The New Joint Standard on Third-Party Supervision: What Regulated Entities Need to Know

Regulators have tightened their expectations around how financial institutions manage outsourced service providers, cloud vendors, fintech partners, and external contractors. The recently issued Joint Standard on Outsourcing and Third-Party Risk now formalises the Third-Party Supervision Requirements that all regulated entities must meet to ensure operational resilience, customer protection, and regulatory accountability.

In this blog, we unpack what the Joint Standard means, why it matters, and how organisations can start embedding the Third-Party Supervision Requirements into their governance frameworks.


Why Third-Party Supervision Matters More Than Ever

Financial institutions today operate within interconnected digital ecosystems. Core functions such as onboarding, data hosting, payments, AML screening, cybersecurity, and cloud services often rely on external providers. This increases exposure to:

  • Cyber breaches
  • Data loss
  • Operational downtime
  • Compliance failures
  • Customer harm
  • Reputational damage

The Joint Standard responds to these risks by establishing strict Third-Party Supervision Requirements that ensure regulated entities retain full accountability, even when activities are outsourced.


Key Elements of the Joint Standard

1. A Risk-Based Approach to All Third-Party Relationships

Institutions must classify, assess, and monitor the risk level of each third-party provider. The Third-Party Supervision Requirements emphasise proportional oversight — meaning high-risk or material outsourcing must be governed with stronger controls, enhanced due diligence, and structured reporting.


2. Strengthened Governance and Board Accountability

Boards and executive committees must demonstrate:

  • Clear oversight of outsourcing activities
  • Accountability for third-party risk
  • Regular monitoring of performance and resilience
  • Reporting mechanisms aligned to the Third-Party Supervision Requirements

You can outsource the function — but never the responsibility.


3. Comprehensive Pre-Contract Due Diligence

No outsourcing arrangement may be initiated without rigorous due diligence, covering:

  • Cybersecurity
  • Data protection
  • Operational resilience
  • Subcontracting layers
  • Compliance history
  • Financial stability

This forms a critical part of the Third-Party Supervision Requirements to prevent blind reliance on vendors.


4. Robust Contract Management

Contracts must clearly outline:

  • Roles and responsibilities
  • SLAs and KPIs
  • Data handling obligations
  • Termination and exit rights
  • Audit and inspection rights

Regulators expect contracts to directly reflect the Third-Party Supervision Requirements.


5. Ongoing Monitoring and Assurance

Outsourcing oversight is not a once-off process — it must be continuous. This includes reviewing performance, auditing controls, monitoring incidents, validating cybersecurity posture, and assessing compliance. The Joint Standard requires institutions to show real evidence of meeting the Third-Party Supervision Requirements, not simply documentation.


How Organisations Can Prepare

To meet the Third-Party Supervision Requirements, institutions should begin by:

✔ Conducting a comprehensive TPRM gap assessment

✔ Building or uplifting their third-party risk frameworks

✔ Enhancing due diligence and contracting processes

✔ Implementing ongoing monitoring and vendor scorecards

✔ Strengthening technology, cyber, and data oversight

✔ Training teams on regulatory expectations

Early preparation reduces future remediation costs, strengthens resilience, and builds trust with regulators.


How Navigate Can Support You

Navigate helps regulated entities implement the Third-Party Supervision Requirements with end-to-end support across:

  • Third-party risk assessment & gap analysis
  • Policy and framework development
  • Outsourcing register & risk classification methodology
  • Contract review and SLA uplift
  • Data governance & cybersecurity alignment
  • Vendor monitoring dashboards
  • Board & Exco training
  • Full programme and project management for regulatory rollout

Strengthen Your Third-Party Supervision with Navigate

Navigate is a licensed FSCA compliance practice, QCTO-accredited training provider, and specialist project management & resourcing firm.
We help regulated organisations build resilient, compliant, and future-ready ecosystems.

📩 info@navcompliance.co.za
🌐 https://www.navigatecompliance.io

Navigate isn’t for everyone.
We are built for institutions who see compliance not as a constraint, but as a competitive advantage.