It is approaching a year since the implementation period ended for compliance with new regulations on outsourcing and third-party risk management, but banks are still being told to pay closer attention to their reliance on technology supply chains.
A recent letter from the Bank of England’s Prudential Regulation Authority (PRA) reinforces its position: trusting your suppliers to be resilient is simply no longer enough.
In its 2026 supervision priorities, the PRA cautions banks against relying solely on supplier assurances and stresses the need to test and validate contingency, exit and stressed exit plans. It also highlights concentration risk, sub-outsourcing and dependency chains as areas of growing concern.
These expectations are not new in themselves, but the emphasis is different. Supervisors are indicating that resilience will now be judged on evidence rather than intent.
For boards and senior executives, that shift has practical consequences, too. Accountability is moving closer to the top of the organisation, particularly where disruption exposes gaps between what entities believe is in place and what actually works.
From assurances to evidence
Most banks have long included third-party risk management clauses in supplier contracts and collected resilience statements as part of procurement. On paper, this can appear comprehensive. Historically, however, these measures have often depended on self-attestation and on broad commitments that were rarely tested.
Supervisors are now challenging that model. Where firms are able to validate resilience themselves, they are expected to do so. That means exercising stressed exit plans, running disruption scenarios and understanding whether services can genuinely be maintained when a supplier fails or deteriorates.
This matters because resilience incidents are no longer isolated events. Outages increasingly affect multiple firms simultaneously and persist longer than anticipated. In that environment, contractual assurances offer little comfort when recovery depends on actions that have never been tested.
For finance and assurance functions, this shift is crucial because resilience failures quickly translate into control weaknesses, audit challenges and governance questions that sit well beyond the remit of IT or procurement teams.
The blind spot
A recurring blind spot in supervisory reviews is limited visibility beyond direct suppliers. Many banks have a good understanding of their immediate third parties but less insight into the vendors who those suppliers depend on in turn.
These fourth-party dependencies often only surface during an incident. Firms discover that critical services rely on shared cloud platforms, common software components or niche providers they neither contract with nor actively assess. This can result in fourth-party concentration risk, where multiple services ultimately depend on the same underlying provider. By that point, options are constrained and recovery is slower – and it is already too late.
The PRA’s renewed focus on sub-outsourcing reflects this reality. Understanding dependency chains is central to determining whether exit or substitution is possible under stress, rather than a theoretical exercise carried out in isolation.
Stressed exit plans
Stressed exit planning has featured in regulatory frameworks for some time but it has not always been treated as an operational capability. Supervisors are now probing whether stressed exit plans have been exercised end to end and whether they can be executed without unacceptable disruption.
That includes practical questions: are alternative providers viable and available; are contracts in place; and have data, systems and people been considered together rather than separately? Where firms cannot answer those questions with confidence, regulators are increasingly pushing for remediation.
As a result, stressed exit planning is becoming a board-level issue. Failed exits carry financial and reputational consequences, and in some cases draw direct regulatory scrutiny.
Concentration risk
Another theme running through the PRA’s priorities is concentration risk. As firms converge on a smaller number of technology and service providers, the impact of a single failure increases. From a supervisory perspective, this raises the risk of correlated disruption across the sector. One outage at a widely used provider can affect multiple institutions simultaneously, escalating an operational incident into a systemic concern.
Acknowledging concentration alone is not enough. Regulators are asking firms to demonstrate how they would respond if a dominant provider failed, degraded or withdrew support, even where alternatives are limited or costly.
Execution gaps
Many remediation programmes triggered by recent reviews point to the issue of weak execution: contracts that are too vague to enforce, supplier negotiations that stall, and exit plans that have never been run in practice all undermine resilience.
In response, some firms are beginning to formalise resilience mechanisms within their control frameworks rather than relying on contractual wording alone, and banks are increasingly classifying measures such as software escrow as key controls. This allows software escrow to be embedded into governance, risk and compliance reporting. That shift reflects a broader recognition that resilience must be demonstrable and auditable, not simply documented.
Intragroup outsourcing presents a particular challenge. Regulated entities often assume internal providers are managing resilience appropriately, without requesting evidence. Yet accountability remains with the regulated firm, and supervisors are increasingly asking for proof that internal arrangements meet the same standards as external ones.
A wider shift
Although the current focus is on banks, the implications will likely extend further. As supervisory expectations rise in financial services, they are likely to flow down the supply chain and into adjacent sectors.
Critical suppliers and technology providers will face greater scrutiny, and finance leaders will be expected to demonstrate that resilience is embedded into governance and procurement. The PRA’s message is clear: contingency, exit and stressed exit plans should be maintained and tested before disruption exposes their weaknesses.