Third-Party Risk,
Managed Properly

The Financial Conduct Authority's supervisory statement SS2/21 on outsourcing and third-party risk management made it clear that regulated firms cannot outsource their regulatory obligations. When a bank, insurer, or asset manager relies on a third party to deliver a critical or important function, the FCA holds the regulated firm responsible for the outcome. The PRA's expectations under SS2/21 require firms to maintain a register of all outsourcing and third-party arrangements, assess concentration risk, and have documented exit strategies for critical suppliers.

Operational resilience requirements, which came fully into force in March 2025, add another layer. Firms must identify their important business services, set impact tolerances, and demonstrate that they can remain within those tolerances during severe but plausible disruption scenarios — including the failure of a critical third-party supplier. This requires not just knowing who your suppliers are, but understanding the dependencies between them, the services they support, and the risks they introduce to your operational resilience framework.

My Supplier List provides the structured assessment and continuous monitoring framework that financial services compliance teams need. Every supplier is assessed across five risk pillars: Financial health (including CCJ checks and credit monitoring), Compliance status, Operational capability, Cyber risk posture, and ESG commitments. For critical and important suppliers, the platform supports enhanced due diligence workflows with deeper assessment questionnaires, more frequent review cycles, and automated alerts when risk indicators change.

The platform's contract management module tracks key contractual terms including termination provisions, service level agreements, and data processing arrangements — giving your compliance and procurement teams a single view of every third-party relationship along with the documentation regulators expect to see during supervisory visits.