UK Regulators Put Four Technology Giants Under Direct Resilience Oversight

UK Regulators Put Four Technology Giants Under Direct Resilience Oversight

By
Key Takeaways
  • First Critical Third Parties Designated: HM Treasury designated entities belonging to Amazon Web Services, Google Cloud, Microsoft and Oracle as the first providers covered by the UK regime.
  • Joint Oversight Begins July 13: The Bank of England, PRA and FCA will jointly oversee the resilience of critical services the providers supply to the UK financial sector.
  • Systemic Concentration Risk Targeted: The regime addresses the danger that a failure at a widely used provider could disrupt multiple firms or markets simultaneously.
  • Financial Firms Remain Accountable: Existing outsourcing and operational-resilience requirements continue to apply, including due diligence, risk management and contingency planning.
  • Designation Is Not Authorization: Regulatory oversight is limited to the resilience of services provided to UK financial firms and does not constitute broader authorization of the designated companies.
Deep Dive

Britain’s financial regulators will begin overseeing four of the world’s largest technology providers on Monday, extending their reach into the cloud infrastructure that banks and other financial institutions increasingly rely on to keep operating.

HM Treasury has designated Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd and Oracle Corporation UK Limited as the first companies covered by the UK’s Critical Third Parties regime. The designation regulations take effect July 13.

The Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority will jointly oversee the resilience of the critical services those companies provide to the UK financial sector. It is the first time the three regulators have directly supervised third-party technology providers on that basis.

The logic is less complicated than the machinery built around it. When thousands of financial institutions depend on the same handful of providers, an outage ceases to be one company’s technology problem. It can spread across firms and markets, interrupt services used by millions of consumers and businesses, and become a threat to financial stability.

“When the same providers serve thousands of firms, a single failure can reverberate across the financial system,” FCA Chief Executive Nikhil Rathi said.

Regulating the Dependency

The regime is aimed at risks that individual financial institutions cannot fully manage on their own. A bank may understand its contract with a cloud provider and prepare for a disruption. It cannot easily see how thousands of similar relationships combine into a concentration of risk across the financial system.

Regulators will now work directly with the designated providers to identify and reduce those system-level vulnerabilities. The companies will be expected to manage risks to their critical services and maintain timely communication with regulators and the firms that depend on them, particularly during major incidents.

“As critical third parties become increasingly embedded in the operations of financial institutions, they can introduce new forms of systemic risk,” said Sarah Breeden, the Bank of England’s deputy governor for financial stability. She said the regulators’ approach would seek to ensure those dependencies are managed in a way that protects financial stability.

Katharine Braddick, deputy governor for prudential regulation and chief executive of the PRA, said the oversight would help ensure that the infrastructure beneath UK financial services is robust enough to support financial stability and market confidence. That, she said, directly supports the PRA’s objective of promoting the safety and soundness of regulated firms.

The supervision is deliberately limited. Designation as a Critical Third Party does not amount to authorization by the Bank, PRA or FCA, and the regulators will not oversee every part of the four companies’ operations. Their attention will remain fixed on the resilience of services supplied to UK financial firms and financial-market infrastructure.

Firms Remain Accountable

The arrival of direct oversight does not allow banks, insurers or other regulated firms to hand their third-party risk obligations back to the regulators. Existing outsourcing and operational-resilience rules remain in force.

Financial institutions must continue conducting due diligence, managing the risks created by their outside providers and preparing contingency plans for service interruptions. The new regime sits above those responsibilities rather than replacing them: firms remain accountable for their own arrangements, while regulators gain a view across providers whose reach extends through much of the market.

That distinction matters because the designation addresses a problem created by accumulation. Each outsourcing decision may appear manageable when examined alone. Taken together, thousands of those decisions can leave a large part of the financial system dependent on the performance of the same company.

The legal powers underpinning the regime were introduced through the Financial Services and Markets Act 2023, which amended the Financial Services and Markets Act 2000. The Bank, PRA and FCA published their final rules and policy in November 2024. Those measures took effect on Jan. 1, 2025, but apply to providers only after HM Treasury designates them.

A List That Could Grow

HM Treasury is responsible for deciding which providers fall within the regime and whether any should later be removed. Its decisions will generally draw on recommendations from the regulators.

The Bank, PRA and FCA will periodically review whether designated providers continue to meet the relevant criteria. They will also assess how well the oversight framework is working and make recommendations to the Treasury as further designations are considered. The first four names reveal where the government sees the clearest concentration of risk. All are major cloud or technology providers whose services have become deeply embedded in financial operations. They are unlikely to be the last companies examined.

The UK framework also forms part of a broader regulatory response to financial institutions’ reliance on outside technology. Some providers may face comparable supervision under the European Union’s Digital Operational Resilience Act. UK and EU regulators have signed a memorandum of understanding to coordinate and exchange information when overseeing critical third parties.

For the Bank, PRA and FCA, Monday brings the harder part. The rules have been written, the powers granted and the first providers named. Regulators must now determine how to supervise infrastructure they do not operate, supplied by companies whose scale and technical reach can exceed that of the firms depending on them.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.

Oops! Something went wrong