Fintech’s Vendor Risk Blind Spot Just Became a Regulatory Problem

Q: The FCA just confirmed new operational resilience rules requiring firms to report major incidents involving third parties. What’s the headline here?

A: The headline is that regulators are no longer treating third-party risk as a secondary concern. The FCA’s own data tells the story—in 2025, more than 40% of the cyber incidents reported to them involved a third party. This includes high-profile disruptions like the Cloudflare and AWS outages, which made it impossible to ignore how exposed firms are through their supply chains. These new rules are the regulatory response to that reality, a signal that the era of annual self-attestation as a sufficient control is over.

Q: What specifically is the FCA changing?

A: There are a few things worth noting that are designed to make reporting more consistent and more actionable for both firms and the regulator. First, they’ve created a streamlined reporting framework, developed jointly with the Prudential Regulation Authority (PRA) and the Bank of England, that includes a single reporting portal—a significant improvement for firms managing multiple regulatory relationships. Second, they’ve added clearer guidance on thresholds and definitions, which is something the industry has been asking for. Third, they’ve removed some duplicative requirements for payment service providers and credit rating agencies, which is particularly relevant for fintechs in the payments space that have been navigating overlapping obligations.

Q: Why has it taken this long? Third-party risk isn’t a new problem.

A: You’re right — this isn’t new, but the scale has grown dramatically. Firms are more dependent on third-party providers than ever, resulting in a vastly expanded attack surface. Regulators have also gained greater visibility into how interconnected these failures are, which means that a single cloud provider outage can ripple across dozens of financial services firms simultaneously. We saw this play out in real time with the Cloudflare outage, which hit a disproportionate number of fintech platforms given how heavily that sector relies on shared cloud and API infrastructure. The FCA has been watching these patterns develop, and these rules are its official response.

Q: Most firms still rely on annual vendor questionnaires. Is that approach fundamentally broken?

A: It’s not broken — it’s doing precisely what it was designed to do: get a snapshot of a vendor’s posture at a point in time, check a box, move on. The problem is that today’s threat environment doesn’t pause between assessments. A vendor that was compliant in January can have a material exposure by March. This is particularly acute in fintech, where vendor relationships evolve rapidly — new API integrations, updated data-sharing arrangements, shifting subprocessors — in ways that a once-a-year review will simply never capture. The old model wouldn’t recognize this exposure until next year’s questionnaire came back. With the new rules, the FCA plans to use incident data to “see through firms’ supply chains,” which is a fundamentally different posture than accepting an annual self-attestation.

Q: What does “see through the supply chain” actually mean in practice?

A: It means the FCA intends to use the incident data it collects to map which third-party providers are most embedded in the financial system and which services are most exposed when those providers fail. In fintech, that scenario isn’t hypothetical—a relatively small number of infrastructure providers underpin a significant portion of the market, creating concentration risk that isn’t visible at the individual firm level. If your vendor is also a vendor to 20 other regulated firms and they have an incident, the FCA wants to be able to identify that concentration risk in near-real time and respond at a sector level. For firms, the implication is that their reporting isn’t just about their own posture but about that of a larger group that regulators can act on.

Q: The FCA mentioned they’ll share insights and trends back with the industry. Is that significant?

A: It is, and I don’t think it’s receiving enough attention. While the FCA plans to use the data for oversight, it also plans to share threat intelligence and sector-wide patterns with firms, particularly during tense market conditions. That’s a more collaborative regulatory posture than we’ve seen in the past, and it will incentivize firms to report accurately and completely rather than minimizing disclosures. For fintechs in particular, who have sometimes operated at the edges of regulatory engagement, this creates a real opportunity to be part of the intelligence loop rather than downstream of it. But firms only benefit from this if they have the infrastructure needed to generate clean, timely data in the first place.

Q: Firms have 12 months before the rules take effect in March 2027. How should they be spending that time?

A: Many will update intake forms and add new fields to existing questionnaires. That will get them through the audit, but it won’t close the visibility gap. In fact, firms that treat this window purely as a documentation exercise will be scrambling again when the next regulatory update lands. What they should do is treat the 12-month runway as an opportunity to move from periodic attestation to continuous, evidence-based monitoring. That means pulling signals from the vendor’s actual environment rather than waiting for them to self-report. 

The most defensible approach is to build vendor profiles from connected infrastructure. For example, rather than relying on answers that a vendor provides about themselves, integrate directly with the tools and systems vendors already run. This is an important distinction because a profile derived from live signals is evidence. A completed questionnaire, on the other hand, is merely a representation. 

For fintechs already operating with real-time data pipelines and modern tooling, this is a natural extension of how they already think about infrastructure. The question is whether they’re applying that same rigor to vendor oversight. The FCA is hosting a webinar on April 29th to help firms understand the new requirements. I’d recommend that as a starting point.
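The contrast drawn in the answer above, between a questionnaire as a representation and live signals as evidence, is easy to operationalise. The following is an added example written for this page, not code from the article, from Coverbase, or from any FCA guidance. It treats the vendor's questionnaire as a dated baseline, feeds in dated observations pulled from systems the vendor runs (here constructed inline, as if exported from an identity provider, an edge configuration and a published subprocessor list), and reports where the attestation has gone stale, where the live signal contradicts it, and where a subprocessor appeared that was never disclosed. The vendor name, control names, sources, dates and the 90-day and 30-day freshness windows are all assumptions chosen for illustration.

```python
# Added example (not the article's or Coverbase's code): turn a vendor's
# point-in-time questionnaire into a baseline and continuously check it
# against dated evidence taken from the vendor's own systems.
# Vendor names, controls, sources and dates are all constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Any

# Assumptions for the example: a self-attested answer with no corroborating
# evidence is treated as stale after 90 days, and an observation is treated
# as stale after 30 days.
ATTESTATION_MAX_AGE = timedelta(days=90)
EVIDENCE_MAX_AGE = timedelta(days=30)


@dataclass
class Attestation:
    """What the vendor said about itself in the questionnaire (a representation)."""
    vendor: str
    as_of: date
    controls: dict[str, Any]      # control name -> claimed value
    subprocessors: set[str]       # subprocessors disclosed at attestation time


@dataclass
class Evidence:
    """One observation taken from a system the vendor actually runs (evidence)."""
    vendor: str
    observed: date
    control: str
    value: Any
    source: str


@dataclass
class Finding:
    vendor: str
    kind: str        # "contradiction", "stale", "stale_evidence", "unreported_subprocessor"
    control: str
    detail: str


def latest_by_control(vendor: str, evidence: list[Evidence]) -> dict[str, Evidence]:
    """Keep only the most recent observation for each control of this vendor."""
    latest: dict[str, Evidence] = {}
    for ev in evidence:
        if ev.vendor != vendor:
            continue
        if ev.control not in latest or ev.observed > latest[ev.control].observed:
            latest[ev.control] = ev
    return latest


def evaluate(attestation: Attestation, evidence: list[Evidence], today: date) -> list[Finding]:
    """Compare the questionnaire baseline with the freshest evidence per control."""
    findings: list[Finding] = []
    latest = latest_by_control(attestation.vendor, evidence)
    attestation_stale = today - attestation.as_of > ATTESTATION_MAX_AGE

    for control, claimed in attestation.controls.items():
        ev = latest.get(control)
        if ev is None:
            # Nothing but the vendor's word: acceptable only while the word is fresh.
            if attestation_stale:
                findings.append(Finding(attestation.vendor, "stale", control,
                    f"claimed {claimed!r} on {attestation.as_of}, no evidence since"))
            continue
        if today - ev.observed > EVIDENCE_MAX_AGE:
            findings.append(Finding(attestation.vendor, "stale_evidence", control,
                f"last observation {ev.observed} from {ev.source}"))
        if ev.value != claimed:
            # The live signal disagrees with the questionnaire: the questionnaire loses.
            findings.append(Finding(attestation.vendor, "contradiction", control,
                f"claimed {claimed!r}, observed {ev.value!r} on {ev.observed} via {ev.source}"))

    # Subprocessor drift: anyone on the live list that the questionnaire never disclosed.
    sub_ev = latest.get("subprocessors")
    if sub_ev is not None:
        undisclosed = sorted(set(sub_ev.value) - attestation.subprocessors)
        if undisclosed:
            findings.append(Finding(attestation.vendor, "unreported_subprocessor", "subprocessors",
                f"not in attestation: {', '.join(undisclosed)} (via {sub_ev.source})"))
    return findings


def run_example() -> list[Finding]:
    """Constructed scenario: the January questionnaire looked clean; by April it does not."""
    attestation = Attestation(
        vendor="acme-payments",   # constructed name
        as_of=date(2026, 1, 15),
        controls={"mfa_enforced": True, "tls_min_version": "1.2",
                  "encryption_at_rest": True, "pen_test_within_12_months": True},
        subprocessors={"cloud-provider-a", "email-provider-b"},
    )
    # Constructed observations, as if exported through an integration with the
    # vendor's identity provider, edge configuration and subprocessor page.
    evidence = [
        Evidence("acme-payments", date(2026, 2, 1), "mfa_enforced", True, "idp_policy_export"),
        Evidence("acme-payments", date(2026, 4, 1), "mfa_enforced", False, "idp_policy_export"),
        Evidence("acme-payments", date(2026, 4, 5), "tls_min_version", "1.2", "edge_config"),
        Evidence("acme-payments", date(2026, 4, 12), "subprocessors",
                 ["cloud-provider-a", "email-provider-b", "analytics-provider-c"],
                 "subprocessor_page"),
    ]
    return evaluate(attestation, evidence, today=date(2026, 4, 20))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.vendor}: {f.kind:<24} {f.control:<26} {f.detail}")
```

Run as written, the scenario yields four findings: the MFA claim is contradicted by the April export, two controls rest on a 95-day-old attestation with no evidence at all, and a third subprocessor has appeared since the questionnaire. The design point is that the questionnaire is never discarded; it is the baseline that evidence is measured against, and the age of both the baseline and the evidence is itself a finding.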

Q: What’s the cost of getting this wrong — beyond the regulatory penalty?

A: The regulatory penalty is really a secondary concern. The primary cost is operational — an unexpected third-party failure affecting services your customers depend on, at a moment when you have no pre-positioned response. For fintechs, where customer trust is often the entire value proposition and switching costs are low, a poorly managed third-party incident can be existential. Eventually, the FCA’s rules will create a paper trail that makes the visibility gap a compliance issue. Until then, this is a business continuity issue, and firms that can’t demonstrate real-time awareness of their vendor posture will suffer reputational and operational damage that takes years to recover from.

Q: Is there a bigger convergence happening across regulations globally?

A: There absolutely is. DORA, the UK Cyber Security and Resilience Bill, and now this FCA update are all communicating the same message — third-party risk is your risk, and firms must be able to demonstrate their posture in near-real time. A vendor’s SOC 2 is no longer sufficient evidence of control. Will it get you in the door? Yes. But what regulators are increasingly looking for is a living profile, a continuously updated picture of vendor posture that reflects the current state of their environment, not a point-in-time audit from six months ago. For fintechs operating across both the EU and UK, that means navigating DORA and the FCA’s new regime simultaneously. The compliance surface is expanding, and the common thread running through all of it is visibility. The firms building for that world now are the ones that will have defensible programs when examiners come knocking.

Q: What’s the single most important thing a compliance or risk leader should take away from this?

A: The FCA isn’t asking for new forms because they want more paperwork. They’re asking because firms need the infrastructure in place to know what’s happening in their vendor ecosystem in near-real time. Get the visibility right, and compliance becomes a byproduct of good risk management. Treat it as a documentation exercise, and you’ll be rebuilding your program every time the regulatory cycle turns.

About Clarence Chio:

Clarence is the cofounder and CEO at Coverbase, the leading AI procurement and risk company that recently raised $20m from top investors to automate 90% of vendor management. Prior to this, he cofounded Unit21, a Google-backed company that raised $92m to help top financial institutions combat fraud and money laundering with AI. He has degrees in Computer Science and AI from Stanford, published the book “Machine Learning and Security” with O’Reilly Media, and teaches AI and security at UC Berkeley.

Sponsored Content
