The UK is at the forefront of digital transformation in financial services and, through measures including open banking and regulatory sandboxes, as well as a focus on competitiveness in regulatory objectives, it has delivered an innovative, robust and competitive landscape for financial services firms and consumers. As part of this, advanced technologies, such as cloud computing, have enabled significant benefits that underpin the financial sector landscape, including increased security, flexibility, operational resilience, rapid scalability and reliability.
In the next 12 months the proposed regime for critical third parties (CTPs) to the UK financial services sector will be implemented, bringing material services provided by those advanced technologies into regulatory scope for the first time. The Financial Services and Markets Act 2023 allows HM Treasury to designate a third party as critical in consultation with the Bank of England (BoE), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA). Designated CTPs will then be subject to direct oversight for the first time to “…manage potential risks to the stability of, and confidence in, the UK financial system that may arise due to disruption of services provided by a CTP.”
At AWS, we welcome the risk-based, outcomes-focused regime as set out in the recent consultation paper CP26/23. However, it is important that the implementation does not introduce barriers on how financial services firms choose to use technologies on a location or industry basis that might reduce the scope of digital transformation. This will be particularly important as we look towards a new-wave of innovation enabled by Generative Artificial Intelligence (GenAI).
Regulation can help enable businesses, support customers and protect societies. However, ensuring regulations strike the right balance and meet the objectives of all stakeholders is crucial, especially in highly regulated industries like financial services. Within the UK the CTP regime has the opportunity to deliver on these objectives and develop a regime that is at the forefront of digital transformation as well as international interoperability to support an innovative financial services sector.
In order to deliver this, we believe that changes to the proposed regime could include introduction of the AWS shared responsibility model as an appropriate regulatory concept for operational resilience, emphasising that any information required to be provided to the regulator under the regime will always be on a proportionate, useful, and relevant basis, and avoiding a requirement for regulated firms to adopt a multi-vendor cloud strategy as part of the CTP regime.