
Third-Party Risk Management Guidance, Regulations & Standards

In the world of third-party risk management, organizations need to navigate a complex and expanding web of guidance, standards and regulations. Here, you can explore an overview of major industry standards and regulations that can help you ensure third-party compliance and build a more resilient business.

Regulators have made clear that third parties should attest to and align with your compliance, ethics, and risk management standards and obligations. Aravo enables customers to easily capture, update, manage and retain third-party attestations and certifications with these regulations and other ethics and compliance standards.

Financial Services

 Financial Conduct Authority (FCA), UK

Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions

Published in July 2014, this document provides a list of questions for financial services firms to consider when evaluating or engaging with third parties for technology services which are critical to firms’ operations. The questions cover the decision to use an outsource provider, the selection of a provider, and ongoing maintenance of the relationship with the provider, among other issues.


Cyber and Technology Resilience: Themes from cross-sector survey 2017/2018

An FCA survey of 296 firms, released in November 2018, highlighted key areas of regulatory development going forward. Firms acknowledged challenges in managing their third parties. For example, third-party issues, such as an IT failure at an important supplier, accounted for 15% of the operational incidents reported to the FCA; this was the second highest root cause. In addition, only 66% of large firms and 59% of smaller firms understood their third parties’ response and recovery plans.

Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services

Published in July 2018 after a consultation period, the guidance includes a list of areas that UK-based financial services firms should consider when engaging with third parties to provide IT services. The FCA wants firms to consider international standards, legal and regulatory obligations, risk management, the oversight of the service provider, data security, access to the third party’s premises, business continuity, and other issues.

SYSC 8.1 Outsourcing

SYSC 8.1 Outsourcing sets out requirements for firms to manage the risks associated with outsourcing activities, including those involving third-party service providers.

“Outsourcing of important operational functions must not impair materially the quality of a firm’s internal control and the ability of the FCA to monitor the firm’s compliance with all obligations under the regulatory system.”


SYSC 13.9 Outsourcing

SYSC 13.9 Outsourcing is a regulatory requirement under the FCA rules, which aims to ensure effective risk management when firms outsource operational activities to third-party service providers.

“Outsourcing may affect a firm’s exposure to operational risk through significant changes to, and reduced control over, people, processes and systems used in outsourced activities.”


 Financial Conduct Authority (FCA), UK

Insurance Act 2015 (UK)

This act modernizes insurance contract law in the UK and introduces reforms to enhance consumer protection and clarify insurers’ and policyholders’ rights and obligations.

Financial Services and Markets Act 2000 (FSMA)

This primary legislation regulates financial services, including insurance, in the UK. It establishes the regulatory framework for insurance companies, intermediaries, and other financial institutions.

The information contained on this page is for reference and informational purposes only.  As such, Aravo expressly disclaims any and all legal and professional liability associated with the content and any suggestions and/or recommendations provided therewith.
