Case Study 33.2: Third-Party ICT Risk — When Your Cloud Provider Is Your Regulatory Problem


Overview

Organisation: Verdant Bank (fictional UK challenger bank; Maya Osei is Chief Compliance Officer)

Setting: Verdant's core banking platform is hosted by a UK cloud provider also used by 12 other FCA-regulated financial institutions. The provider suffers a major outage. The FCA designates the provider as a Critical Third Party under the Financial Services and Markets Act 2023 CTP regime. Verdant's contract with the provider contains none of the provisions DORA Article 28 or the CTP rules require.

Key principle established: Regulated firms cannot outsource regulatory accountability for operational resilience to their technology vendors, regardless of what any service agreement says.


The Situation

Verdant Bank is a seven-year-old UK challenger bank serving approximately 97,000 retail and SME customers through a digital-only proposition. Verdant holds a full banking licence from the PRA and FCA. Its Dublin branch — serving 12,400 Irish and EU retail customers — was established in 2023 and falls within DORA's scope from January 2025.

Verdant's core banking architecture is almost entirely cloud-hosted. In 2021, the bank made a strategic decision — widely applauded at the time — to host 90% of its core systems on the platform of a UK-headquartered cloud provider, NexaCloud Ltd. The choice was driven by NexaCloud's financial services specialism, its UK data residency, and its substantially lower cost compared to the US hyperscalers.

What Verdant did not know — and had not assessed — was that NexaCloud had made the same pitch to 12 other FCA-regulated financial institutions. By 2025, NexaCloud hosted core banking or payment systems for 13 UK financial institutions in aggregate, representing a significant concentration of regulated financial services on a single third-party infrastructure.

Maya Osei had been in post as CCO for eleven months when the NexaCloud outage occurred. She had flagged the concentration risk in her first Board risk report. The response had been that NexaCloud's platform was operationally excellent, that the existing contract was comprehensive, and that a migration would take two years and cost more than the bank's annual technology budget. The flag was noted. No action was taken.

The absence of an audit right, an exit plan, and tested recovery capability from the NexaCloud environment — gaps Maya had identified but not escalated with sufficient force — would define the regulatory consequences of the outage.


The Outage

On a Tuesday morning in March 2025, NexaCloud's UK primary data centre experiences a cooling system failure that triggers an automated emergency shutdown of its compute cluster. The shutdown affects all 13 financial institution clients simultaneously. NexaCloud's secondary data centre — intended as the failover — experiences a software configuration conflict triggered by the primary failure, and fails to activate correctly for approximately 90 minutes.

For Verdant, the impact is immediate and severe:

  • Core banking systems (account balances, transaction processing, customer authentication): unavailable from 9:14 AM until 11:47 AM — 2 hours and 33 minutes.
  • Payment processing (domestic bank transfers, Direct Debits, standing orders): unavailable from 9:14 AM until 3:22 PM — 6 hours and 8 minutes.
  • Customer portal (web and mobile banking app): intermittently unavailable until 4:45 PM.
  • Regulatory reporting systems: unavailable until 2:30 PM.

Three of Verdant's declared important business services breach their impact tolerances:

  • Retail payment processing (impact tolerance: 4 hours): breached at 1:14 PM, 4 hours into the outage.
  • Account access and authentication (impact tolerance: 2 hours): breached at 11:14 AM, though restored at 11:47 AM — a 33-minute breach.
  • SME payment processing (impact tolerance: 4 hours): breached at 1:14 PM in parallel with retail payments.

Approximately 97,000 customers are unable to access banking services during peak hours. Approximately 23,000 payment instructions — including 1,400 time-sensitive business payroll transfers — are queued and delayed. Several SME clients report missed payroll obligations as a direct consequence.
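The breach times in the list above follow a simple rule: a tolerance is breached the moment the disruption has lasted longer than the declared tolerance, and the breach lasts until the service is restored. The following Python is an added example, not code from the case study; it generalises that rule to any set of important business services and derives a notification clock from the first breach. The outage windows are constructed from the timings given above, the 8-hour tolerance for regulatory reporting is a constructed value (the case study does not declare that service as an important business service), and starting the 4-hour DORA initial-notification window at the relevant tolerance breach is an assumption of this example rather than a statement of the regulatory text.

```python
"""Impact tolerance breach calculator for an operational resilience timeline.

Added example, not code from the case study. The outage windows below are
constructed from the timings the case study gives for the NexaCloud outage and
the impact tolerances it says Verdant declared. The 4-hour notification window
mirrors the DORA initial-notification window as the case study describes it;
starting that clock at the relevant tolerance breach is an assumption of this
example, not a statement of the regulatory text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class ServiceOutage:
    service: str              # important business service (IBS) name
    tolerance: timedelta      # declared impact tolerance for that IBS
    start: datetime           # first moment the service became unavailable
    end: Optional[datetime]   # restoration time, or None if still down when assessed


@dataclass(frozen=True)
class BreachAssessment:
    service: str
    breached: bool
    breached_at: Optional[datetime]        # moment the tolerance was exceeded
    breach_duration: Optional[timedelta]   # time spent outside tolerance


def assess(outage: ServiceOutage, now: datetime) -> BreachAssessment:
    """A tolerance is breached the instant the disruption has lasted longer than
    the tolerance. An outage still open at assessment time is measured up to
    `now`, so an ongoing incident reports as breached once the tolerance elapses."""
    end = outage.end if outage.end is not None else now
    breach_point = outage.start + outage.tolerance
    if end <= breach_point:
        return BreachAssessment(outage.service, False, None, None)
    return BreachAssessment(outage.service, True, breach_point, end - breach_point)


def first_breach(assessments: List[BreachAssessment]) -> Optional[datetime]:
    """Earliest moment any IBS left tolerance: the natural start of the
    supervisory-notification clock."""
    times = [a.breached_at for a in assessments if a.breached]
    return min(times) if times else None


def notification_on_time(filed_at: datetime, clock_start: datetime,
                         window: timedelta = timedelta(hours=4)) -> bool:
    """True if a notification filed at `filed_at` lands inside `window` of `clock_start`."""
    return clock_start <= filed_at <= clock_start + window


# --- constructed timeline: a Tuesday morning in March 2025, per the case study ---
def T(hour: int, minute: int) -> datetime:
    """Clock time on the (constructed) outage day; 11 March 2025 is a Tuesday."""
    return datetime(2025, 3, 11, hour, minute)


OUTAGE_START = T(9, 14)
VERDANT_SERVICES = [
    ServiceOutage("Retail payment processing", timedelta(hours=4), OUTAGE_START, T(15, 22)),
    ServiceOutage("Account access and authentication", timedelta(hours=2), OUTAGE_START, T(11, 47)),
    ServiceOutage("SME payment processing", timedelta(hours=4), OUTAGE_START, T(15, 22)),
    # Regulatory reporting is not one of Verdant's declared IBSs in the case study;
    # the 8-hour tolerance is a constructed value that exercises the non-breach path.
    ServiceOutage("Regulatory reporting", timedelta(hours=8), OUTAGE_START, T(14, 30)),
]


def run_assessment(services=VERDANT_SERVICES, now: datetime = T(17, 0)) -> List[BreachAssessment]:
    """Assess every service as at `now` (17:00, after all restorations in the timeline)."""
    return [assess(s, now) for s in services]


if __name__ == "__main__":
    results = run_assessment()
    for r in results:
        if r.breached:
            print(f"{r.service}: breached at {r.breached_at:%H:%M}, {r.breach_duration} outside tolerance")
        else:
            print(f"{r.service}: within tolerance")
    clock = first_breach(results)
    print(f"first breach {clock:%H:%M}; 4-hour window closes {clock + timedelta(hours=4):%H:%M}")
```

Run as a script it reproduces the three breaches above (account access at 11:14 for 33 minutes, both payment services at 13:14 for 2 hours 8 minutes) and shows regulatory reporting staying inside its constructed tolerance. The `end is None` branch matters in a live incident: the same function reports a breach as soon as the tolerance elapses, rather than waiting for restoration, which is when the notification clock actually starts.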


The FCA CTP Designation Process

The FCA's response to the NexaCloud outage is not just supervisory — it is structural. Because 13 FCA-regulated firms are simultaneously affected by a single provider's failure, the FCA opens a Critical Third Party assessment under the Financial Services and Markets Act 2023 (FSMA 2023) CTP regime.

The FSMA 2023 CTP regime, developed jointly by the FCA, PRA, and Bank of England, allows regulators to designate cloud and technology providers as Critical Third Parties when their failure or disruption could threaten the stability of, or confidence in, UK financial services. Designation is made by HM Treasury on the recommendation of the regulators, and subjects the CTP to direct regulatory obligations including minimum resilience standards and regulatory testing.

NexaCloud serves 13 regulated firms simultaneously, hosting core banking or payment systems for each. The aggregate customer exposure is approximately 1.1 million retail and SME customers. This concentration meets the threshold criteria for CTP assessment.

The FCA writes to NexaCloud to begin the designation assessment process. It simultaneously writes to all 13 affected financial institutions, including Verdant, to request documentation of their third-party risk management arrangements, their contractual rights over NexaCloud, and their tested recovery capabilities from the NexaCloud environment.

Maya receives the FCA's letter four days after the outage. It asks for the following documentation within 14 days: Verdant's ICT third-party provider register entry for NexaCloud; the service agreement and data processing agreement with NexaCloud; evidence of audit rights and any audit results; Verdant's exit and migration plan from the NexaCloud environment; and test results for any scenario in which Verdant simulated recovery from a NexaCloud failure.

Maya's review of the files takes three hours. The results are not encouraging.


What the FCA Found in Its CTP Assessment

Verdant was not the FCA's only concern — but it was among the most clearly deficient of the 13 affected firms. The FCA's CTP assessment findings, as communicated to Verdant in a supervisory letter six weeks after the outage, identified the following:

Finding 1: No contractual audit right. Verdant's service agreement with NexaCloud contained a standard SaaS audit provision: "NexaCloud may, at its discretion, provide Verdant with the results of third-party security audits conducted on NexaCloud's behalf." This is not an audit right. It is a discretionary disclosure. Verdant had no right to conduct or commission an audit of NexaCloud's systems, security controls, or resilience arrangements. Under DORA Article 30(2)(f) and the FCA's third-party risk management expectations, financial entities must have meaningful audit rights over their critical ICT providers — rights that are contractual entitlements, not vendor courtesies.

Finding 2: No documented exit plan. Verdant had no documented plan for migrating its core banking systems from NexaCloud to an alternative provider or in-house infrastructure. The FCA's operational resilience rules (PS21/3) require firms to understand their dependencies and to demonstrate, through scenario testing, that they can remain within impact tolerances during severe disruption scenarios. A recovery scenario in which Verdant must exit NexaCloud — whether due to NexaCloud's failure, financial difficulty, or regulatory intervention — cannot be tested or managed without an exit plan. None existed.

Finding 3: No tested recovery capability from the NexaCloud environment. Verdant's disaster recovery testing had been conducted entirely within the NexaCloud environment — failing over from the primary NexaCloud cluster to the secondary NexaCloud cluster. This is not a test of recovery from NexaCloud; it is a test of NexaCloud's own resilience. The scenario in which NexaCloud itself fails — as it did during the outage — had never been tested by Verdant. The firm's impact tolerances were set without any empirical evidence of whether Verdant could meet them in a full NexaCloud failure scenario.

Finding 4: No concentration risk assessment. Verdant's ICT third-party provider register listed NexaCloud with a high criticality rating but no concentration risk assessment. The firm had not assessed whether NexaCloud's services to other regulated entities created systemic exposure. It had not considered whether a NexaCloud failure affecting multiple institutions simultaneously would complicate Verdant's own recovery — for example, because NexaCloud's technical response resources would be divided across 13 clients rather than focused on Verdant.

Finding 5: Pre-DORA contracts not updated. Verdant's agreement with NexaCloud predated DORA's application in January 2025. The agreement had not been renegotiated to include the DORA Article 30 mandatory provisions: incident notification timeframes, security requirements, resilience testing obligations, or sub-contractor ICT security requirements. Verdant had a known obligation to remediate its ICT third-party contracts for DORA compliance. The remediation had been scheduled for Q3 2025 — after the outage occurred in March.


Maya's Response

Maya's immediate response, in the 72 hours following the outage, covers the regulatory notification obligations that are within her direct control.

Verdant's FCA PRIN 11 notification is filed at 11:30 AM on the day of the outage — 2 hours and 16 minutes after the outage began. The notification identifies the three breached important business services, the duration of disruption, the NexaCloud root cause as preliminary, and the customer impact assessment in progress. It is, Maya reflects later, the one thing that went correctly on the day. The notification workflow she had insisted on implementing after reading an FCA Dear CEO letter the previous autumn — the automated compliance dashboard and pre-drafted templates — had done exactly what it was designed to do.

The DORA major incident notification for the Dublin branch follows at 1:47 PM, 29 minutes after the payment processing impact tolerance for EU customers is breached. The initial notification is within the 4-hour classification window.

The ICO GDPR assessment determines that the outage did not result in a personal data breach — the customer data itself remained encrypted and inaccessible to any third party; the disruption was an availability failure, not a confidentiality or integrity failure. No ICO notification is required, though the assessment is documented.

The 90-day remediation response begins on day 4.

Maya's remediation programme, presented to the Board at a special meeting 10 days after the outage, commits to four deliverables within 90 days:

Contract renegotiation. Verdant's legal and procurement teams will renegotiate the NexaCloud service agreement to include: a genuine bilateral audit right (Verdant may conduct or commission an annual security audit); mandatory incident notification to Verdant within 4 hours of NexaCloud detecting any incident affecting Verdant's services; resilience testing obligations (NexaCloud must participate in Verdant's annual scenario testing); sub-contractor security requirements; and exit assistance obligations requiring NexaCloud to cooperate with Verdant's migration to an alternative provider with 12 months' notice.

Exit and migration plan. Verdant will produce a documented exit plan for migrating its core banking systems from NexaCloud within 18 months. The plan will include a target alternative provider, a migration sequence prioritised by criticality, estimated timeline, and cost. The plan will be updated annually.

NexaCloud failure scenario testing. Verdant will conduct, within 60 days, a tabletop test of the scenario in which NexaCloud suffers a complete 24-hour outage. The test will assess whether Verdant's manual fallback procedures, partial system workarounds, and customer communication protocols are sufficient to manage within its declared impact tolerances. Results will be reported to the Board and shared with the FCA.

CTP register. Verdant will build and maintain a Critical Third Party register — distinct from its general ICT third-party register — identifying all providers whose failure could affect three or more of its important business services simultaneously. NexaCloud is the first entry. The register will include, for each CTP: contract status (DORA-compliant/non-compliant); audit right status; exit plan status; and last test date.
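The CTP register described above is, in substance, an inverted dependency map (which providers can take down which important business services) with four status fields per entry. The Python below is an added example, not code from the case study or from Verdant, showing how such a register can be built and checked. Only NexaCloud and the three important business services it took down come from the case study; "CardProc Ltd", "IdentCo" and the "Card payments" service are hypothetical and exist to show the non-CTP path. The three-service threshold is the criterion stated above; the 12-month limit on the age of the last full-provider-failure test is an assumption of this example.

```python
"""Critical Third Party (CTP) register builder with an internal concentration check.

Added example, not code from the case study. The dependency map and register
attributes below are constructed: NexaCloud and the three important business
services it took down come from the case study; "CardProc Ltd" and "IdentCo" are
hypothetical providers added to show the non-CTP path. The threshold of three or
more important business services is the criterion the case study gives for
Verdant's CTP register; the 12-month limit on the age of the last
full-provider-failure test is an assumption of this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class ProviderAttributes:
    contract_dora_compliant: bool   # DORA Article 30 mandatory provisions present
    audit_right: bool               # a contractual entitlement, not discretionary disclosure
    exit_plan: bool                 # documented, maintained exit and migration plan
    last_test: Optional[date]       # last test of a full-provider failure scenario


@dataclass
class RegisterEntry:
    provider: str
    affected_services: Set[str]
    attributes: ProviderAttributes


def providers_by_impact(dependencies: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert an IBS -> providers map into provider -> IBSs whose failure it could cause."""
    inverted: Dict[str, Set[str]] = {}
    for service, providers in dependencies.items():
        for provider in providers:
            inverted.setdefault(provider, set()).add(service)
    return inverted


def critical_third_parties(dependencies: Dict[str, Set[str]], threshold: int = 3) -> Dict[str, Set[str]]:
    """Providers whose single failure would hit `threshold` or more IBSs at once."""
    return {p: s for p, s in providers_by_impact(dependencies).items() if len(s) >= threshold}


def register_gaps(entry: RegisterEntry, today: date,
                  max_test_age: timedelta = timedelta(days=365)) -> List[str]:
    """The status fields the case study's register tracks, turned into findings."""
    a = entry.attributes
    gaps: List[str] = []
    if not a.contract_dora_compliant:
        gaps.append("contract lacks DORA Article 30 mandatory provisions")
    if not a.audit_right:
        gaps.append("no contractual audit right")
    if not a.exit_plan:
        gaps.append("no documented exit plan")
    if a.last_test is None:
        gaps.append("full-provider failure scenario never tested")
    elif today - a.last_test > max_test_age:
        gaps.append("last full-provider failure test older than 12 months")
    return gaps


def build_register(dependencies: Dict[str, Set[str]],
                   attributes: Dict[str, ProviderAttributes],
                   threshold: int = 3) -> List[RegisterEntry]:
    """One register entry per provider meeting the CTP threshold, widest blast radius first."""
    ctps = critical_third_parties(dependencies, threshold)
    entries = [RegisterEntry(p, services, attributes[p]) for p, services in ctps.items()]
    return sorted(entries, key=lambda e: (-len(e.affected_services), e.provider))


# --- constructed data ---
DEPENDENCIES: Dict[str, Set[str]] = {
    "Retail payment processing": {"NexaCloud Ltd"},
    "Account access and authentication": {"NexaCloud Ltd", "IdentCo"},
    "SME payment processing": {"NexaCloud Ltd"},
    "Card payments": {"CardProc Ltd"},   # hypothetical service and provider
}
PROVIDER_ATTRIBUTES: Dict[str, ProviderAttributes] = {
    # Mirrors the case study's findings 1, 2, 3 and 5 for NexaCloud.
    "NexaCloud Ltd": ProviderAttributes(False, False, False, None),
    "IdentCo": ProviderAttributes(True, True, True, date(2024, 11, 5)),
    "CardProc Ltd": ProviderAttributes(True, True, False, date(2023, 6, 1)),
}
TODAY = date(2025, 3, 15)   # a few days after the constructed outage


if __name__ == "__main__":
    for entry in build_register(DEPENDENCIES, PROVIDER_ATTRIBUTES):
        print(f"{entry.provider}: affects {sorted(entry.affected_services)}")
        for gap in register_gaps(entry, TODAY):
            print(f"  - {gap}")
```

With the constructed data only NexaCloud crosses the three-service line, and its entry carries all four gaps the FCA found. Lowering `threshold` to 1 turns the same function into the general ICT third-party register, which is the relationship the case study describes between the two registers; the `last_test` field is the one that catches Finding 3, because a recent in-provider failover test does not count as a full-provider-failure test and should not be recorded here.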


The Regulatory Lesson

The NexaCloud outage and the FCA's CTP designation response establish a regulatory principle that Maya articulates plainly in her Board presentation: Verdant hosted its core banking systems with NexaCloud. Verdant assumed that hosting its systems externally transferred the operational risk of those systems to the provider. It did not.

DORA Article 28 states the principle with equal plainness: "Financial entities shall remain fully responsible for compliance with, and discharge of, all obligations under this Regulation when using ICT services provided by ICT third-party service providers." The FCA's CTP regime rests on the same foundation. When NexaCloud failed, Verdant's customers were unable to access banking services, Verdant's payment obligations were delayed, and Verdant's important business services breached their impact tolerances. These were Verdant's regulatory failures — not NexaCloud's.

The contractual relationship between a financial institution and its technology providers must reflect this regulatory reality. Audit rights are not a nice-to-have; they are the mechanism through which a regulated firm exercises the oversight it is legally required to conduct. Exit plans are not a contingency; they are the evidence that a firm has genuinely assessed its dependence and has a credible path to continuity. Resilience testing that covers only in-provider failover is not operational resilience testing; it is vendor resilience testing, which is a different thing entirely.

The broader industry lesson from the NexaCloud CTP designation is concentration risk. No single firm's decision to use NexaCloud created a systemic problem. The aggregate decision of 13 firms — each making individually rational decisions about cost, specialism, and UK data residency — created a concentration that the FCA had not mapped and that none of the 13 firms had individually assessed. DORA's concentration risk assessment requirement, and the FCA's parallel expectation that firms assess the systemic implications of their third-party dependencies, exist precisely because individually rational decisions can produce collectively irrational outcomes.


Discussion Questions

  1. Maya had flagged the NexaCloud concentration risk in her first Board risk report eleven months before the outage. The Board's response was to note the risk but take no action, citing migration cost and timeline. As CCO, what escalation options are available to a compliance officer when a risk flag is noted but not acted upon? At what point — and through what mechanism — should Maya have escalated the concentration risk issue beyond the Board, and what would have happened to her senior manager accountability position under SM&CR if the outage had triggered regulatory enforcement against Verdant?

  2. Verdant's disaster recovery testing had been conducted entirely within the NexaCloud environment, testing failover between NexaCloud's primary and secondary clusters. The scenario of NexaCloud itself failing had never been tested. Design a resilience testing programme for Verdant that genuinely tests its ability to remain within impact tolerances during a full NexaCloud failure — not NexaCloud's internal resilience. What would the test scenario look like, who would participate, what would "passing" mean, and how would results be reported to the Board and the FCA?

  3. The FCA's CTP designation of NexaCloud gives the regulator direct oversight powers over a technology company that is not itself an FCA-authorised firm. Analyse the jurisdictional and practical challenges of regulating a technology provider through a sector-specific regime: what can the CTP regime require of NexaCloud that the 13 affected financial institutions individually could not? What are the limits of the CTP regime's powers, and what happens if NexaCloud's services to non-financial sector clients conflict with CTP regulatory requirements?

  4. DORA Article 30's mandatory contract provisions were known to Verdant's legal team before the outage. The renegotiation was scheduled for Q3 2025 but the outage occurred in March. Verdant was in a period of known non-compliance with DORA's contract requirements. If the FCA or Central Bank of Ireland had assessed Verdant's DORA compliance status in February 2025 — one month before the outage — what findings would they have made, and what enforcement options would have been available to them? How should regulated firms manage the period of known non-compliance during a DORA contract remediation programme?

  5. Maya's 90-day remediation programme commits to renegotiating the NexaCloud contract to include an audit right. NexaCloud, as a vendor serving 13 regulated firms simultaneously, may resist adding audit rights for each client individually — the operational burden of 13 separate annual security audits would be substantial. Propose a practical solution to the audit right problem that satisfies DORA and FCA requirements without imposing disproportionate operational burden on the provider. Consider: pooled audits, third-party certification, regulatory-led assessments under the CTP regime, and information-sharing frameworks.