The Ever Expanding Regulatory Perimeter

Outsourcing, Operational Resilience & Supervision of Supply Chains

Peter Howitt

Managing Director

 

2026: The year of X-Ray Regulatory Vision

2026 is not merely another year of business as usual for the governance of financial services across the European and British regulatory landscape.

For the Boards of Electronic Money Institutions (EMIs), banks, and other licensed financial institutions operating in Gibraltar, the United Kingdom (UK), and the European Union (EU), the era of writing policies and filling compliance gaps has given way to an era of unyielding supervisory assurance and enforcement.

Redrawing the Financial Supply Chain

For decades, the standard playbook for business growth has been clear: focus on your core competencies and outsource the rest. Handing off non-essential functions to specialist third parties allows firms to improve efficiency, reduce costs, and concentrate on what they do best. This logic has been a cornerstone of corporate strategy, and the financial services sector has embraced it as enthusiastically as any other.
 
However, for banks, insurers, payment firms, and e-money issuers, this has now become a source of regulatory concern. A wave of new regulations focused on outsourcing, consumer protection, and operational resilience is bringing systematic supervision to how firms delegate key tasks in IT, marketing and the distribution of financial services. Regulators are unequivocally clear that a firm’s legal and ethical obligations extend far beyond the firm and deep into the complex web of its supply chain.
 
This new reality requires a fundamental shift in mindset for business leaders and boards. The intricate chains of suppliers, service providers, and technology partners that underpin modern finance are no longer just contractual relationships—they are extensions of the regulated firm itself.
 
This article reveals some of the most impactful new rules of engagement that leaders in the financial sector must understand to navigate this expanded perimeter of responsibility.
 

Responsibility is Non-Transferable

The foundational principle of the new regulatory landscape is absolute: a financial firm remains fully accountable for complying with all its regulatory obligations, regardless of any outsourcing arrangement. Boards and senior management cannot delegate their responsibilities. This is not a new idea, but it is now being enforced with unprecedented rigour.
 
This principle is a core theme in guidance from the UK’s Prudential Regulation Authority (PRA), the European Banking Authority (EBA), the UK Financial Conduct Authority (FCA) and the Gibraltar Financial Services Commission (GFSC).
 
The strategic imperative for the board is therefore to fundamentally recalibrate its oversight model. The question is no longer whether a third party is contractually liable, but whether the firm’s own governance framework can evidence direct, continuous, and effective control over that third party’s operations as if it were an internal division.
 
This principle of non-transferable accountability is being operationalised through new supervisory techniques that render supply chains transparent.
 

Operational Resilience – The Core Mandate for 2026

Operational resilience isn’t a document; it’s a rehearsal for disaster.

Operational resilience has ascended to the top of the prudential hierarchy, serving as the regulatory mechanism through which firms demonstrate their ability to withstand shocks—be they cyber-attacks, technology failures, or third-party outages—without causing intolerable harm.
 
The regulatory approach to operational resilience has undergone a fundamental shift from reactive planning to proactive, demonstrable testing. It is no longer enough to have a business continuity plan sitting on a shelf – firms must prove they can withstand severe disruption.
 
This new framework is built on two key concepts. First, firms must identify their “important business services”—those services whose disruption would cause intolerable harm to consumers or risk to the financial system. Second, they must set “impact tolerances” for each of these services, defining the maximum acceptable level of disruption over a specific timeframe.
 
The most critical requirement is what comes next: firms must conduct rigorous scenario testing against “severe but plausible” disruptions—such as a major cyber-attack or data centre failure—to prove they can continue to deliver their important business services within those predefined tolerances.
 
  • The UK’s operational resilience transition period concluded on 31 March 2025, shifting the onus onto Boards to demonstrate rigorous adherence to Impact Tolerances.
  • In the EU, DORA has moved from its initial application in January 2025 to a mature phase of mandatory reporting and advanced threat-led penetration testing (TLPT).
  • For Gibraltar, mid-2026 brings a hard deadline for its own Operational Resilience regime.

A central theme for all three jurisdictions in 2026 is the transition from “implementation” to “assurance.” In prior years, Board discussions centred on project plans, gap analyses, and policy drafting.

In 2026, the supervisory question changes fundamentally from: “Do you have a plan?” to “Does your plan work under stress?”

Regulators are expected to utilise their full supervisory toolkit to ensure that firms have a firm grip on all their outsourced service providers. 

Board Action: Embracing the Assurance Mindset

Boards must transition their internal audit and risk committees from reviewing simple completion status to actively reviewing the efficacy of testing outcomes. The assurance phase demands that Boards:

  • Actively Challenge Management: Question the reality of the firm’s resilience using data derived from severe but plausible scenario testing, not just theoretical risk appetites.
  • Insist on Quantitative Metrics: Demand management information (MI) that reports on tolerance breaches and test pass/fail rates, moving beyond generic system uptime reports.
  • Ensure Remediation is Validated: Verify that remediation plans for identified vulnerabilities are fully executed and validated by repeated scenario testing.

UK

For UK operations, firms are no longer allowed “reasonable efforts.” They must demonstrate, through empirical evidence, that they can remain within their set Impact Tolerances for every identified Important Business Service (IBS).

  • Impact Tolerance Breaches: A breach of impact tolerance in 2026 is a reportable regulatory breach. Boards must scrutinise MI to report on these breaches, which are distinct from traditional recovery time objectives (RTOs).

  • The Annual Self-Assessment: The firm’s Operational Resilience Self-Assessment is a critical governance milestone. While there is no singular statutory deadline, best practice dictates that Boards schedule its approval to coincide with the anniversary of the March 2025 deadline. This document is the primary evidence of the Board’s oversight and must explicitly detail the methodology, testing results, and a concrete remediation plan for any weaknesses.

