Third-party risk management: the FCA's evolving expectations

Third-party and outsourcing risk has moved from a back-office compliance matter to a board-level strategic concern over the past five years, driven by a combination of high-profile supply chain incidents, growing regulatory expectations, and the increasing concentration of financial sector infrastructure in a small number of critical technology providers. The FCA's expectations for third-party risk management are distributed across multiple sources — principally the SYSC 8 (outsourcing) and SYSC 13 (operational risk) sourcebook chapters, together with the FCA's Dear CEO letters to specific sectors — but are increasingly being consolidated and sharpened in response to industry developments.

The foundational principle is that outsourcing does not transfer regulatory responsibility. A firm that outsources a regulated function retains full accountability for ensuring that the function is performed in accordance with FCA requirements. This means that the due diligence conducted before entering an outsourcing arrangement must be substantive — including assessment of the service provider's financial stability, operational resilience, data security practices, and regulatory compliance track record — and that ongoing oversight must be sufficient to detect deterioration. The FCA's supervisory findings have repeatedly identified firms that treat initial due diligence as the end of the compliance process, without conducting meaningful ongoing monitoring.

The FCA's guidance on cloud outsourcing (FG16/5, updated in the context of SYSC 8 obligations) addresses the specific challenges of cloud services, where contractual arrangements may restrict the firm's access to audit, where sub-processor chains may be long and opaque, and where standard contracts from large providers may not include the protections that regulated firms require. Firms using hyperscale cloud providers (AWS, Azure, GCP) for material functions should review whether their contracts include the minimum provisions recommended in FG16/5, and should assess their exit planning against the operational resilience framework — a cloud dependency that cannot be exited within the impact tolerance for an important business service is a vulnerability that requires active risk management.

Concentration risk — the risk that a large proportion of the industry is dependent on a small number of critical service providers — is a growing concern for both the FCA and the Bank of England. The Systemic Risk Survey and the Financial Policy Committee's work on critical third parties have highlighted the systemic risk implications of this concentration. The Critical Third Parties (CTP) regime, introduced in the Financial Services and Markets Act 2023, gives the FCA and PRA powers to directly oversee firms designated as CTPs — primarily large cloud and data providers. Individual regulated firms should consider their own exposure to designated CTPs as part of their concentration risk assessment.

Register maintenance and annual review

Firms should maintain a complete register of all outsourced and third-party arrangements, classified by materiality, and should conduct annual due diligence reviews of all material arrangements. Where contracts are approaching renewal, the review should be completed before renewal to allow commercial leverage where gaps are identified. The register should be reviewed by the board or a board committee at least annually.