Last November, UK regulators confirmed a swathe of new rules to strengthen the resilience of the UK financial sector. The new regulatory framework came into force on January 1, 2025, and organizations doing business in the country face growing pressure to keep up.
However, increasing regulation across the technology sector has, either directly or indirectly, resulted in a number of roadblocks. The broader trend has already led to legal challenges, such as Apple’s dispute over encryption laws. While that’s not related to financial oversight, it exemplifies the growing tensions between regulators and tech providers – something that fintechs must also navigate.
Third-party tech companies – including fintechs – have become a backbone in the delivery of modern financial services. However, their rapid growth, combined with the relative lack of oversight when it comes to highly sensitive financial data, has drawn increasing regulatory scrutiny. The new framework builds on – rather than replaces – existing outsourcing and operational resilience regulations to cover tech providers that work with financial services organizations.
Most notably, the regulatory regime extends to what EU and UK legislators designate ‘critical third-party providers’ (CTPs), which broadly include any technology companies that are essential to the financial system. However, although the new legislation has come into force, the list of organizations designated as CTPs has yet to be finalized. Moreover, even once it is finalized, it will surely expand to include new companies. Three government bodies in the UK have been chosen to assess and recommend CTPs for official designation: the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA), and the Bank of England.
Designated CTPs will include companies that provide core technology infrastructure, such as banking-as-a-service, fraud prevention, and payments processing.
What does this mean for fintech firms?
While the US has far more fintech companies than any other country, the UK comes in at second place. Moreover, many US fintechs are expanding – or plan to expand – into the UK market. Given the historically lighter regulatory environment in the US, fintechs expanding into the UK or EU must prepare for heightened scrutiny.
Those likely to be designated as CTPs will face direct regulatory oversight, while others will still be affected through increased compliance demands from financial institutions. With a stronger emphasis on operational resilience, data protection, and incident response, financial services organizations will seek further assurance from their third-party technology providers. This also means fintechs may need to reassess their own partnerships to ensure compliance throughout their supply chains.