UK regulators set to crack down on third-party due diligence

Across all industries, critical third parties (CTPs) are essential to the smooth running of their clients’ day-to-day operations, from payroll to supply chain continuity. These integral third-party arrangements come with a range of associated risks, however – as has been highlighted by recent global events.

The pandemic and the war in Ukraine are likely to have exposed some firms to risks they have not even considered yet, including those posed by arrangements with CTPs in sanctioned nation states or former CTPs who still have access to their sensitive data and internal platforms.  

For the financial sector, these risks could have far-reaching implications.  

Post-Brexit reforms and the UK financial sector 

In response, financial regulators around the world have renewed their focus on the third-party due diligence of financial services firms – especially in terms of their operational resilience.  

For the UK, this also means accommodating the requirements of the Financial Services and Markets Bill once it becomes law. Although the main aim of the Bill itself is broad regulatory reform to reflect the UK’s departure from the EU, the UK’s supervisory authorities (the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority) have jointly published a discussion paper looking at what they’ll be able to do with the new powers they’ll enjoy in relation to CTPs. 

The paper proposes a range of measures to, “oversee and strengthen the resilience of services provided by critical third parties.” 

This concern with CTPs is understandable. There are very well-established, large and reputable firms that would be surprised by the scale of the risk they’re exposed to through their CTPs.  

Despite the risks posed by these ‘known unknowns’, and the regulators’ attempts to mitigate against them, some firms continue to fall foul of existing third-party monitoring requirements.

The consequences of ignoring third-party due diligence 

Take, for example, the case of Julius Baer International Ltd (JBIL). In December 2022, the FCA hit the investment and wealth management company with a Final Notice and a fine of more than £18 million.  

The FCA found, among other failures, that JBIL’s third-party risk monitoring policies and procedures were inadequate. As a result, the firm could neither identify potential conflicts of interest, nor could it identify and manage the risks it was exposed to through its third-party intermediaries. 

JBIL’s case highlights not just the consequences of neglecting third-party monitoring, but also the standards to which the supervisory authorities hold firms in the financial sector.  

The regulators recognise that no policy or procedure can completely protect a firm from third-party risk. However, it is equally clear that firms are expected to demonstrate that they are continuously and rigorously monitoring all these relationships. And while that may be a reasonable requirement, it is also a demanding one that – ironically – most firms will be able to meet only with the assistance of a specialist CTP.