Sarah Pritchard, the Financial Conduct Authority’s first deputy chief executive, has called for a stronger grip on foreign technology companies that provide critical services to UK banks, citing a steady rise in outages and cyber-attacks. She signalled that the City watchdog stands ready to use new oversight powers to reduce the risk of large-scale disruption across the financial system. “We have had very frequent reminders” of the need for “good, strong operational resilience and cyber controls,” Pritchard said, adding that regulators will prioritise the firms that sit behind core banking services and payments infrastructure. Her remarks underline a growing regulatory focus on the third-party providers that underpin day-to-day finance, from cloud computing platforms to payment processors, and reflect concern that incidents at a small number of large suppliers could have wide effects.

The comments were made in the UK on Monday, 17 November 2025.

Regulators target critical third parties as outages intensify

UK regulators have warned for years that a concentrated group of third-party technology providers supports key banking services. When those providers fail, customers struggle to access accounts, payments stall, and businesses face cashflow problems. Recent outages and cyber incidents have amplified those risks, prompting calls for stronger oversight of suppliers that sit outside traditional financial regulation but inside the operational core of banks.

Pritchard’s comments highlight that trend. By focusing on the firms that power cloud hosting, payments processing, and core banking platforms, the FCA aims to reduce the likelihood that a single failure could cascade across multiple lenders. The approach sits within a wider push on resilience, which identifies third-party risk as a systemic issue rather than a narrow technology problem for individual firms to solve.

New UK powers expand oversight of suppliers to banks

Under legislation introduced in recent years, the UK has laid out a regime for “critical third parties” to the financial sector. HM Treasury can designate a service provider as critical, on the advice of the financial regulators. Once designated, the Bank of England, the Prudential Regulation Authority, and the FCA can set resilience requirements, request information, and run tests to check whether those providers can withstand disruption.

These powers allow regulators to look beyond the regulated bank or insurer and examine the resilience of the underlying service, including data centres, change management, and incident response. In practice, that can include scenario testing, targeted reviews, and directions to fix weaknesses. Pritchard’s message suggests the FCA intends to make active use of those tools as incidents accumulate and reliance on external providers deepens.

Why third-party failures carry systemic risk

Banks increasingly rely on a small number of large technology firms to deliver essential services at speed and scale. This reliance lowers costs and improves performance. It also concentrates risk. A disruption at one cloud platform, software provider, or payments processor can hit multiple banks at once, with knock-on effects for consumers and businesses. The risk rises when providers operate across borders, which can complicate oversight and incident management.

Cyber-attacks compound that challenge. Attackers target both financial firms and the vendors that connect to them. The more integrated the ecosystem, the bigger the potential blast radius when a supplier goes offline. Pritchard’s emphasis on “operational resilience and cyber controls” reflects the reality that firms cannot manage this exposure alone. The public expects the financial system to keep working, even when one link in the chain falters.

Operational resilience deadlines sharpen focus

The UK’s operational resilience policy set clear milestones for banks and other regulated firms. Regulators expected firms to identify their important business services, set impact tolerances for disruption, and build the capability to remain within those tolerances. That work reached a key milestone in March 2025, pushing firms to demonstrate that critical services can continue through severe but plausible incidents.

The next step widens the lens. Regulators want to ensure that the third parties supporting those services meet equivalent standards. Mapping dependencies, testing end-to-end processes, and closing gaps across firm and supplier boundaries form part of that effort. Pritchard’s remarks signal that the FCA will link firm-level obligations with direct oversight of critical suppliers, reducing the risk that resilience fails at the vendor level.

Foreign tech firms face closer scrutiny and cross-border tests

Pritchard said the UK should “strengthen” its grip on foreign tech firms that provide vital services to banks. Many of the largest cloud and technology providers operate from outside the UK. That creates coordination challenges during incidents and raises questions about data access, audit rights, and enforcement. UK regulators can work with overseas authorities to align expectations and share information, but they also need direct levers to assure resilience for UK customers.

Closer scrutiny does not automatically mean conflict. Regulators can set clear, technology-neutral standards and rely on routine testing and information sharing. The aim is not to pick winners or dictate architecture, but to ensure that critical services remain available, recover quickly, and protect sensitive data when problems arise. Pritchard’s comments indicate that foreign providers serving UK banks should prepare for more direct engagement with UK authorities.

What tougher oversight could mean for banks and customers

For banks, tighter oversight of critical suppliers may change procurement, contracting, and ongoing assurance. Firms may need stronger audit rights, enhanced data portability, and clearer exit strategies in case a provider fails to meet resilience standards. They may also invest more in multi-cloud designs, back-up systems, and drills that involve both in-house teams and external vendors. These steps can add cost in the short term, but they aim to cut the frequency and severity of outages.

For customers, the payoff should be fewer disruptions and faster recovery when incidents occur. Regulators can also push for clearer communications during outages, with consistent updates and transparent timelines for restoration. The broader public interest lies in preserving trust: people expect to pay bills, move money, and access savings when they need to. Stronger oversight seeks to protect that continuity by ensuring that critical technology works under stress.

How the FCA could act in the months ahead

The FCA can coordinate with the Bank of England and the PRA to identify which providers meet the threshold for critical designation. After designation, regulators can set minimum resilience expectations, require testing, and monitor remediation. They can also align incident reporting so that banks and suppliers escalate problems quickly and regulators can coordinate a response across multiple firms if needed.

Pritchard’s stance suggests a practical path: focus on the most important services first, use data on outages and near-misses to prioritise action, and build cooperative relationships with major vendors. That approach fits the aim of reducing harm without stifling innovation. It also recognises that resilience depends on people, processes, and governance as much as on technology.

Pritchard’s call for a stronger grip on critical technology suppliers marks a clear shift from urging to acting. With outages and cyber-attacks mounting, UK regulators want to test and harden the parts of the system that the public never sees but relies on every day. The powers to oversee critical third parties give the FCA and its peers a more direct role in preventing widespread disruption. If they use those tools well, banks may face tighter contracts and more rigorous testing, while customers benefit from steadier services. The next phase will show how quickly regulators can translate these ambitions into concrete standards and supervision that keep pace with an ever more digital financial system.