Third-Party Payment Failures Aren’t Just Glitches
Banks and other financial institutions increasingly use third-party vendors. Rising costs, regulatory requirements and other forces drive such trends. But there are points of vulnerability. This article examines the territory.
When there are problems with third-party services – a highly relevant wealth management topic in this era of outsourcing – it is clearly a serious matter requiring a careful response. Exploring this topic is Roman Eloshvili, founder and CEO of XData Group, a B2B software development company developing solutions for banks and fintechs. The firm was founded in 2022 and is based in Tallinn, Estonia.
The editors are pleased to share these views; the usual editorial disclaimers apply to views of guest writers. If you wish to enter the conversation, please do so: email tom.burroughes@wealthbriefing.com and amanda.cheesley@clearviewpublishing.com.
Roman Eloshvili
Throughout 2025, payment freezes and outages have been hitting
the financial industry, and each one has only increased exposure
to a structural problem. Namely, the growing dependence of
banks and financial institutions on third-party vendors.
While most high-profile publicised cases concerned retail and
mass-market platforms – such as the incidents with
Capital One in January or PayPal in October – the underlying
issue here is just as relevant for private markets and wealth
management firms.
Private banking operates on a whole different level of user
expectations. Ultra-high net worth clients expect seamless
execution, immediate access to their portfolios, and absolute
confidence that everything will function without
interruption.
Even a short delay in settlements can damage client
relationships, yet the infrastructure supporting these services
is increasingly placed outside the direct control of these
platforms. Rising vendor concentration, limited visibility, and
slow incident response times are all pressing matters that
need to be addressed.
The reality of private banking exposure
Over the past decade or so, private banks have rapidly expanded
their digital capabilities, integrating external processors, data
providers, specialised reporting tools, and more. This shift has
enabled better service, but it has also created hidden
operational blind spots.
The wealth management industry is increasingly reliant on a small
number of third-party providers, which leaves them vulnerable. A
failure in just one of those intermediaries can create major
delays in operations.
According to data from the UK’s Treasury Committee, nine of
the country’s largest banks suffered over 150 IT failures between
2023 and 2025, resulting in 800+ hours of total downtime.
Moreover, a survey among the banks themselves revealed that an
average outage cost banks around £600,000 per hour. Put these two
figures together, and we get roughly $480 million in losses – and
that’s just for the UK alone. The longer this problem persists,
the higher the costs will become.
Here’s another example: on 20 October, a global outage at Amazon
Web Services caused widespread disruption across multiple
industries, including banking, once again demonstrating how
issues with cloud vendors can ripple through financial services.
It has been argued that such events can easily cost Wall Street
firms hundreds of billions in halted operations.
It’s high time we acknowledged that “outage cases” are not merely
a technical concern – they are a gap in governance practices.
And it has become a recurring problem.
A growing vulnerability
For years, banks and payment platforms have suffered from too
much exposure to third-party risks, outsourcing critical payment
rails and parts of their infrastructure while retaining minimal
control over them. They cannot monitor vendors in real time and
often don’t even understand particularly well what they
do.
They have built a payments ecosystem that they can’t see clearly,
nor can they manage the risks that come with that dependency. And
when a vendor stalls for whatever reason, customers don’t blame
the vendor; they blame the bank – the party they’re directly
interacting with.
The industry can’t – and should not – shrug this off as
something unfortunate but inevitable. It’s a serious structural
weakness: a single breakdown with a vendor can ripple across
countless other platforms and millions of users.
Client expectations leave no margin for errors
We have already seen how such a setup plays out in practice. A
failure at one node can cascade and paralyse entire segments of
users. What is even worse is that banks often learn about a
problem not through updates from vendors, but because people
start writing negative comments on social media, blaming them for
the situation.
But unlike mass-market platforms, private banking clients expect
immediate explanations. A delayed trade confirmation or a missing
portfolio update can’t just be dismissed as a simple “IT
inconvenience” – it is unplanned risk exposure, and if
managers can’t advise their clients through such situations, you
can’t expect those clients to simply wait patiently.
A failure on the technical front easily translates into
reputational threats, as customers may question the firm’s
reliability, damaging relationships and long-term trust. And as
any banker knows, in financial markets, trust is everything.
We need a shift in mindset
No system is perfect, that’s true. But when providers struggle to
respond to problems with the speed and transparency
needed of them, we go well beyond technology problems. Despite
functioning as critically important infrastructure, these parties
operate with limited oversight and accountability. This is a
clear signal that many third-party providers are still not
prepared to act as de facto financial rails, even though that’s
what they have effectively become.
Meanwhile, on the side of banks, the problem of accountability
also has its own way of manifesting. Many institutions still rely
on limited checklists, vendors’ own reports, and annual audits
when it comes to due diligence. That is simply not enough. Those
are essentially snapshots that show a picture at any one given
moment but then become outdated very quickly.
The payments infrastructure is highly dynamic, changing daily, if
not hourly, and to monitor it effectively, you need
real-time data. Without real-time systems in place, checking for
overall health signals and incident alerts on the vendor’s side,
banks are always on the back foot: unable to react in time,
assess the scope of their own risks, or communicate the situation
properly to their clients.
And with vendor concentration increasing and more institutions
relying on fewer infrastructure providers, a disruption in just
one provider can create a point of failure that will affect an
even larger portion of the market in a single hit.
In other words, the risks are growing. And the playbook to manage
them needs to change, quickly. Banks need to reassert their role
as reliable and trustworthy entities in the financial system,
rather than passive observers. Outsourcing parts of their
infrastructure to vendors does not mean outsourcing
responsibility – they are still fully accountable for their
customers’ trust.
Banks need to start thinking less like clients of vendors, and
more like regulators. To protect their own reputation and the
clients who rely on them, they need to apply a greater level of
scrutiny and hold their counterparties to higher standards.
Vendor oversight must become a dynamic risk management
discipline, with real visibility into their systems, so that
banks have a degree of control in how they can respond when
something happens.
At the same time, if vendor failures can impact millions of
users, then it is only natural that these parties be subject to
the same expectations of resilience that the market already
places on the institutions these parties support. Regular stress
tests and transparent practices must become key elements of their
work ethic.
Without industry-level pressure, third-party providers have
little incentive to improve and build more robust systems. That
outlook must change – and banks must play the core role in
changing it.