Third-party resilience under PS21/3: What the FCA wants you to prove - and the simplest way to prove it
- Andrew Lingley

- Aug 21
Updated: Sep 17

If you’re a UK financial services firm, the next major outage your customers face might not be your fault. But if it’s your supplier, the FCA will still hold you responsible.
The next major operational disruption could spark in the data centre of a payment processor, cascade from a cloud platform update, or emerge from a sub-contractor you didn’t even know was in your supply chain - until the failure reaches your customers.
The FCA’s PS21/3 Building operational resilience standard (now embedded in the Handbook as SYSC 15A) has moved third-party resilience from an operational headache to a board-level accountability. The regulator now expects UK financial services firms to prove that these suppliers can deliver during severe disruption.
The regulator’s position is blunt: outsourcing the work does not outsource the accountability. But meeting the standard - and proving it - doesn’t have to be complex.
Why third-party resilience is now a regulatory flashpoint
Firms in scope - from major banks to smaller insurers and investment managers - are required to identify their important business services (IBS), map the people, processes, technology, facilities, and third- and fourth-party suppliers that support them, set impact tolerances, and test those tolerances against severe but plausible scenarios.
The deadline has already passed for having frameworks in place, and the FCA’s supervisory lens is now firmly on execution and evidence. Resilience must be demonstrated, not assumed.
This shift comes after a wave of incidents - from cloud outages to payment platform disruptions - where the root cause sat outside the regulated entity, but the operational and reputational fallout landed squarely inside it.
It also coincides with the joint FCA/PRA Critical Third Parties (CTP) regime, which gives UK regulators direct oversight powers over certain ‘systemically important’ suppliers. But this doesn’t let firms off the hook. Even if a third party is regulated as a CTP, your firm remains responsible for managing the risk and for demonstrating resilience.
The regulator’s concern is simple: if a single supplier can put your important business services out of action, you must be able to show - in advance - that you can absorb the shock and stay within your impact tolerance.
The weak links regulators find
When the FCA tests third-party resilience, it’s often not the big name vendors that break first.
It’s the secondary services - the software plug-in no one’s touched in three years, the data feed with a single point of contact, the regional support centre running on an untested recovery plan.
Failures tend to come from:
- Incomplete mapping of IBS dependencies beyond tier-one vendors.
- Over-reliance on supplier self-attestations without independent verification.
- Outdated or unrealistic recovery assumptions in contracts and SLAs.
- Scenario testing that focuses on internal failures, not supplier collapse.
Each of these creates a credibility gap between what’s assumed and what could actually be proved under scrutiny. Ultimately, if you can’t see the full chain, you can’t manage the risk.
Impact tolerances: the metric that matters
Under PS21/3, impact tolerances are the FCA’s hard measure of resilience - the maximum disruption you can absorb before customers and the market experience intolerable harm. When third parties are in the chain, those tolerances must reflect your supplier’s recovery capability, your ability to switch quickly, and the compounded effect of multiple failures.
Setting them too optimistically creates a false sense of security. Set them too conservatively, and you may discover you’ve been over-investing in low-value contingencies while ignoring bigger risks.
The most effective firms keep impact tolerance management simple - a clear, live record that links every important business service to its dependencies, recovery assumptions, and test results.
From compliance to competitive advantage with Drova
Handled well, third-party resilience can become a strategic differentiator. Firms that can demonstrate fast, confident recovery - and that have evidence ready for the FCA - are better positioned to win client trust and investor confidence.
(Handled badly, it’s an open invitation for supervisory intervention. In the most serious cases, the FCA and PRA have powers to restrict or even halt business activities where operational resilience is judged insufficient.)
Meeting PS21/3 and SYSC 15A obligations isn’t just about passing a regulatory test. It’s about building a living, auditable view of your resilience posture.
Drova removes the complexity from PS21/3 compliance, replacing manual mapping, scattered evidence, and guesswork with a single, connected view you can put in front of the regulator.
Drova’s Operational Resilience solution helps you:
- Map every IBS and its third- and fourth-party dependencies in a single, connected view.
- Set and monitor realistic impact tolerances with supplier-specific context.
- Run severe-but-plausible scenario tests that include third-party failure - with results translated into board-ready insights.
- Maintain evidence that aligns with FCA expectations and can be surfaced instantly in a self-assessment report.
Get the clarity, confidence, and proof to meet the standard, and turn resilience into a competitive strength. Start today risk-free on a 14-day free trial.