What Third-Party AI Vendor Due Diligence Should Financial Services Firms Conduct?

16 January 2026
Answered by Rohit Parmar-Mistry

Quick Answer

Outsourcing to an AI vendor does not outsource your regulatory responsibility. Learn what due diligence financial services firms should conduct.

Detailed Answer

This article is for informational purposes only and does not constitute financial or legal advice. You should consult with a qualified professional before making any decisions about the use of AI in your firm.

Your AI vendor is not your partner; they are your supplier. And when their technology fails, causing customer harm or a market disruption, the FCA will not be flying to Silicon Valley to hold them accountable. They will be walking down the corridor to your office. Outsourcing the technology does not mean you can outsource the responsibility.

In the rush to adopt AI, many financial services firms are relying on third-party vendors to provide the technology. This makes sense from a resource perspective, but it creates a significant governance challenge. The FCA has been crystal clear: you, the regulated firm, are ultimately responsible for the outcomes produced by the AI systems you use, regardless of who built them.

Standard procurement due diligence is no longer fit for purpose. A cursory look at a vendor's SOC 2 report and a review of their marketing materials is a recipe for regulatory disaster. You need a new, more rigorous approach to AI vendor due diligence.

The Problem with "Trust Us, It Works"

The AI vendor landscape is full of bold claims and black boxes. Vendors will promise you transformative results, but when you ask for the details of how their models work, you are often met with a wall of intellectual property concerns. "Trust us, it works" is not a valid basis for a compliance strategy.

Your due diligence process needs to be able to cut through the marketing hype and get to the heart of the matter: does this vendor's technology align with your regulatory obligations under the SM&CR and the Consumer Duty?

A Framework for Rigorous AI Vendor Due Diligence

Your due diligence process needs to be a deep dive into the vendor's technology, their governance, and their culture. It should be structured around the following key areas:

For each due diligence area, these are the key questions to ask your vendor:

1. Model Explainability & Transparency
  • Can you provide us with a clear, non-technical explanation of how your model works?
  • What are the key features that drive its decisions?
  • What are the known limitations and failure modes of the model?
  • Can we test the model with our own data in a sandbox environment?

2. Data Governance & Bias Mitigation
  • What data was your model trained on?
  • How do you ensure the data is accurate, complete, and representative?
  • What steps have you taken to identify and mitigate bias in your training data and your model's outputs?
  • Can you provide us with the results of your bias testing?

3. Performance & Robustness
  • How do you monitor the performance of your model in a live environment?
  • What is your process for retraining and updating the model?
  • How do you protect the model against adversarial attacks and data poisoning?
  • What are your uptime and reliability SLAs?

4. Security & Confidentiality
  • How will our data be segregated and protected?
  • What are your data encryption standards, both in transit and at rest?
  • What is your incident response plan in the event of a data breach?
  • Have you conducted third-party penetration testing of your systems?

5. Regulatory Compliance & Governance
  • How does your technology help us meet our obligations under the Consumer Duty?
  • What is your own internal AI governance framework?
  • Who is the senior individual in your organisation responsible for AI ethics and safety?
  • How will you support us in the event of a regulatory inquiry?

6. Contractual Liability
  • Does your contract clearly define the roles and responsibilities of each party?
  • What are the liability clauses in the event of a model failure or a data breach?
  • What are the exit terms, and how can we ensure a smooth transition if we choose to switch vendors?

Red Flags to Watch Out For

During your due diligence process, there are several red flags that should give you serious pause:

  • A refusal to discuss the details of their model, citing "intellectual property." While you do not need to know the secret sauce, you do need to understand the ingredients.
  • A lack of diversity in their data science and engineering teams. This is a significant indicator of a higher risk of algorithmic bias.
  • Vague or evasive answers to your questions about bias, fairness, and ethics.
  • A contract that is heavily weighted in their favour, with limited liability for them and significant indemnity clauses for you.

The Bottom Line: Due Diligence is a Senior Manager Responsibility

Conducting this level of due diligence is not a task that can be delegated to your procurement team. It requires the active involvement of senior managers from across the business, including risk, compliance, IT, and the relevant business line.

Under the SM&CR, you are responsible for the third-party services used in your area of responsibility. This means you need to be able to demonstrate to the FCA that you have personally engaged with the due diligence process and that you are satisfied that the vendor's technology is safe, effective, and compliant.

If you are just signing off on the procurement team's recommendation without asking these tough questions, you are not just failing to conduct adequate due diligence; you are failing in your duty as a senior manager.
