms should assess their concentration risk and consider diversification strategies where practical.

Incident response. When a CTP-designated provider experiences a disruption, the firm must have its own incident response procedures ready. This includes activating fallback arrangements, communicating with customers and regulators, and managing the operational impact.

Strengthening Third-Party Risk Management

Regardless of the CTP regime, the FCA expects EMIs and PIs to maintain robust third-party risk management frameworks. Key elements include:

  1. Third-party register. Maintain a comprehensive register of all third-party providers, including the services provided, the criticality assessment, the risk rating and the contractual terms.
  2. Risk-based due diligence. Conduct due diligence proportionate to the criticality and risk of each third-party relationship. Material outsourcing arrangements require enhanced due diligence including financial stability assessment, operational resilience review and regulatory compliance verification.
  3. Ongoing monitoring. Monitor third-party performance against agreed service levels, track incident history and conduct periodic reassessments of risk and criticality.
  4. Exit strategies. Maintain documented exit strategies for all material outsourcing arrangements, including transition plans, alternative provider identification and customer communication protocols.
  5. Board oversight. Ensure the board has visibility of material third-party risks and receives regular reporting on third-party performance and risk indicators.

UK-EU Regulatory Cooperation

The FCA, PRA and Bank of England have signed a Memorandum of Understanding with the European Supervisory Authorities on CTP cooperation. This reflects the cross-border nature of third-party dependencies — many providers serve firms across both the UK and EU. For EMIs and PIs operating in both jurisdictions, this means regulatory expectations are converging, and firms should aim for a consistent approach to third-party risk management across their UK and EU operations.

What Firms Should Do Now

  1. Identify your material third-party providers and assess their criticality to your important business services.
  2. Review contracts with key providers for resilience, audit and exit provisions.
  3. Assess concentration risk and develop diversification strategies where appropriate.
  4. Ensure your incident response plans cover third-party disruption scenarios.
  5. Maintain board-level reporting on third-party risks and performance.

Regulatory Counsel advises EMIs and PIs on third-party risk management, operational resilience and regulatory compliance. Contact us for a free initial consultation.

Frequently Asked Questions

No — the CTP regime applies directly to designated critical third-party providers. However, payment firms must strengthen their own third-party risk management in parallel.

Major cloud infrastructure providers, core banking technology platforms and other systemic service providers whose disruption could pose systemic risk.

Not necessarily. The CTP regime is designed to improve the resilience of designated providers. Firms should focus on strengthening their own third-party risk management regardless of whether their providers are CTP-designated.

The UK CTP regime and EU DORA both address third-party risk in financial services. The UK and EU regulators have signed a cooperation agreement to coordinate oversight of cross-border providers.
