The FCA's Outsourcing Framework
FCA-regulated firms increasingly rely on third-party providers for critical operational functions — from payment processing and core banking technology to compliance monitoring, customer service and IT infrastructure. The FCA recognises that outsourcing can deliver efficiency and expertise, but also introduces risks that must be managed through robust due diligence and ongoing oversight.
The FCA's outsourcing requirements are set out primarily in SYSC 8 (Outsourcing) and reinforced through operational resilience requirements, the Senior Managers and Certification Regime (SM&CR) and sector-specific rules. The fundamental principle is clear: outsourcing an activity does not outsource regulatory responsibility. The firm remains fully accountable for any outsourced function as if it were performing the function itself.
When Does SYSC 8 Apply?
SYSC 8 applies when a regulated firm outsources a critical or important operational function to a third-party provider. The FCA does not define exhaustively what constitutes a critical or important function, but provides guidance indicating that a function is likely to be critical if:
- A defect or failure in its performance would materially impair the firm's continuing compliance with its regulatory obligations
- A defect or failure would materially impair the firm's financial performance
- The function involves core business activities that are fundamental to the firm's regulated services
- A defect or failure would materially affect the firm's ability to deliver services to customers
Common examples include outsourced payment processing, core IT systems, AML/KYC screening, customer onboarding, regulatory reporting, complaint handling and cloud infrastructure.
Pre-Outsourcing Risk Assessment
Before entering an outsourcing arrangement, the firm must conduct a formal risk assessment covering:
Operational risk. What is the impact on the firm's operations if the provider fails, underperforms or ceases to provide the service? Can the function be brought back in-house or transferred to an alternative provider?
Concentration risk. Is the firm relying on a single provider for multiple critical functions? Is the same provider used by a significant number of other regulated firms, creating systemic concentration risk?
Jurisdictional risk. Where is the provider located? Are there cross-border data transfer issues, legal or regulatory barriers, or geopolitical risks?
Data security risk. What data will the provider have access to? How will it be protected? Does the provider meet appropriate information security standards?
Regulatory risk. Could the outsourcing arrangement affect the firm's ability to meet its regulatory obligations? Will the FCA have adequate access to the provider for supervisory purposes?
Due Diligence on the Provider
Pre-appointment due diligence should cover:
Competence and track record. Assess the provider's expertise in the specific function being outsourced. Review case studies, client references and the qualifications and experience of key personnel. Verify that the provider has a track record of delivering similar services to regulated firms.
Financial stability. Review the provider's financial statements for the previous three years. Assess revenue stability, profitability, debt levels and cash flow adequacy. Consider obtaining credit reports or bank references. A provider in financial difficulty may cut corners on service quality or fail entirely.
Information security. Evaluate the provider's information security arrangements, including ISO 27001 certification, SOC 2 reports, data encryption standards, access controls, vulnerability management and incident response procedures. For cloud service providers, assess shared responsibility models and data residency arrangements.
Business continuity and disaster recovery. Review the provider's business continuity plan and disaster recovery arrangements. Verify that they are tested regularly and that recovery time objectives (RTOs) and recovery point objectives (RPOs) are adequate for the firm's needs.
Regulatory compliance. Assess whether the provider is subject to any regulatory requirements in its own right and whether it has adequate compliance arrangements. For providers processing personal data, verify GDPR compliance, including data processing agreements, privacy impact assessments and cross-border transfer mechanisms.
Sub-outsourcing. Identify whether the provider sub-outsources any elements of the service. If so, assess the sub-contractor's capabilities and ensure the firm has visibility and control over the sub-outsourcing chain.
Contractual Requirements
SYSC 8 and FCA guidance require outsourcing agreements to include specific provisions:
- Scope of services. Clear description of the outsourced function, including service levels, performance standards and key performance indicators (KPIs).
- Audit and access rights. The firm's right to audit the provider's operations, access records and inspect premises. The FCA must also have the right of access for supervisory purposes.
