In this Q&A, Clarence Chio explains why the FCA’s updated operational resilience rules mark a shift in how regulators expect firms to manage third-party risk. The headline is simple: annual self-attestation is no longer enough when vendor failures can ripple across the financial system in real time.
Q: What is the headline from the FCA’s new operational resilience rules?
A: Regulators are no longer treating third-party risk as a secondary concern. The FCA’s own data says that in 2025, more than 40% of cyber incidents reported to the regulator involved a third party. High-profile disruptions like the Cloudflare and AWS outage made it impossible to ignore how exposed firms are through their supply chains.
The new rules are the regulatory response to that reality. They signal that annual self-attestation, by itself, is no longer a sufficient control.
What the FCA is changing
A streamlined reporting framework
The FCA, PRA, and Bank of England are aligning reporting through a single portal, which should reduce friction for firms managing multiple regulatory relationships.
Clearer thresholds and definitions
The rules give firms more explicit guidance on what must be reported and when, addressing a long-standing request from the industry.
Less duplication for some firms
The FCA removed some overlapping requirements for payment service providers and credit rating agencies, which matters for fintechs navigating multiple obligations.
A supply-chain view of incidents
The regulator plans to use incident data to see through firms’ supply chains and understand where concentration risk is building.
Third-party risk is not new
Financial services firms have relied on third parties for years. What changed is the degree of dependency. Shared cloud, API infrastructure, fintech platforms, payment providers, and operational vendors now sit inside critical services. A single outage can affect many firms at once.
The scale and interconnection are new
The FCA is responding to that interconnected reality. Its goal is not only to collect incident forms from individual firms, but to understand sector-level patterns, common dependencies, and concentration risk as incidents unfold.
Q: Are annual vendor questionnaires fundamentally broken?
A: They are not broken. They are doing exactly what they were designed to do: capture a snapshot of vendor posture at a point in time, check a box, and move on. The problem is that today’s threat environment does not pause between assessments.
A vendor that was compliant in January can have a material exposure by March. That is especially acute in fintech, where vendor relationships evolve quickly through new API integrations, updated data-sharing arrangements, and shifting subprocessors.
Q: What does “see through the supply chain” mean in practice?
A: It means the FCA intends to use incident data to map which third-party providers are most embedded in the financial system and which services are most exposed when those providers fail. If one vendor supports 20 regulated firms and has an incident, the regulator wants to identify that concentration risk in near-real time and respond at a sector level.
How firms should use the 12-month runway
The rules take effect in March 2027. Firms can spend that time updating forms, or they can use it to close the real visibility gap.
Move from periodic attestation to continuous monitoring. Annual evidence is useful, but it cannot be the only signal in a dynamic vendor environment.
Build vendor profiles from live signals. A profile derived from connected infrastructure is evidence. A questionnaire is a representation.
Map critical vendors and concentration risk. Understand which providers are shared across services, customers, regions, and regulated entities.
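The concentration-risk mapping in the last step, as an added example that is not from the article or from Coverbase: it takes a constructed vendor-dependency inventory (entity, service, region, vendor, criticality; all names hypothetical), counts how widely each vendor is shared across entities, services and regions, flags vendors above assumed thresholds, and lists the services a given vendor's failure would take down.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:
    entity: str     # regulated entity that owns the service
    service: str    # important business service the vendor sits under
    region: str
    vendor: str
    critical: bool  # the service cannot run without this vendor


# Constructed sample inventory; every name here is hypothetical.
INVENTORY = [
    Dependency("FirmA", "payments", "UK", "CloudOne", True),
    Dependency("FirmA", "onboarding", "UK", "KYCVendor", True),
    Dependency("FirmA", "onboarding", "UK", "CloudOne", True),
    Dependency("FirmB", "payments", "EU", "CloudOne", True),
    Dependency("FirmB", "lending", "EU", "CreditBureau", False),
    Dependency("FirmC", "payments", "UK", "CloudOne", True),
    Dependency("FirmC", "cards", "UK", "CardProcessor", True),
]


def concentration(inventory):
    """Per vendor: how many entities, services and regions share it, and
    how many critical (entity, service) pairs depend on it."""
    stats = defaultdict(lambda: {"entities": set(), "services": set(),
                                 "regions": set(), "critical_pairs": set()})
    for d in inventory:
        s = stats[d.vendor]
        s["entities"].add(d.entity)
        s["services"].add(d.service)
        s["regions"].add(d.region)
        if d.critical:
            s["critical_pairs"].add((d.entity, d.service))
    return {v: {k: len(x) for k, x in s.items()} for v, s in stats.items()}


def flag_concentrated(inventory, min_entities=2, min_critical=2):
    """Vendors shared by several regulated entities or underpinning several
    critical services (assumed thresholds), ranked by critical pairs."""
    stats = concentration(inventory)
    flagged = [v for v, s in stats.items()
               if s["entities"] >= min_entities or s["critical_pairs"] >= min_critical]
    return sorted(flagged, key=lambda v: -stats[v]["critical_pairs"])


def blast_radius(inventory, vendor):
    """(entity, service) pairs disrupted if this vendor fails."""
    return {(d.entity, d.service) for d in inventory if d.vendor == vendor}
```

Feeding the same functions a live-signal inventory (discovered API integrations, subprocessor lists) rather than questionnaire answers is what turns this into continuous monitoring.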
What is at stake beyond compliance
Operational disruption
The primary cost is a third-party failure affecting services customers depend on, often before the firm has a response plan ready.
Customer trust
For fintechs, where trust is often the core value proposition and switching costs can be low, a poorly managed vendor incident can be existential.
Regulatory paper trail
The FCA’s rules will make the visibility gap easier to document, turning weak operational awareness into a compliance problem.
Shared intelligence
The FCA plans to share insights and trends back with industry, giving firms a reason to report accurately and build better data infrastructure.
The global regulatory convergence
DORA, the UK Cyber Security and Resilience Bill, and the FCA update are pointing firms in the same direction: third-party risk must be demonstrable in near-real time.
Regulatory signal for vendor-risk programs
| Regime or update | Core message | Implication for firms |
|---|---|---|
| FCA operational resilience update | Major incidents involving third parties must be reported more consistently. | Firms need timely vendor, dependency, and incident data. |
| DORA | ICT third-party risk must be governed across the lifecycle. | EU and UK firms need aligned evidence, monitoring, and escalation processes. |
| UK Cyber Security and Resilience Bill | Critical dependencies and digital supply chains are becoming a national resilience focus. | Vendor oversight needs to move beyond paperwork into operational visibility. |
Q: What is the single most important takeaway for compliance and risk leaders?
A: The FCA is not asking for new forms because it wants more paperwork. It is asking because firms need the infrastructure to know what is happening in their vendor ecosystem in near-real time.
Get the visibility right, and compliance becomes a byproduct of good risk management. Treat this as a documentation exercise, and you will rebuild the program every time the regulatory cycle turns.
About Clarence Chio
Clarence is the cofounder and CEO at Coverbase, the AI procurement and risk company that recently raised $20m from top investors to automate 90% of vendor management. Before Coverbase, he cofounded Unit21, a Google-backed company that raised $92m to help financial institutions combat fraud and money laundering with AI. He has degrees in Computer Science and AI from Stanford, published Machine Learning and Security with O’Reilly Media, and teaches AI and security at UC Berkeley.
Read the original FinTech Bloom article: Fintech’s Vendor Risk Blind Spot Just Became a Regulatory Problem.
