The Concentration Concern
Regulators including the FCA, PRA, and Bank of England have flagged concern about the financial services industry's growing dependence on a small number of AI model providers. If many firms rely on the same underlying AI systems, a failure or vulnerability at one provider could have systemic implications.
For SMEs, this creates a tension: the most capable AI comes from large providers, but dependence on those providers creates risk.
Understanding Third-Party AI Risk
Types of AI Provider Relationships
Direct API Access:
- Using OpenAI, Anthropic, Google AI directly
- Maximum capability, maximum dependence
- Data flows to provider
- Pricing and availability controlled by provider
Embedded AI:
- AI features in existing software
- Less visible dependence
- Still subject to provider changes
- May cascade through supply chain
Specialist Financial AI:
- Credit scoring providers
- Fraud detection services
- AML screening tools
- Regulatory-aware but still third-party
What Could Go Wrong
Operational:
- Service outages affecting your operations
- Performance degradation
- Capacity constraints during peaks
- Geographic availability issues
Commercial:
- Pricing changes
- Terms and conditions changes
- Service discontinuation
- Provider acquisition or exit
Compliance:
- Provider compliance failures
- Data handling changes
- Regulatory actions against provider
- Cross-border complications
Security:
- Provider security breaches
- Model vulnerabilities exploited
- Data exposure
- Malicious model manipulation
Third-party AI risk is particularly acute in financial services because of the regulatory focus and systemic risk concerns. The FCA expects firms to actively manage this risk.
Regulatory Expectations
FCA Perspective
The FCA expects firms to:
- Understand their third-party AI dependencies
- Conduct appropriate due diligence
- Have contingency arrangements
- Monitor provider performance
- Maintain accountability for outcomes
Operational Resilience
New operational resilience requirements apply:
- Important business services identified
- Impact tolerances defined
- Third-party dependencies mapped
- Testing and planning conducted
AI providers supporting important services need resilience consideration.
Senior Manager Accountability
Senior managers remain accountable:
- Can't outsource responsibility
- Must understand dependencies
- Required to oversee arrangements
- Liable for compliance failures
Due Diligence Framework
Before Adoption
Technical Assessment:
- How does the AI work?
- What data is required?
- What security controls exist?
- What's the reliability track record?
Operational Assessment:
- Service level commitments
- Support arrangements
- Change notification processes
- Geographic considerations
Commercial Assessment:
- Pricing structure and stability
- Contract terms
- Lock-in provisions
- Exit arrangements
Compliance Assessment:
- Provider's regulatory status
- Compliance with relevant standards
- Data protection arrangements
- Incident notification provisions
Questions to Ask
| Area | Key Questions |
|---|---|
| Security | What certifications? How is data protected? What's the breach history? |
| Availability | What's the SLA? What's actual performance? What's the redundancy? |
| Data | Where is data processed? Is it used for training? Who can access it? |
| Compliance | What regulatory oversight applies? How are changes managed? |
| Continuity | What if the provider fails? What's the exit process? |
Red Flags
- No security certifications
- Poor or no SLA
- Vague data handling terms
- No exit provisions
- History of significant incidents
- Lack of transparency
- Resistance to due diligence
Major AI providers generally have good security. The risk is often more about dependence and exit than about provider competence.
Resilience Planning
Reducing Single Points of Failure
Multi-Provider Strategy:
- Use multiple AI providers where practical
- Avoid dependence on single source for critical functions
- Build switching capability
- Accept some cost/complexity trade-off
Hybrid Approaches:
- Combine cloud AI with on-premises capability
- Use AI to augment rather than replace
- Maintain manual fallback for critical processes
- Build internal expertise
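The multi-provider and manual-fallback points above describe an architecture rather than a product. As an added illustration (not code from the original page or from any provider named on it), the following Python sketch shows one way to build that switching capability: requests go to providers in preference order, a provider that fails repeatedly is skipped for a cooldown period (a simple circuit breaker), and when every provider is unavailable the request is routed to a manual process. It also records the per-provider availability and latency figures you would compare against an SLA. The provider adapters, the `AIGateway` class and the constructed scenario in `demo()` are all assumptions made for the example; in practice each adapter would wrap a real API client.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


class ProviderError(Exception):
    """Raised by a provider adapter on outage, timeout or rejected request."""


@dataclass
class ProviderStats:
    calls: int = 0
    failures: int = 0
    consecutive_failures: int = 0
    latencies_ms: List[float] = field(default_factory=list)
    open_until: float = 0.0  # circuit breaker: skip this provider until this time


@dataclass
class Provider:
    name: str
    call: Callable[[str], str]  # adapter: prompt -> completion (hypothetical)
    stats: ProviderStats = field(default_factory=ProviderStats)


class AIGateway:
    """Route a request across providers in preference order, trip a circuit
    breaker on repeated failure, and fall back to a manual process last."""

    def __init__(self, providers: List[Provider], manual_fallback: Callable[[str], str],
                 failure_threshold: int = 3, cooldown_s: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.providers = providers
        self.manual_fallback = manual_fallback
        self.failure_threshold = failure_threshold
        self.cooldown_s = cooldown_s
        self.clock = clock  # injectable so the behaviour can be tested offline

    def complete(self, prompt: str) -> Tuple[str, str]:
        """Return (route_name, result); route_name shows which path served it."""
        now = self.clock()
        for p in self.providers:
            if p.stats.open_until > now:
                continue  # breaker open: this provider failed repeatedly, skip it
            p.stats.calls += 1
            start = self.clock()
            try:
                result = p.call(prompt)
            except ProviderError:
                p.stats.failures += 1
                p.stats.consecutive_failures += 1
                if p.stats.consecutive_failures >= self.failure_threshold:
                    p.stats.open_until = self.clock() + self.cooldown_s
                continue  # try the next provider in preference order
            p.stats.consecutive_failures = 0
            p.stats.latencies_ms.append((self.clock() - start) * 1000.0)
            return p.name, result
        # Every provider is down or tripped: hand the work to the human process
        return "manual-fallback", self.manual_fallback(prompt)

    def report(self) -> Dict[str, Dict[str, float]]:
        """Per-provider availability and median latency, for SLA comparison."""
        out: Dict[str, Dict[str, float]] = {}
        for p in self.providers:
            s = p.stats
            ok = s.calls - s.failures
            lat = sorted(s.latencies_ms)
            out[p.name] = {
                "calls": float(s.calls),
                "availability": (ok / s.calls) if s.calls else 1.0,
                "p50_ms": lat[len(lat) // 2] if lat else 0.0,
            }
        return out


def always_fail(prompt: str) -> str:
    """Stub adapter standing in for a provider that is currently down."""
    raise ProviderError("constructed outage: 503 from provider")


def demo() -> Tuple[List[str], Dict[str, Dict[str, float]]]:
    """Constructed scenario: primary provider is down, secondary is healthy."""
    state = {"t": 0.0}

    def fake_clock() -> float:  # deterministic stand-in for time.monotonic
        state["t"] += 0.01
        return state["t"]

    def secondary_ok(prompt: str) -> str:
        return f"[secondary] {prompt}"

    def manual(prompt: str) -> str:
        return f"queued for human review: {prompt}"

    gw = AIGateway([Provider("primary", always_fail), Provider("secondary", secondary_ok)],
                   manual, failure_threshold=3, cooldown_s=60.0, clock=fake_clock)
    routes = [gw.complete(f"request {i}")[0] for i in range(5)]
    return routes, gw.report()


if __name__ == "__main__":
    routes, report = demo()
    print(routes)   # primary trips after 3 failures; all five served by secondary
    print(report)
```

The design choice worth noting is that the breaker is per provider and time-based, so a provider that recovers is retried automatically after the cooldown, while the `report()` output gives you the measured availability to set against the contractual SLA rather than relying on the provider's own status page.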
Contingency Arrangements
For Service Interruption:
- Identify impact on your operations
- Define response procedures
- Test contingency arrangements
- Communicate with stakeholders
For Provider Failure:
- Understand data portability
- Identify alternative providers
- Maintain documentation for switching
- Consider exit costs in planning
Monitoring
Ongoing Assessment:
- Track service performance
- Monitor provider news and developments
- Review contracts periodically
- Update risk assessments
Early Warning:
- Watch for provider difficulties
- Note changes in service quality
- Track industry developments
- Maintain provider relationship
Contractual Protections
Key Terms to Include
Service Levels:
- Availability targets
- Performance metrics
- Consequences for failure
- Measurement and reporting
Data Protection:
- Processing limitations
- Security requirements
- Breach notification
- Data return/deletion
Change Management:
- Advance notification of changes
- Right to terminate on material change
- Version control where relevant
- Testing arrangements
Exit:
- Data portability provisions
- Transition assistance
- Post-termination obligations
- Reasonable notice periods
Negotiation Reality
Large Providers:
- Standard terms often non-negotiable
- SMEs have limited leverage
- Focus on understanding rather than changing
- Consider terms in adoption decision
Specialist Providers:
- More room for negotiation
- Custom terms possible
- Build relationship for flexibility
- Document agreed variations
Documentation Requirements
What to Document
Provider Assessment:
- Due diligence conducted
- Risk assessment
- Approval decision and rationale
- Ongoing monitoring plan
Operational Arrangements:
- How AI is used
- Integration with your systems
- Responsibility allocation
- Incident response
Review Schedule:
- Regular review cadence
- Trigger events for early review
- Documentation requirements
- Accountability for review
Demonstrating Compliance
When regulators ask, you should be able to show:
- You understand your AI dependencies
- You've conducted appropriate due diligence
- You have contingency arrangements
- You're monitoring on an ongoing basis
- Someone is accountable
Documentation isn't bureaucracy—it's evidence that you're managing risk responsibly. In regulatory review, documented thinking carries weight.
Proportionate Approach
Risk-Based Assessment
Not all third-party AI requires the same scrutiny:
| Use | Risk Level | Approach |
|---|---|---|
| Document automation | Lower | Basic due diligence |
| Customer chatbot | Medium | Standard assessment, monitoring |
| Credit decisions | Higher | Comprehensive assessment, ongoing oversight |
| Fraud detection | Higher | Detailed scrutiny, multiple controls |
SME Practical Reality
- You can't negotiate with OpenAI the way a major bank can
- Perfect alternatives may not exist
- Some concentration is unavoidable
- Focus on understanding and contingency
The goal isn't eliminating risk—it's managing it appropriately.
Need help managing third-party AI risk? We help financial services SMEs implement appropriate governance for AI provider relationships.
Book a consultation to discuss your specific risk management needs.
