Your SaaS supply chain is a compliance time bomb, and the Financial Conduct Authority is running out of patience. By Q3 2026, embedded third-party software will face the same scrutiny as your core banking systems. The FCA's Operational Resilience rules (PS21/3) took effect March 2022, but the rubber hits the road when regulators start issuing Section 166 skilled person reviews. If your vendor security assessment process still resembles a spreadsheet and a thirty-minute call, your board will face consequences that go beyond a fine — they will face business disruption.

The FCA Is Looking at SaaS — Not Just Outsourcing

Let's be precise. The FCA does not enforce NIS2 or DORA — those are EU directives that apply to EU-based entities. UK-regulated firms operate under the FCA's Senior Managers and Certification Regime (SM&CR), the Operational Resilience framework, and SYSC 8 (outsourcing). Since 2022, SYSC 8 has required firms to assess concentration risk, termination rights, and exit strategies for any material outsourced function. But here is the gap most UK CISOs miss: the FCA has widened its definition of "material outsourcing" to include SaaS applications handling client data, trade execution, or regulatory reporting.

Consider a typical wealth management firm. It runs CRM (Salesforce), document management (DocuSign or iManage), client portal software, and AML screening tools — all SaaS. None of these are written off as "non-material" anymore. The FCA's 2024 thematic review on operational resilience found that over 60% of firms still could not demonstrate how they would continue critical functions if their CRM provider went dark for 72 hours. This is not a hypothetical. It is a regulatory gap that will be tested in Q3 2026 when the FCA begins targeted reviews on third-party dependency mapping.

Gap 1: Your Software Vendor Security Assessment Is Not a Checklist — It Is a Liability

The first gap is the most common: treating vendor due diligence as a procurement form. Many UK firms still use a 10-question PDF that asks "Do you have ISO 27001?" and stops there. That is insufficient. A certificate from a body that may have rubber-stamped an audit three years ago tells you nothing about the vendor's current patch cadence, their incident response maturity, or whether they have a secure SDLC implementation that prevents code injection in their shared-tenancy SaaS platform.

The FCA expects you to assess the resilience of the service, not the compliance of the vendor's brochure. Here is what a proper software vendor security assessment must include for an FCA-regulated firm:

  • Access control architecture: Does the vendor enforce MFA for all admin users? Can they attest to logical segregation of customer data in a multi-tenant environment?
  • Incident notification SLA: Can the vendor confirm a security incident affecting your data within four hours? Do they have a contractual obligation to notify the FCA on your behalf?
  • Business continuity testing: When did the vendor last run a tabletop exercise that actually failed? Ask for evidence of tests that broke, not just pass reports.
  • Sub-processor chain: Who does the vendor's vendor use? If they host on AWS, is your data in eu-west-2 or us-east-1? The FCA wants to know where your data physically resides.

Our fractional vCISO consultants regularly find that firms accept SaaS vendor responses without verifying them against the vendor's actual SOC 2 Type II report or penetration test results. Do not take their word. Demand proof.

Gap 2: You Cannot Map a Vendor You Cannot Monitor

The second gap is operational blindness. Most UK firms do not have real-time visibility into which SaaS applications their employees are connecting to corporate data. Shadow IT is not a start-up problem — it is the dominant mode of software adoption in mid-market financial services. When a compliance officer signs up for a new record-keeping tool on a personal credit card and starts processing client emails through it, you have just created an unmanaged outsourcing arrangement.

The FCA's approach here is pragmatic but unforgiving. Under SYSC 8.1.1R, you must maintain a register of all outsourcing arrangements and assess them for materiality. If a SaaS tool processes personal data, it falls under UK GDPR and DPA 2018 obligations regardless of whether procurement approved it. The ICO can take substantial enforcement action, including fines of up to 4% of global turnover, for a data breach caused by an unauthorised SaaS vendor.

We recommend deploying a cloud access security broker (CASB) or a SaaS management platform that integrates with your identity provider. This is not about blocking productivity — it is about discovering what is already running. Once you have a complete inventory, apply the SaaS security checklist to every application that accesses or stores regulated data. If a tool does not meet the checklist criteria, block it or remediate it within 30 days. Document the exception process for the FCA.

For firms with limited budget, start with CloudAuditX. Our multi-cloud auditing platform runs a non-intrusive scan that maps your SaaS and cloud exposure. You will get a list of every connected application, their data residency, and their authentication posture — without deploying agents or disrupting operations.

Gap 3: Your Secure SDLC Implementation Does Not Include the Vendor's Pipeline

The third gap is the hardest to fix because it requires a cultural shift. Most UK CISOs focus on their own secure SDLC implementation — static analysis, dependency scanning, and code review for internally built applications. That is necessary. But it is not sufficient for FCA compliance. The regulator expects you to assess the security of the software supply chain, not just the final shipped product.

If your CRM vendor pushes a code update every two weeks without automated security testing in their CI/CD pipeline, that is a risk you inherit. If their container images contain known critical vulnerabilities in a base layer they last updated eighteen months ago, that is your regulatory problem, not theirs. The FCA does not care whose code broke — they care that your client data was exposed.

Here is what a regulator-grade vendor SDLC assessment looks like:

Verify the Vendor's Secure SDLC Implementation

  • Static application security testing (SAST): Do they scan every commit? Ask for the last quarter's scan summary showing severity counts and closure rates.
  • Dynamic application security testing (DAST) and penetration testing: When was their last external pen test? Who performed it? Were exploitable findings remediated within the agreed SLA?
  • Software composition analysis (SCA): Do they have a dependency scanner that catches known vulnerabilities in open-source libraries? The Log4j debacle should have taught everyone this lesson.
  • Change management and release gates: Can they provide a deployment report that shows every code change that went to production in the last 90 days, with associated security approvals?

This is not theoretical. One of our ISO 27001 certification clients — a UK payment services firm — discovered during a vendor assessment that their card tokenisation provider had no SAST in their pipeline. The provider's security team did not even know what SAST was. Our client exercised the contractual exit clause within 30 days and migrated to a provider with a verifiable secure SDLC. That move likely prevented a PII breach that would have triggered an FCA investigation and a potential Section 166 review.

Building Your SaaS Security Checklist: A Practical Framework

Start with this five-layer SaaS security checklist that maps directly to FCA operational resilience expectations:

  1. Discovery: Run a scan using our free compliance scanner or CloudAuditX to identify every SaaS application accessing your tenant.
  2. Classification: Categorise each application by data type (customer, employee, financial, regulatory). Assign a criticality score based on whether the service supports an "important business service" as defined by PS21/3.
  3. Assessment: For high-criticality vendors, perform a full software vendor security assessment covering access controls, incident response, BC/DR testing, and SDLC maturity.
  4. Contractual hardening: Update your vendor agreements to include specific SLAs for incident notification (four hours or less), data portability (complete export in machine-readable format within 48 hours), and audit rights (on-site or remote evidence review).
  5. Continuous monitoring: Re-assess critical vendors annually and any vendor after a significant security event. Use a vendor risk management platform to track evidence expiry dates.
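As an added illustration (not part of the original post, and not Pyralink's or CloudAuditX's code), the classification, contractual-hardening and monitoring steps above can be turned into a repeatable register check run over a SaaS inventory; the app fields, the sample inventory and the as-of date are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Set

# Data types the checklist treats as regulated; "employee" alone is not.
REGULATED = {"customer", "financial", "regulatory"}
AS_OF = date(2026, 3, 1)  # constructed review date for the sample run

@dataclass
class SaasApp:
    name: str
    data_types: Set[str]
    supports_ibs: bool                    # supports an "important business service" (PS21/3)
    mfa_enforced: bool                    # MFA for all admin users (assessment step)
    incident_notify_hours: Optional[int]  # contractual SLA; None = no clause
    export_hours: Optional[int]           # machine-readable export SLA; None = no clause
    last_assessed: Optional[date]         # date of last full vendor assessment

def criticality(app: SaasApp) -> str:
    """Classification step: regulated data plus an important business service is high."""
    touches_regulated = bool(app.data_types & REGULATED)
    if touches_regulated and app.supports_ibs:
        return "high"
    if touches_regulated or app.supports_ibs:
        return "medium"
    return "low"

def findings(app: SaasApp, today: date) -> list:
    """Assessment, contractual-hardening and monitoring checks for one app."""
    out = []
    if app.data_types & REGULATED and not app.mfa_enforced:
        out.append("no MFA on an app holding regulated data")
    if criticality(app) == "high":
        if app.incident_notify_hours is None or app.incident_notify_hours > 4:
            out.append("incident notification SLA missing or longer than 4h")
        if app.export_hours is None or app.export_hours > 48:
            out.append("data export SLA missing or longer than 48h")
        if app.last_assessed is None or today - app.last_assessed > timedelta(days=365):
            out.append("full assessment overdue (annual for critical vendors)")
    return out

def risk_register(apps, today: date) -> dict:
    return {a.name: {"tier": criticality(a), "findings": findings(a, today)} for a in apps}

# Constructed sample inventory, as a CASB or identity-provider export might list it.
INVENTORY = [
    SaasApp("crm-platform", {"customer", "financial"}, True, True, 4, 48, date(2025, 1, 10)),
    SaasApp("aml-screening", {"customer", "regulatory"}, True, False, None, 72, date(2025, 9, 1)),
    SaasApp("team-wiki", {"employee"}, False, True, None, None, None),
]
```

Calling `risk_register(INVENTORY, AS_OF)` flags the CRM's overdue annual assessment and the AML tool's missing MFA, missing incident SLA and 72-hour export window, while the wiki holding only employee data is tiered low with no findings.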

Document every step. The FCA will ask for your third-party risk register, your last six months of vendor assessments, and your board-level reporting on SaaS resilience. If you cannot produce these within five business days, you are not compliant.

Common Mistakes That Will Fail an FCA Review

We have seen several patterns repeat across UK financial services firms of all sizes:

  • Treating certification as a checkbox: ISO 27001 does not cover operational resilience. A vendor can be certified and still collapse under a ransomware attack. Assess the service, not the certificate.
  • Ignoring contractual exit rights: Many SaaS agreements lock firms into annual contracts with no mechanism for termination on security grounds. Negotiate a "material security failure" clause today, not when the breach happens.
  • Assuming SMB vendors can scale: A fintech start-up with a great product may have zero incident response capability. The FCA expects you to size your vendor's maturity against your own risk appetite, not against the market.

How Pyralink Delivers FCA-Ready SaaS Security

Pyralink Innovation Ltd, led by Michael Adedeji (CISM, CISA, CC, MSc Data Science), specialises in operational resilience for UK-regulated firms. Our consultants have hands-on experience building vendor assessment programmes that pass FCA scrutiny — not theoretical frameworks from textbooks.

Our CloudAuditX platform provides automated multi-cloud and SaaS discovery. Run a free scan to see your full cloud exposure in under an hour. For firms needing ongoing oversight, our fractional vCISO service starts at £497 per month and includes vendor risk management, policy updates, and board reporting. We carry £5 million professional indemnity insurance because we stand behind our advice.

We also support ISO 27001 certification, compliance programme management, and full third-party risk assessments. Every engagement is delivered by certified practitioners who have been in the room when the regulator asks hard questions.

The Q3 2026 timeline is not a scare tactic — it is the natural next step after the FCA's 2024–2025 focus on critical third parties. Start your SaaS security assessment now, while you have time to remediate before the letters arrive.

Run a free CloudAuditX scan →

Book a free security review →
