U.K. Regulators Begin Oversight Of Four Critical Third-Party Service Providers
The Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) will begin overseeing the U.K.’s first Critical Third Parties (CTPs) from July 13, 2026, following their designation by HM Treasury (the U.K. government’s economic and finance ministry). The move introduces a joint oversight framework for service providers whose operations support the UK financial system.
The first designated CTPs are Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd., and Oracle Corporation UK Limited. The regulators will oversee the resilience of the critical services these companies provide to financial institutions, with a focus on reducing system-wide risks and improving coordination during service disruptions.
The new regime requires designated providers to identify and manage operational risks, maintain resilience and communicate with regulators and affected firms during major incidents. Regulated financial firms will continue to remain responsible for managing their own outsourcing arrangements, including due diligence, risk management and contingency planning. HM Treasury will continue to decide future designations and review the regime with the regulators.




