UK financial regulators to oversee critical tech firms
The Bank of England, PRA, and FCA will begin overseeing four designated Critical Third Parties from Monday, July 13, 2026. HM Treasury has named Amazon, Google, Microsoft, and Oracle as the first technology providers under the new regime.
Four tech giants under new oversight
The Bank of England (BoE), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) will jointly oversee the first Critical Third Parties (CTPs) from July 13, 2026.
HM Treasury (HMT) has designated four global cloud and technology providers: Amazon Web Services, Google Cloud, Microsoft Ireland Operations, and Oracle Corporation UK.
These CTPs are vital to the UK financial system; their disruption could impact numerous firms, markets, and millions of consumers.
The new, proportionate regime focuses on the resilience of critical services provided to the UK financial sector.
Regulators will collaborate with CTPs to manage system-level risks and enhance system-wide resilience.
CTPs must identify and manage risks effectively and maintain timely communication, particularly during major incidents.
This framework strengthens the operating environment for firms, bolstering financial stability and confidence in UK markets.
Regulators stress resilience
Bank of England Deputy Governor Sarah Breeden noted CTPs introduce new systemic risks, with oversight safeguarding financial stability.
PRA Deputy Governor Katharine Braddick emphasized robust infrastructure is crucial for UK financial stability and confidence.
FCA Chief Executive Nikhil Rathi highlighted that a single CTP failure can reverberate across the financial system, making this regime essential for tackling risks and improving overall resilience.
This new oversight complements, but does not replace, existing outsourcing and operational resilience rules for regulated firms, who remain responsible for managing their own third-party arrangements.
HM Treasury designates CTPs, based on regulator recommendations, and will periodically review designations and evaluate the oversight approach.
Necessary step, complex execution
This is a significant step towards formalizing oversight of critical infrastructure for the UK financial system.
While the regime is proportionate, the sheer scale and interconnectedness of the designated providers mean the regulators face a complex, ongoing challenge.
Its true impact will depend on the effectiveness of cross-jurisdictional coordination, especially with the EU's Digital Operational Resilience Act (DORA).