Alpha FMC

Operational Resilience: Critical Third Parties to the UK Financial Sector

Keith Aylwin, Richard Holland, Ben Chapman

Introduction and background

The draft Financial Services and Markets Bill (“FSM Bill”) put to Parliament in July proposes a framework to manage the risk to markets and firms arising from Critical Third Parties, or CTPs. Such CTPs are generally suppliers of IT or business process outsourcing (BPO) services where either an individual firm, or multiple firms, rely on the services delivered to such an extent that a material concentration of risk has been created. The Bill is intended to provide the regulatory authorities with additional powers to ensure that minimum standards of delivery risk are met, overseen, and governed appropriately.

Over the years the IT and BPO outsourcing market has responded to the increasing demands of regulation and good practice. Firms utilizing these services have significantly increased their oversight and governance of outsource service partners (OSPs) and many additional protections in respect of regulation, and “best” or “market” practice have been incorporated into outsourcing contracts. Such protections have included provisions in respect of service delivery resilience, usually in the form of BCP provisions, and provisions to facilitate the transfer back of service in the event of supplier failure or potential failure.

This service delivery resilience was clearly tested in full at the onset of, and throughout, the COVID-19 pandemic. Generally, firms responded well to the position but it also provided a further level of focus on the need to maintain delivery resilience and on the concentration risks that exist in the outsourcing market.

Outsourcing and how concentration risk has arisen

So how and why has the concentration risk arisen?

The requirements regulated firms have of outsourcers have been ever more demanding and competitive over the past 5 to 10 years. The competitiveness of the markets in which firms operate, plus the changing regulatory and legislative landscape, has resulted in firms seeking to pass further cost, regulatory, and delivery risk to OSPs. To deliver to these requirements, the OSPs have had an ongoing requirement to develop and evolve their propositions and solutions. This investment combined with increased overheads associated with ensuring legislative, regulatory, and contractual compliance and the overall competitiveness of the market, has put significant pressure on OSPs’ margins.

To combat these pressures OSPs have had to develop business models based on:

  • Replicable propositions or “utility” type solutions that reduce long-term implementation costs
  • Growth – the need to spread the costs arising from market pressures across a contract portfolio has become a requirement as opposed to a “nice to have”
  • A longer-term view on margin recognition and delivery
  • An acceptance that significant ongoing investment is required to support growth, delivery risk, and market/regulatory/legislative change

The market entry costs for new OSPs have increased substantially and new market entrants have had to accept and commit to a long-term business model. Those that have not delivered this commitment have failed and effectively closed to new business at substantial costs.

Such pressures and requirements for success have naturally resulted in a relatively small number of, generally, global suppliers that are prepared to invest and commit over the long-term and, accept that, successful growth is a prerequisite to a successful P&L. As a result, firms looking for credible OSPs have been faced with a relatively focused list and this, over time, has driven the concentration risk that the FSM Bill now seeks to provide a framework to manage more effectively.

What the Bill might mean for OSPs that are CTPs?

Firms that end up being designated CTPs should, in theory, be well prepared for the consequences of the Bill. The requirements of their clients and the market, the learnings from operating through the pandemic, and the likely global structure of the CTPs, should mean that resilience is already high. There will naturally be a challenge from clients and their regulators to push resilience standards higher still but CTPs should be well placed to meet this challenge. Those that are not could face a significant investment requirement which could ultimately result in further concentration risk arising.

A clear consequence of the Bill will be regulators and firms seeking further assurance and evidence that CTPs meet the level of resilience standards required by reference to the type and extent of the services delivered. There could be a “bow wave” of resilience testing requirements from firms to the relevant CTPs and, given the market implications in particular, regulators are more likely to oversee the resilience standards of CTPs directly. Indeed the draft Bill supports a direct approach to supervision of CTPs by the regulators.

Another potential development could be the need for OSPs to develop service propositions that enable the smooth, efficient, timely transition of services to other suppliers. Default contractual provisions already exist to enable such transitions but these could be significantly enhanced through the need to reduce barriers to transition as part of managing concentration risk. Ultimately this could also be seen as a USP by savvy CTPs.


The introduction of the draft FSM Bill is a natural evolution of how the market has developed and the need to manage the concentration risk that has arisen. However OSPs that are impacted by the Bill should generally be well-placed to manage the impact. Clearly, there will be a significant increase in their oversight by their client firms on the issue and they will need to embrace the consequences which will drive further resilience and service quality generally as well as, potentially significant, changes to their propositions and solutions.

The FSM Bill could also further increase the barriers to market entry for new suppliers through an additional investment requirement. This will however depend on how the initial CTPs respond to the requirements – poor compliance with requirements could result in sanctions from regulators, a need to reduce the concentration risk and firms seeking out alternatives. Ultimately it creates a further risk to CTPs’ long-term strategies that they will need to respond to.

Assuming the Bill receives Royal Assent, OSPs will need to be well prepared for the consequences and respond proactively. Delivery resilience is also likely to move front and center for any firms considering major outsourcing decisions and, naturally, this should mean OSPs respond with enhanced sales propositions driven by this new competitive angle.

All of which, if realized, should be good news for the markets and the end consumer.

How can Alpha help?

The Alpha UK team has a high proportion of resources who have been practitioners within the UK Financial Services market but have now developed consultancy careers. This includes individuals who have been supplier side within the regulated outsourcing sector. Alpha can mobilize this expertise to:

  • Support firms or potential CTPs in developing a plan to manage the impact of the Bill on their business
  • Perform assurance reviews for firms or CTPs to help assess their readiness for the impact of the Bill
  • Perform assessments of firms’ major suppliers to provide evidence of readiness in support of the firm’s supplier oversight functions
  • Manage programs to assess CTPs’ operational resilience against the expected standards and implement the changes required to stand up to regulatory oversight

Please contact us here for any enquiries.

About the Authors

Keith Aylwin

Keith is a Director at Alpha FMC who brings extensive global experience with 25 years in the Insurance industry. He has successfully led engagements covering Strategy Development, Core Technology Change, Target Operating Model design and implementation, Process Improvement & Re-engineering, Business Process Management, and Distribution. Before joining Alpha, Keith led EY’s Life & Pensions Technology practice, focusing on strategy and delivery of technology enabled business change programs within Financial Services. Keith also built EY’s Life & Pensions BPO advisory capability, leading over 90% of the client-side advisory activity in recent years.

Richard Holland
Associate Director

Richard is an Associate Director at Alpha FMC and brings 30+ years of extensive global experience in Financial Services of which 20 have been spent in BPO. He has successfully established, grown and exited BPO businesses operating at Board level, and has had FCA regulatory status since 2005. On multiple occasions, he has successfully led major transformation programs, designed share value creation between supplier and client whilst enhancing the experience for the end customer.

Before joining Alpha, Richard was CEO of Atos’s UK regulated BPO business focussed on all aspects of delivery, development, risk and regulatory management. Prior to Atos Richard led Serco’s private sector outsourcing business in the UK, and managed its exit following Serco’s decision to withdraw from the private sector.

Ben Chapman

Ben is a Manager in Alpha’s Pensions & Retail Investments practice, with 9 years of Financial Services consulting experience, including working alongside BPO and platform providers on large strategic initiatives. Prior to joining Alpha, Ben spent 7+ years as part of Accenture’s Financial Services Strategy & Consulting practice, working across a wide range of strategy and transformation programs at FS clients.