In the FCA's words, the perimeter report is designed to clarify some of the regulatory perimeter's complexities, explain what the FCA is up to and highlight where it sees gaps in legislation and the potential for harm.

It is a seemingly innocuous report which comes on the heels of the Business Plan and might be easily overlooked however, given the speed of technological change and the digitalisation of financial services, it is always worth knowing what is going on in the regulatory brain.

Many fintech firms rely heavily on unregulated outsourced service providers to enable them to provide a frictionless end to end service for customers who access their products and services online and through apps and telephony channels.  With a buoyant market in the acquisition of successful smaller fintechs and, in some cases, simply through rapid growth, we are now seeing certain providers increase their market share and becoming dominant.  In some sectors, the majority of the market is supported by a small number of third party service providers.  While outsourcing agreements provide step in rights and the ability to transfer to from one provider to another, for years there has been a softly-whispered concern that, in the event that one of those third party providers falls over, there simply won't be the bandwidth for the others to step in or the ability for firms themselves to bring activities in house with all that that entails.  

Many third party providers are not regulated firms - they don't need to be - but that doesn't mean that their activities are not crucial to the provision of services that fall within the regulatory perimeter.  As a result, the the FCA's approach is through what it calls "indirect" supervision.  Ultimately, this means that the FCA can (and does) lean on the authorised firm to ensure that unregulated third party service providers do not allow customer detriment or risks to the financial system to arise.

This has a knock-on effect for unregulated third party service providers who provide services to authorised firms who, as a result of the operational resilience requirements, can expect to see more and more challenge around how, when and where they supply services which result in them needing to be far more agile so that they are able to cater to the different expectations and risk appetites of a number of clients.

What I find most interesting is that this topic has now surfaced in the Perimeter Report.  The perimeter, set by the Government and Parliament, sets out what the FCA can and can't regulate.  The regulatory perimeter is not static - it changes over time to include new products and services and to deal with new risks.  Could it be that, in time, significant third party service providers might be brought within the regulatory perimeter if the risks of having unregulated providers in the supply chain prove too great?  Watch this space.