- Data protection. Obligations regarding data security, data processing, confidentiality and compliance with GDPR, including a compliant data processing agreement.
- Business continuity. The provider's obligation to maintain adequate business continuity and disaster recovery arrangements.
- Incident reporting. Obligations to report incidents, breaches and service disruptions to the firm promptly.
- Sub-outsourcing controls. Restrictions on sub-outsourcing or requirements for prior approval and adequate oversight of sub-contractors.
- Termination provisions. Clear termination rights, including for material breach, persistent underperformance, insolvency or regulatory concerns. The agreement should include adequate transition arrangements to enable the firm to migrate to an alternative provider or bring the function in-house.
- Exit planning. Provisions for data return, service continuity during transition and the provider's cooperation with any successor provider.
Ongoing Monitoring
Initial due diligence (DD) is only the starting point. SYSC 8 requires firms to maintain ongoing oversight of outsourcing arrangements:
Performance monitoring. Track the provider's performance against agreed SLAs and KPIs. Regular reporting (monthly or quarterly) should include metrics on service availability, incident volumes, response times and quality measures.
Periodic reviews. Conduct formal reviews of the outsourcing arrangement at least annually. Reviews should reassess the provider's competence, financial stability, information security and compliance arrangements. For critical functions, consider commissioning independent assurance reviews.
Incident management. Establish clear processes for the provider to report incidents to the firm, and for the firm to escalate incidents to the FCA where required.
Risk reassessment. Periodically reassess the outsourcing risk assessment, particularly when there are material changes to the provider's business, financial position or service delivery model.
Exit readiness. Maintain and periodically test exit plans to ensure the firm can transition away from the provider within an acceptable timeframe if necessary.
Common Pitfalls
- Treating due diligence as a one-off exercise. Due diligence must be ongoing, not just pre-appointment, because a provider's risk profile changes over time.
- Inadequate contractual protections. Failing to include required provisions — particularly audit rights, termination clauses and sub-outsourcing controls.
- Over-reliance on certifications. ISO 27001 or SOC 2 certifications are helpful but not sufficient. The firm must assess whether the provider's actual practices match the certified standards.
- Ignoring concentration risk. Using the same provider for multiple critical functions without assessing the cumulative impact of provider failure.
- Lack of exit planning. Not maintaining viable alternatives or transition plans, creating lock-in risk.
Regulatory Outlook
The FCA and the Bank of England have both signalled increased focus on operational resilience and third-party risk management. The Critical Third Parties regime, introduced by the Financial Services and Markets Act 2023, will bring direct regulatory oversight to certain critical third-party providers for the first time. Firms should prepare for enhanced outsourcing requirements and invest in robust DD, contractual frameworks and ongoing oversight to manage evolving regulatory expectations.
Frequently Asked Questions
SYSC 8 requires FCA-regulated firms to conduct thorough due diligence before outsourcing critical or important operational functions. This includes assessing the provider's competence, financial stability, information security, business continuity arrangements, regulatory compliance and sub-outsourcing practices. The firm must also maintain a written outsourcing agreement with specific provisions and conduct ongoing monitoring.
No. The FCA is clear that outsourcing an activity does not outsource regulatory responsibility. The firm remains fully accountable for any outsourced function as if it were performing the function itself. Failures by the provider are treated as failures of the firm for regulatory purposes.
Key provisions include clear scope and service levels, audit and FCA access rights, data protection obligations, business continuity requirements, incident reporting obligations, sub-outsourcing controls, termination rights (including for breach and insolvency), exit planning provisions and transition arrangements.
Formal reviews should be conducted at least annually, with more frequent reviews for critical functions or higher-risk providers. Performance monitoring against SLAs should be ongoing (monthly or quarterly). The outsourcing risk assessment should be reassessed whenever there are material changes to the provider or the arrangement.