Gibraltar: The July 2026 Deadline

For Gibraltar-based entities, 2026 is also the year for full implementation. The Financial Services (Operational Resilience) Regulations 2023 established a transition period that culminates in a hard compliance deadline of July 2026.

 

By 13 July 2026, firms must have:

  1. Full Mapping: Fully mapped all people, processes, technology, facilities, and information necessary to deliver their Important Business Services (IBS).
  2. Rigorous Testing: Conducted rigorous scenario testing to prove they can remain within impact tolerances.
  3. Vulnerability Resolution: Addressed and remediated any vulnerabilities identified during the mapping and testing phases.

The GFSC has announced thematic reviews, which will intensely scrutinise the rationale behind IBS identification and the rigour of scenario testing.

 

The European Union: DORA’s Advanced Assurance

For EU operations, 2026 marks the move into the advanced assurance phase of DORA, following the application date of 17 January 2025.

  • The Register of Information (ROI): The submission window for the annual ROI, detailing every contractual arrangement with ICT third-party service providers, opens on 1 January 2026 and closes on 21 March 2026. The data within will be used by European Supervisory Authorities (ESAs) to designate Critical ICT Third-Party Providers (CTPPs), and an ROI revealing high concentration risk could trigger immediate supervisory intervention.
  • Threat-Led Penetration Testing (TLPT): The first waves of regulatory-mandated TLPTs—adhering to the TIBER-EU framework—are expected to commence in late 2026. Boards must approve the scope of the test and, critically, the remediation plan for any vulnerabilities discovered. The true value lies not in a “clean” report, but in a report that identifies weaknesses and tests the firm’s response capabilities.

The regulatory demand is now for “provable resilience.” Boards must demand evidence from severe but plausible scenario tests that prove the firm can maintain its most critical services through a crisis.
 
Board members must be able to answer crucial questions: “What have we tested, what broke when we tested it, and what is our certified tolerance for failure?”

While these resilience mandates hold firms accountable for their entire value chain, regulators have recognised a critical vulnerability that individual firms cannot solve alone: the systemic risk posed by the handful of tech giants upon which the entire sector depends.
 

Critical Third Parties (Major Cloud, AI & IT providers)

In a seismic shift for the financial services supply chain, regulators are no longer limiting their oversight to the firms they license.
 
Under powers granted by the Financial Services and Markets Act 2023, UK financial regulators have established a new regime for “Critical Third Parties” (CTPs), granting them direct statutory powers to oversee the technology and service providers deemed critical to the stability of the financial system.
 
This means that for the first time, major cloud companies and other key technology providers can be directly supervised by financial regulators like the Bank of England and the PRA. They will be required to meet minimum resilience standards and are subject to information requests, skilled person reviews, and enforcement action. This is a landmark change because it directly addresses the systemic concentration risk created by the entire financial sector’s reliance on a small number of powerful tech giants.
 
The strategic implication is that third-party risk is no longer a bilateral negotiation between firm and supplier but a trilateral relationship in which the regulator is also a key counterparty. For firms, this provides a new layer of assurance, but it also means their critical suppliers are now subject to direct intervention that could reshape service delivery, pricing, and contractual terms in ways previously unimaginable.
 


Consumer Duty

The new Consumer Duty also impacts all firms’ distribution chains and business partners involved in the construction or delivery of financial services products. See here for a detailed overview of the Consumer Duty regime for UK and Gibraltar firms:

Consumer Duty Compliance for Gibraltar and UK Payment Service Providers

Regulators Now Have “X-Ray Vision” Into Your Supply Chain: The New Perimeter

Regulators are surgically excising ambiguity about where responsibility lies in complex value chains through a “look-through” supervisory approach. This includes on-site inspections of any material outsourced functions, such as financial crime controls, but also extends to the adequacy of the business partner’s governance frameworks.
 
Under this model, the authorised firm is held fully accountable for the entire ecosystem operating under its licence, including the actions of its partners and their subcontractors. This approach is particularly critical in complex structures like the BIN Sponsorship model, where a licensed sponsor provides its licence and scheme access to third-party Program Managers, making the sponsor unequivocally accountable for the entire ecosystem operating under its name.
 
In some cases, UK and Gibraltar firms seeking to use new categories of service provider within their core infrastructure or distribution supply chain may find that this also triggers a material change notification, on the basis that it might impact their ability to continue to meet the threshold conditions for authorisation:
 
  • In Gibraltar, under Section 83A of the Financial Services Act 2019, regulated firms have a mandatory obligation to obtain the GFSC’s consent for any “material change” to their business plan, financial resources, or corporate governance arrangements; even if a proposed relationship does not meet this threshold, firms are still required to notify such arrangements under the 12th Core Principle (open and cooperative dealing);
  • In the UK, under SYSC 13.9 and SUP 15.3, firms are generally required to notify the regulator when they intend to enter into or significantly change a material outsourcing arrangement, and for changes that impact resources, management, supervision or integrity.
 
The message from regulators is unambiguous: the perimeter of responsibility is expanding. It is pushing outwards from the regulated firm into its supply chain and downwards into the operational details of its partners. The corporate veils that once separated a firm from its suppliers are becoming increasingly transparent to supervisory scrutiny.
 
This evolution demands more than just stronger contracts and better due diligence. It requires a cultural shift where third-party risk management is elevated to a core strategic function, owned and understood at the board level.
 
The critical question for firms is no longer “Who does this work for us?” but “How do we prove we are in control of our entire, end-to-end value chain, from our boardroom to the data centre?”
 
Answering that question is the new benchmark for operational excellence and the ultimate determinant of which firms will be trusted to operate in this new, supply chain transparent era.
 
 
