UK financial regulators to begin overseeing Critical Third Parties announced by Treasury
The Bank of England (the Bank), the Prudential Regulation Authority (PRA) and the FCA will start overseeing the first critical third parties (CTPs) on Monday 13 July 2026, following designation by the Treasury.
CTPs are technology and other service providers whose services underpin the UK financial system. Today, the Treasury has announced its first designations of 4 global cloud services and technology providers: Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, and Oracle Corporation UK Limited.
As many firms rely on these services, disruption or failure could affect multiple firms or markets at the same time, potentially impacting UK financial stability and services used by millions of consumers and businesses.
For the first time, the three regulators will jointly oversee these CTPs under a new, proportionate regime, focused on the resilience of the critical services they provide to the UK financial sector. The regulators will work together with the CTPs to address system-level risks and reduce the risk of disruption to the services they provide spreading across the UK financial system. This will strengthen system-wide resilience and improve coordination and information sharing across the UK financial sector.
CTPs must identify and manage risks to their critical services effectively, and maintain open, timely communication with regulators and the firms that rely on them, particularly during major incidents.
Together, these changes support a more resilient environment for firms to operate in, which will, in turn support financial stability and confidence in UK financial markets.
This regime complements, but does not replace, existing outsourcing and operational resilience rules for regulated firms who remain responsible for managing their own third-party arrangements including due diligence, risk management and contingency planning.
Sarah Breeden, deputy governor for financial stability at the Bank, said:
'As critical third parties become increasingly embedded in the operations of financial institutions, they can introduce new forms of systemic risk. Our proportionate approach to overseeing these providers will ensure that these dependencies are managed in a way that safeguards financial stability.'
Katharine Braddick, deputy governor for prudential regulation and CEO of the PRA, said:
'By bringing critical third parties into the scope of oversight, we are ensuring that the infrastructure underpinning UK financial services is robust enough to support UK financial stability and confidence. This directly supports the PRA’s objective to promote the safety and soundness of regulated firms.'
Nikhil Rathi, chief executive at the FCA, said:
'Critical third parties provide essential services which support innovation and growth. At the same time, when the same providers serve thousands of firms, a single failure can reverberate across the financial system. Operationalising this regime strengthens our ability to tackle those risks and improve overall resilience, ensuring the UK remains a safe and attractive place to do business.'
Treasury is responsible for deciding which third party providers are designated as CTPs, and any future designations or de-designations. The regulators will periodically review whether CTPs continue to meet the designation criteria, making recommendations to Treasury, and evaluate the effectiveness of the oversight approach.
The Bank, PRA and FCA will continue to work closely with Treasury, the financial services industry and designated CTPs as the regime is implemented, while supporting innovation, and UK growth and competitiveness.
Notes to editors
- The regulations will come into effect on Monday 13 July 2026. Please refer to the government’s website for Treasury’s press release and CTP regulations published.
- You can find more information on the regulators’ oversight regime on FCA’s website and PRA’s website.
- Treasury is responsible for deciding which third party suppliers should fall under the CTP regime, generally based on recommendations from the regulators. The scope of entities under the regime will continue to evolve as further designations are considered.
- Designation under this regime is not the same as authorisation by the regulators. Oversight is limited to the resilience of the services they provide to UK financial firms.
- Financial Services and Markets Act (FSMA) 2000 as amended by FSMA 2023 gave the Bank, PRA and FCA new powers to oversee critical third parties, strengthening the resilience of the services they provide to regulated firms and financial market infrastructures.
- In November 2024, the FCA, the Bank and PRA introduced the final rules and policy for the CTP regime. These came into effect on 1 January 2025 and apply immediately to CTPs once designated by Treasury.
- Alongside the final rules and policy, the regulators published their approach to regulatory oversight and a supervisory statement setting out expectations for CTPs on how to interpret and comply with the regulators’ new rules.
- CTPs may also be regulated under similar regimes in other jurisdictions, including the EU’s Digital Operational Resilience Act (DORA). The regulators have signed a Memorandum of Understanding to support coordination and information sharing on oversight of CTPs.
How it works
Once you click Generate, Ollama reads this article and crafts 5 comprehension questions. Your answers are graded against the article content — general knowledge won't be enough. Score 70+ to count toward your certificate.
Questions are cached — you'll always get the same 5 for this article.