1A critical third party must have in place sound, effective and comprehensive strategies, controls, processes and systems that enable it to comply with the rules in CTPS.

1The strategies, processes and systems required by CTPS 4.1.1R must be proportionate to the nature, scale and complexity of the critical third party’s activities.

1A critical third party must ensure that its governance arrangements promote the resilience of any systemic third party service it provides, including by:

1. (1)

   appointing one or more individuals who:

   1. (a)

      are employees of the critical third party or members of its governing body; and

   2. (b)

      possess the appropriate authority, knowledge, skills and experience,

   to act as the central point of contact with the regulators in their capacity as authorities having oversight functions;

2. (2)

   establishing clear roles and responsibilities at all levels of its staff who are essential to the delivery of a systemic third party service, with clear and well-understood channels for communicating and escalating issues and risks;

3. (3)

   establishing, overseeing and implementing an approach that covers the critical third party’s ability to prevent, respond and adapt to, as well as recover from, any CTP operational incident;

4. (4)

   implementing lessons learned from CTP operational incidents and any testing and exercising undertaken, including but not limited to that undertaken in accordance with CTPS 5 (Assurance, scenario testing and incident management playbook exercise);

5. (5)

   ensuring appropriate review and approval of any information provided to the regulators;

6. (6)

   notifying the regulators in writing of:

   1. (a)

      the names of the individuals appointed under (1);

   2. (b)

      the business address of those individuals; and

   3. (c)

      the email address, telephone number and out of hours contact details for each of those individuals; and

7. (7)

   notifying the regulators of any changes to the information notified under (6) as soon as is practicable.

1A critical third party must manage effectively risks to its ability to deliver a systemic third party service including by:

1. (1)

   identifying and monitoring relevant external and internal risks;

2. (2)

   ensuring that it has in place risk management processes that are effective at managing those risks; and

3. (3)

   regularly updating its risk management processes to reflect issues arising and lessons learned from:

   1. (a)

      CTP operational incidents;

   2. (b)

      engagement with the regulators;

   3. (c)

      new and emerging risks; and

   4. (d)

      any associated testing and exercising, including but not limited to that carried out in accordance with CTPS 5 (Assurance, scenario testing and incident management playbook).

1A critical third party must (as part of its obligation under CTPS 4.3.1R (Requirement 2: Risk management)) identify and manage any risks to its supply chain that could affect its ability to deliver a systemic third party service.

1A critical third party must take reasonable steps to ensure that its key nth-party providers and persons connected with a critical third party that are part of its supply chain:

1. (1)

   are informed of the CTP duties that apply to the critical third party;

2. (2)

   cooperate with the critical third party in meeting those CTP duties; and

3. (3)

   provide the regulators with access to any information relevant to the exercise of their oversight functions.

1A critical third party must (as part of its obligation under CTPS 4.3.1R (Requirement 2: Risk management)) take reasonable steps to ensure the resilience of any technology that delivers, maintains or supports a systemic third party service, including by having:

1. (1)

   (as part of its obligation under CTPS 4.1.1R (Cross-cutting requirement)) sound, effective and comprehensive strategies, processes and systems to adequately manage risks to its technology and cyber resilience; and

2. (2)

   regular testing and exercising of those strategies, processes and systems (including as part of its obligations under CTPS 5 (Information gathering, evidence and testing)) and processes and measures that reflect lessons learned from that testing and exercising.

1A critical third party must ensure that it has a systematic and effective approach to dealing with changes to a systemic third party service, including changes to the processes or technologies used to deliver, maintain or support a systemic third party service, including by:

1. (1)

   implementing appropriate policies, procedures and controls to manage effectively the resilience of any change to a systemic third party service;

2. (2)

   implementing any change to a systemic third party service in a way that minimises appropriately the risk of any CTP operational incident occurring; and

3. (3)

   ensuring that prior to being implemented, any change is appropriately risk-assessed, recorded, tested, verified and approved.

1A critical third party must:

1. (1)

   within 12 months of being designated by the Treasury, identify and document:

   1. (a)

      the resources, including the persons (including key nth-party providers), assets, supporting services and technology, used to deliver, support and maintain each systemic third party service it provides; and

   2. (b)

      any internal and external interconnections and interdependencies between the resources identified under (a) in respect of that service; and

2. (2)

   thereafter regularly update the process conducted under (1).

1A critical third party must manage effectively CTP operational incidents including by:

1. (1)

   implementing appropriate measures to respond to and recover from CTP operational incidents in a way that minimises the impact, or potential impact, on the stability of, or confidence in, the UK financial system;

2. (2)

   setting an appropriate maximum tolerable level of disruption to each systemic third party service;

3. (3)

   maintaining and operating an incident management playbook, the first version of which must be in place within 12 months of the critical third party being designated by the Treasury, which sets out the plans and procedures to be followed by the critical third party in the event of a CTP operational incident in order to:

   1. (a)

      respond to and recover from the CTP operational incident; and

   2. (b)

      facilitate effective communication with, and support to, the regulators and affected firms (individually and collectively); and

4. (4)

   cooperating and coordinating with the regulators and affected firms in response to CTP operational incidents, including through collective incident response frameworks.

1A critical third party must have in place appropriate measures to respond to a termination of any of its systemic third party services (for any reason), including by putting in place:

1. (1)

   arrangements to support the effective, orderly and timely termination of that service, and (if applicable) its transfer to another person, including the firm the service is provided to; and

2. (2)

   provision for ensuring access to, recovery and return of any relevant firm assets to each firm it provides that service to and (where applicable) in an easily accessible format.