
Supply Chain & Third-Party Risk

Written by GoCardless

Last edited: May 2026 · 1 min read

Payment providers rely on a network of subcontractors and technology partners. Understanding who those third parties are, how they are managed, and what happens if one fails is an essential part of your due diligence. Regulators such as the FCA, and the EU's Digital Operational Resilience Act (DORA), increasingly mandate this level of scrutiny for financial services supply chains.

Questions to ask, with an explanation of what to look for in each answer:

1. Question: Can you provide a list of all material third parties, including cloud providers, subprocessors, and outsourced services, that are involved in delivering the services in scope?
   What to look for: You need to know who is actually providing the service. A single vendor relationship may involve a chain of subcontractors. Regulators increasingly require this level of transparency, and you cannot assess supply chain risk without it.

2. Question: For each material third party, can you provide their legal name, jurisdiction, and the specific services they perform?
   What to look for: Entity-level disclosure is necessary for your own due diligence and for meeting regulatory requirements. Jurisdiction matters for data sovereignty; the services performed determine the risk profile.

3. Question: Do any of your outsourced services involve offshoring or cross-border data transfer, and if so, to which countries and under what legal basis?
   What to look for: Offshoring introduces additional risk: different legal frameworks, data protection regimes, and geopolitical considerations. Understand the full geographic footprint of the supply chain.

4. Question: Can you describe your pre-contract due diligence process for onboarding new third-party vendors?
   What to look for: The rigour of vendor onboarding tells you a great deal about the provider's risk culture. Ask whether they conduct security assessments, financial due diligence, and reference checks before signing with new suppliers.

5. Question: How do you assess and manage the ongoing security and performance of your third-party vendors after onboarding?
   What to look for: Vendor risk does not end at onboarding. Understand whether vendors are subject to regular re-assessment, audit rights, and contractual obligations to notify the provider of material changes.

6. Question: What does your overarching third-party risk management framework look like, and what governance structures oversee it?
   What to look for: A mature third-party risk management framework includes a risk register, clear ownership, defined escalation paths, and board-level oversight. Ask how the framework is documented and which committee reviews it.

7. Question: How do you ensure adequate oversight of your vendors' own subcontractors (fourth-party risk)?
   What to look for: Fourth-party risk (your provider's vendors' vendors) is increasingly subject to regulatory requirements. Understand whether contractual flow-down requirements are in place.

8. Question: How do your third-party arrangements align with applicable regulations, including DORA, FCA operational resilience requirements, and relevant EBA guidelines?
   What to look for: These regimes impose significant requirements on financial entities and their ICT service providers. Understand whether the provider has assessed their supply chain against these obligations and what gaps exist.

9. Question: Do you have a Modern Slavery Act statement, and how do you ensure your supply chain is free from modern slavery and labour exploitation?
   What to look for: For larger organisations, supply chain human rights due diligence is a legal and reputational requirement. A provider who can point to a published Modern Slavery Act statement and a credible supply chain audit process is lower risk.

10. Question: How do you ensure the security of data that is processed or accessed by your third-party vendors?
    What to look for: Vendors with access to your payers' data represent a significant attack surface. Ask what contractual security requirements are imposed on vendors, how compliance is verified, and what happens when a vendor fails to meet standards.

11. Question: What mechanisms are in place to ensure that your third parties notify you promptly of material security incidents or operational failures that could affect your platform?
    What to look for: Contractual notification obligations are necessary but not sufficient. Ask how quickly vendors are expected to notify, what constitutes a notifiable event, and what the escalation path is when notification does not occur.

12. Question: Does your business continuity plan explicitly cover scenarios where a material third party fails or is unavailable?
    What to look for: A BCP that does not address third-party failure is incomplete. Understand which third parties are covered, what the recovery strategy is for each, and how quickly services can be restored if a key vendor fails.

13. Question: Do you maintain documented substitution plans and exit strategies for critical suppliers, including cloud providers?
    What to look for: Concentration risk in the supply chain is a key concern for regulators. Ask whether the provider has tested their ability to switch to an alternative cloud provider or critical vendor, and over what timescale.

Sample RFP

Our sample RFP includes all of the questions in this guide and more. You can download it and use it as a template for creating your own.


Note: The questions suggested on this page are intended as a starting place for writing your own RFP. They're provided for general information only: they're not intended to be prescriptive or to provide legal advice. We suggest working closely with your management to develop an RFP that is tailored towards the specific requirements of your business.
