The FCA’s new material third party regime: Financial services firms need to act now
Many financial services firms believe they have a good understanding of their critical suppliers. The FCA's new material third party (MTP) regime may prove otherwise.
In summary:
- From March 2027, the FCA’s new material third party regime broadens the range of third party notifications to cover not just material outsourcing but also material non-outsourcing arrangements
- As well as cloud and managed service providers, the regime can cover a wider range of critical technology and data dependencies, including cyber security providers, critical SaaS platforms, payment providers and AI services
- Understanding third-party risk under the new MTP regime will require firms to look beyond contractual relationships
- The best firms will not view this as a reporting exercise but an opportunity to build a more resilient operating model
From March 2027, firms in the UK will be required to identify, assess and report a far broader range of third-party dependencies than traditional outsourcing registers capture. Cloud providers, critical software-as-a-service (SaaS) platforms, cyber security services, AI solutions and data providers may all fall within scope if disruption could impact customers, operational resilience or market stability.
For many organisations, the challenge is not regulatory reporting; it is uncovering hidden dependencies, understanding concentration risk, and demonstrating that the business could continue operating if a critical supplier failed. What has historically been viewed as a procurement, technology or compliance issue is rapidly becoming a board-level resilience challenge.
What's changed at the FCA?
Historically, the regulatory focus has centred on material outsourcing arrangements. Under the new rules, however, firms must consider both outsourcing and non-outsourcing third-party arrangements where disruption could materially impact customers, operational resilience or market stability.
The new regime significantly broadens the scope of reportable arrangements and aligns the UK’s approach more closely with international frameworks such as DORA and broader third party risk management practices.
Under the new rules, firms must consider both outsourcing and non-outsourcing third-party arrangements.
What constitutes a material third party?
A third party arrangement is considered material if disruption could cause intolerable harm to customers, threaten the stability or resilience of the UK financial system, or prevent the firm from meeting regulatory obligations or operational resilience requirements.
The FCA expects firms to evaluate materiality based on factors such as:
- The impact on regulated activities and “important business services” (IBSs)
- Operational resilience implications
- Data protection and cyber risk exposure
- Business continuity requirements
- Substitutability and exit feasibility
- Dependency on the supplier and wider supply chain
Material third parties and operational resilience
The FCA’s MTP regime should not be viewed as a standalone supplier risk exercise. In practice, it is an extension of the existing operational resilience agenda.
Most firms have spent significant time identifying important business services, setting impact tolerances, and mapping the people, processes, technology and facilities required to deliver them. For many firms this has revealed that a significant proportion of those resources sit outside the firm and within third party elements of their supply chain. This creates a risk that is further amplified by the MTP regime, because it is now asking firms to answer a more challenging question: Whether they understand which third parties are critical to maintaining their important business services within impact tolerance, and whether they are confident those dependencies can withstand disruption.
Considering that question raises some challenges, including:
- Important business services that are mapped only to direct suppliers, with limited visibility of subcontractors and fourth-party dependencies
- Multiple IBSs that rely upon the same cloud, data or technology provider, creating concentration risks that are not always well understood
- Exit plans that may exist contractually but that have never been tested under realistic disruption scenarios
- Understanding supplier risk at an individual vendor level but with a lack of a firm-wide view of dependency across all business services
- Critical technology, AI and data providers that may have been onboarded outside formal procurement channels, leading to gaps in governance and oversight
The most mature firms are beginning to treat supplier dependency mapping as a core component of operational resilience rather than a procurement or vendor management activity.
The expanding scope of third party risk
While cloud and managed service providers are obvious candidates, the regime also captures a wider range of critical technology and data dependencies.
Examples the FCA would typically expect to be treated as material include:
- Cloud infrastructure and hosting services
- Cyber security providers
- Critical SaaS platforms
- Payment and settlement providers
- AI and machine learning services supporting key business processes
- Market data and analytics providers
The growing reliance on cloud, AI and external data providers means many firms may discover they have substantially more material third-party relationships than previously documented.
Is there sufficient visibility beyond direct suppliers?
Understanding third party risk under the new MTP regime will require firms to look beyond contractual relationships and assess wider supply-chain dependencies, concentration risks and subcontractor exposure. Firms that cannot demonstrate end-to-end visibility of critical dependencies may struggle to evidence that their important business services can remain within impact tolerance during a disruption.
That is a real exposure under the operational resilience requirements.
The growing reliance on cloud, AI and external data providers means many firms may discover they have substantially more material third-party relationships than previously documented.
Two new reporting requirements
The regime also introduces new reporting requirements:
Material third party notifications
Firms must notify regulators when entering into a new material third-party arrangement or making a significant change to an existing one. Examples include changes to service scope, data locations, subcontractors, ownership structures or key risk characteristics.
Importantly, the FCA expects firms to engage early in the decision-making process, before becoming contractually or operationally committed.
Annual material third party register
In addition to notifications, firms must maintain and submit an annual register of all material third-party arrangements. The register requires detailed information covering:
- Supplier details and its Legal Entity Identifier (LEI)
- Service classifications
- Contractual information
- Important business service mappings
- Data residency locations
- Risk assessment outcomes
- Financial and cyber due diligence
- Governance approvals
- Exit planning and substitutability assessments
This provides regulators with unprecedented visibility into third-party concentration and systemic risks across the financial services sector.
The real challenge: data and governance
For many firms, the challenge will not be submitting the template—it will be assembling the information required to complete it accurately.
The regime demands strong coordination across:
- Procurement
- Supplier management
- Technology
- Risk and resilience
- Legal
- Compliance
- Operational resilience teams
Many organisations will need to improve supplier inventories, strengthen materiality methodologies, map suppliers to important business services and enhance governance processes to evidence ongoing oversight.
Executive takeaways
For boards, CEOs, CFOs, COOs and CROs, the new regime raises some key strategic questions:
- Do we know which suppliers are truly critical? Many organisations have strong outsourcing registers but limited visibility of wider technology, data and AI dependencies that may now fall within scope
- Could we continue operating if a key provider failed tomorrow? Regulators will focus increasingly on substitutability, exit planning and operational resilience—not just contract compliance
- Are our important business services fully mapped to third-party dependencies? Businesses will need clear linkage between suppliers, operational resilience frameworks and impact tolerances
- Is governance keeping pace with technology adoption? As cloud, SaaS and AI become embedded within core operations, executive teams must ensure risk oversight evolves as quickly as deployment
- Could a supplier issue become a board issue? The FCA's focus on systemic and concentration risk means failures of major providers could rapidly become a regulatory, operational and reputational challenge.
The most resilient firms will not view this as a reporting exercise. They will use it as an opportunity to strengthen supplier governance, improve transparency across their third-party ecosystem and build a more resilient operating model.
In an increasingly digital and interconnected financial services sector, third-party risk is no longer a procurement or IT issue; it is a boardroom issue that requires focus and cross-business governance.
Building more resilient supply chains
Talk to us to learn more about how your firm may be impacted by the new material third party regime.
Or explore our procurement and regulatory consulting practices.