Understanding Operational Resilience and Third-Party Risk in Financial Services
Operational resilience has become a critical focal point in the management of artificial intelligence (AI) within the financial services sector. This heightened importance stems from the industry’s dependency on a limited number of AI technology providers. According to estimates by the Bank of England, the top three providers supply about 75% of cloud services, 45% of AI models, and 30% of data services to financial firms in the UK. Such concentration undeniably presents substantial systemic risks, where the failure of just one supplier or a significant cyberattack could have repercussions across the entire financial ecosystem.
The Role of Resilience Frameworks
In light of these risks, resilience frameworks are emerging as the primary line of defense against potential threats associated with an AI-centric supply chain. These frameworks help organizations identify vulnerabilities and develop robust strategies to mitigate risks stemming from their reliance on third-party suppliers.
Strengthened Oversight Starting 2026
Beginning in 2026, oversight will take on a dual approach. The first component entails enhanced scrutiny at the corporate level. With the integration of the EU’s Digital Operational Resilience Act (DORA) and the UK’s Operational Resilience Regime, regulatory bodies will commence testing firms for resilience according to these new standards. Expect an emphasis on resilience testing, auditability, transparency, and detailed business continuity plans, with particular attention to the risks associated with reliance on cloud, compute, and foundational models.
Direct Monitoring of Critical Suppliers
The second component focuses on the direct surveillance of critical suppliers. The EU has already identified a primary group of essential information and communications technology suppliers for oversight. These include major cloud and AI service providers, meaning supervisory teams will have extensive inspection authority to ensure compliance with resilience standards.
UK Regulations on Critical Third Parties
In the UK, once HM Treasury designates certain third parties as critical (a process anticipated to begin in 2026), regulators will be able to enforce rules on these suppliers. This may include requiring vendors to provide pertinent information, respond to regulatory inquiries, and participate in scenario management exercises that involve their financial services customers.
Potential Coverage of Large Cloud Providers
Given the extensive role of large cloud providers in supporting financial services, it is likely that many will fall under these regulations. Vendors offering bundled services incorporating cloud infrastructure, AI models, and data could also be encompassed under this oversight, even if their standalone solutions do not meet the critical designation criteria.
Maintaining Corporate Responsibility
While increased supervision may elevate transparency and enforce stricter contractual standards, corporate responsibility remains paramount. Boards will continue to be accountable for ensuring end-to-end resilience and compliance with regulatory requirements. Enhanced supplier oversight will likely lead to greater collaboration between supervisors and financial institutions, necessitating the exchange of test records, joint exercises, and evidence of corrective actions.
Ultimately, the outcomes of vendor assessments will inform supervisory evaluations of individual firms and their AI resilience capabilities. For instance, should regulators require a model provider to tighten controls or adjust a core model, financial service institutions may be compelled to revalidate their results or conduct further resilience tests. This intertwined relationship underscores the importance of proactive engagement and risk management in today’s evolving financial landscape, where operational resilience is more critical than ever.
