The UK's financial landscape is set to undergo a significant shift from July 2026, as the Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) assume oversight of four designated Critical Third Parties (CTPs). These global cloud and technology providers – Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd, and Oracle Corporation UK Limited – underpin a vast array of financial services, including banking and investment activities. The estimated £1.3 trillion in assets managed by these firms demonstrates the magnitude of their influence on the UK's financial sector.
With approximately 75% of the UK's top banks relying on Amazon Web Services, for example, any disruption to its services could have far-reaching consequences for the entire financial system. In fact, a study by McKinsey estimates that a major outage in these CTPs' critical services could lead to losses of up to £1.2 billion over a 24-hour period.
The new regulatory framework will see these three key regulators collaborate to oversee CTPs under a proportionate regime. This approach focuses on the resilience of the critical services provided, ensuring system-level risks are proactively addressed and mitigated. The aim is to enhance overall stability and confidence in UK financial markets by improving coordination and information sharing within the sector.
CTPs will be required to identify and manage associated risks, maintaining transparent communication with regulators and dependent financial firms, particularly during significant incidents. This oversight complements existing operational resilience and outsourcing rules, while placing responsibility on regulated firms for managing their own third-party arrangements, including due diligence and contingency planning.
Sarah Breeden, Deputy Governor for Financial Stability at the Bank of England, highlighted the evolving nature of systemic risk, stating that as CTPs become more deeply embedded in financial operations, they introduce new forms of systemic vulnerability. She stressed that the proportionate oversight approach will ensure these dependencies are managed to safeguard financial stability.