When the Chain Breaks: Operational Resilience and the Third-Party Dependency Problem in APAC

The assumption that critical business services can always be sustained through outsourced relationships is being tested, and APAC is where the fault lines are most exposed.


The Resilience Illusion

For much of the past two decades, financial institutions across the Asia-Pacific region have pursued an outsourcing model premised on efficiency, scalability, and cost optimisation. Core banking platforms, payments infrastructure, data processing, cloud hosting, and customer-facing technology have increasingly been delegated to a web of third-party providers: global hyperscalers, regional fintechs, managed service firms, and specialist vendors. The implicit assumption embedded in this model is that resilience can be purchased: that by contracting with well-resourced, systemically capable providers, a firm effectively inherits their continuity posture.

That assumption deserves serious scrutiny.

Operational resilience, as it has evolved in regulatory thinking and industry practice, is not simply about recovering from disruption. It is about ensuring that essential business services can continue to be delivered, to the customers and counterparties that depend on them, even when things go wrong. The critical distinction is that resilience is an outcome, not a property of any single entity. And when the delivery of essential services depends on third-party relationships, that outcome is no longer entirely within a firm's control.

In APAC, the complexity of this problem is uniquely acute.


A Region of Concentrated Dependencies

APAC is not a monolith. It is a mosaic of jurisdictions: Singapore, Hong Kong, Australia, Japan, India, and beyond, each with its own regulatory architecture, market structure, and risk topology. Yet beneath this diversity lies a striking concentration: a small number of global technology providers underpin an enormous share of the region's financial services infrastructure.

The hyperscaler market in APAC, dominated by a handful of US and Chinese providers, represents a concentration risk of the first order. When a single cloud provider experiences a regional outage, the ripple effects can cascade across dozens of institutions simultaneously, each individually compliant with its own business continuity obligations, yet collectively exposed to the same point of failure. The 2023 outage affecting a major cloud provider's Asia-Pacific nodes offered a preview of what systemic third-party failure looks like in practice: widespread, simultaneous, and not resolved by invoking contractual SLAs, which compensate for downtime after the fact but do nothing to restore service while it is unavailable.

But cloud is only the most visible layer. Payments messaging networks, market data vendors, KYC and sanctions screening utilities, and core banking platforms present the same structure: essential services, delivered by third parties, with limited substitutability and long dependency chains that few firms have fully mapped.

The question that regulators are increasingly asking, and that boards should be asking, is not whether any individual firm has a business continuity plan. It is whether essential services would actually continue to be delivered if a critical third party failed.


Regulatory Frameworks: Convergence and Divergence

Across APAC, regulators have moved with notable urgency to close the gap between outsourcing oversight and genuine resilience assurance. Yet the frameworks they have built reflect both common concerns and meaningful divergences that create compliance complexity for firms operating across multiple jurisdictions.

The Monetary Authority of Singapore's Guidelines on Outsourcing and Technology Risk Management Guidelines set a high bar: firms must identify critical outsourced services, conduct due diligence on providers, and, critically, maintain the ability to exit or substitute arrangements without unacceptable disruption to essential services. The HKMA's Supervisory Policy Manual (module SA-2 on outsourcing) similarly requires that outsourcing not impair a firm's ability to meet its regulatory obligations or deliver services to customers. APRA's CPS 230 (Operational Risk Management), finalised in 2023 and in force from 1 July 2025, represents perhaps the most comprehensive articulation of the principle in the region: critical operations must be subject to business continuity testing that covers material service providers, and firms must be able to demonstrate they could manage a provider failure without breaching the tolerance levels they have set for those operations.

The common thread is clear: regulators are no longer satisfied with contractual protections and audit rights. They want evidence of actual resilience, the capacity to sustain delivery when the contract cannot be relied upon.

What diverges is the definition of materiality, the scope of testing requirements, the treatment of intragroup arrangements, and the expectations around sub-contractor visibility. For a regional bank operating across Singapore, Hong Kong, and Australia, navigating these differences while maintaining a coherent group-level resilience posture is a non-trivial challenge. The risk is not merely compliance failure; it is that firms optimise for the most prescriptive individual framework while missing the cross-jurisdictional dependencies that no single regulator has full visibility of.


The Geopolitical Dimension: The Risk That Isn't in the Contract

If regulatory fragmentation is the known complexity, geopolitical risk is the underappreciated one.

APAC sits at the intersection of the world's most consequential geopolitical fault lines. The Taiwan Strait, the South China Sea, the technological decoupling between the United States and China, and the growing assertion of data sovereignty laws across the region all have direct operational implications for firms whose third-party relationships span these divides.

Consider the data localisation trend. Jurisdictions across APAC (India, Indonesia, Vietnam and China among them) have enacted or are enacting requirements that restrict cross-border data flows and mandate local storage or processing. For firms relying on regionally centralised cloud infrastructure, or whose third-party providers aggregate and process data across jurisdictions, compliance with these requirements is not a legal formality. It is a fundamental architectural question: can your critical services actually be delivered within the jurisdictional constraints that are now legally required?

More acute still is a scenario that is increasingly discussed in risk management circles but not yet widely stress-tested: a technology provider caught in the crossfire of geopolitical sanctions or export controls. If a firm's core infrastructure depends on software, hardware, or services that become subject to US or Chinese export restrictions, the continuity of essential services cannot be guaranteed by contract. The counterparty may simply be unable to perform.

How many firms have genuinely war-gamed this scenario? How many have assessed which of their critical third-party relationships carry geopolitical exposure, and what the substitution pathway looks like if that exposure crystallises?


The Visibility Problem

Underlying all of these issues is a more fundamental problem: most firms do not have adequate visibility into their third-party dependency landscape.

Concentration risk cannot be managed if it cannot be seen. A firm may have assessed each of its tier-one providers individually and found them satisfactory. But if five of those providers all rely on the same underlying infrastructure, or the same sub-contractor, or the same data centre operator, the firm has effectively assumed the same risk five times over, without knowing it.

Sub-contractor chains in APAC are particularly opaque. The region's technology supply chain involves layers of regional system integrators, local managed service providers, and specialist vendors whose own dependencies are rarely disclosed and almost never tested. The contractual right to audit a sub-contractor is not the same as actually understanding what that sub-contractor does, who it depends on, and what would happen if it failed.
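The two preceding paragraphs describe a structural problem that only becomes visible once dependencies are recorded as a graph rather than as a list of contracts: a sub-dependency shared by several tier-one providers is invisible to a provider-by-provider review. The following script is an added illustration, not code from the original article or from any vendor or regulator. It builds a small, constructed dependency inventory (placeholder names, not real providers, regions or data centre operators), walks it transitively, reports which fourth-party nodes are shared across tier-one providers, and simulates the failure of any node to show which essential services would stop.

```python
"""Map transitive third-party dependencies and surface hidden concentration.

Assumptions (illustrative only): the inventory below is constructed for this
example; node names are placeholders, not real vendors, cloud regions or
data centre operators.
"""
from collections import defaultdict

# Constructed sample inventory. Each key depends on every node in its list
# ("cannot deliver without"). Essential services sit at the top; their direct
# dependencies are the tier-one providers the firm contracts with; everything
# below that is the fourth-party layer a per-contract review rarely sees.
DEPENDENCIES = {
    "payments": ["payments-hub-vendor", "sanctions-screening-vendor"],
    "retail-banking": ["core-banking-saas", "kyc-utility"],
    "payments-hub-vendor": ["cloud-region-A", "msp-sg"],
    "sanctions-screening-vendor": ["cloud-region-A"],
    "core-banking-saas": ["msp-sg"],
    "kyc-utility": ["cloud-region-B"],
    "msp-sg": ["datacentre-op-X"],
    "cloud-region-A": ["datacentre-op-X"],
    "cloud-region-B": [],
    "datacentre-op-X": [],
}
ESSENTIAL_SERVICES = ("payments", "retail-banking")


def transitive_dependencies(node, graph=DEPENDENCIES):
    """Every node reachable from `node` along 'depends on' edges (node itself
    excluded). Iterative DFS with a visited set, so a mis-declared cycle in a
    real inventory cannot hang the walk."""
    seen, stack = set(), list(graph.get(node, []))
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(graph.get(dep, []))
    return seen


def tier_one_providers(services=ESSENTIAL_SERVICES, graph=DEPENDENCIES):
    """Providers the firm contracts with directly for an essential service."""
    return {p for s in services for p in graph.get(s, [])}


def fan_in(services=ESSENTIAL_SERVICES, graph=DEPENDENCIES):
    """For each underlying node, the tier-one providers and the essential
    services that transitively depend on it: {node: (providers, services)}."""
    providers, affected = defaultdict(set), defaultdict(set)
    for service in services:
        for provider in graph.get(service, []):
            for dep in transitive_dependencies(provider, graph):
                providers[dep].add(provider)
                affected[dep].add(service)
    return {n: (frozenset(providers[n]), frozenset(affected[n])) for n in providers}


def hidden_concentrations(services=ESSENTIAL_SERVICES, graph=DEPENDENCIES, threshold=2):
    """Nodes the firm holds no direct contract with, yet at least `threshold`
    tier-one providers share: the same risk assumed several times over."""
    direct = tier_one_providers(services, graph)
    return {
        node: (provs, svcs)
        for node, (provs, svcs) in fan_in(services, graph).items()
        if node not in direct and len(provs) >= threshold
    }


def simulate_failure(failed, services=ESSENTIAL_SERVICES, graph=DEPENDENCIES):
    """Essential services that stop being delivered if `failed` is unavailable."""
    return {s for s in services if failed in transitive_dependencies(s, graph)}


if __name__ == "__main__":
    print("Hidden concentrations (fourth parties shared by >= 2 tier-one providers):")
    for node, (provs, svcs) in sorted(hidden_concentrations().items()):
        print(f"  {node}: providers={sorted(provs)} services={sorted(svcs)}")
    for node in ("datacentre-op-X", "cloud-region-B"):
        print(f"If {node} fails, services lost: {sorted(simulate_failure(node))}")
```

Each tier-one provider in the sample passes an individual review, yet the report shows that three of the four sit on the same data centre operator, so its failure takes out both essential services at once. In practice the inventory is populated from contract registers and providers' own sub-contractor disclosures; the nodes that appear in the report but in no contract are exactly the ones the text says are rarely disclosed and almost never tested.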

This is the question that regulators, boards, and risk committees should be pressing: not whether the contract contains the right clauses, but whether the firm genuinely understands the topology of its essential service delivery, end to end, including the parts it does not directly control.


The Uncomfortable Reckoning

Operational resilience in the context of third-party relationships ultimately forces a reckoning with a tension that has been papered over for years: the efficiency gains of outsourcing and the resilience requirements of essential service delivery are not always compatible.

Concentration in third-party markets creates systemic risk that individual firms cannot resolve through their own governance frameworks. Geopolitical exposure creates contingencies that no contractual structure can fully hedge. Regulatory fragmentation creates compliance demands that cannot be met by treating each jurisdiction in isolation.

None of this means that the outsourcing model is broken. But it does mean that the model requires a fundamentally different approach to risk management, one that treats third-party dependencies not as a procurement and compliance matter, but as a core question of institutional resilience strategy.

Whether the industry, and the regulators overseeing it, are moving fast enough to close that gap is the open question that the next disruption will answer.


This article was prepared for oprisk.ai. The views expressed are analytical and intended to stimulate discussion among risk management professionals.

The views expressed in this article are those of the author in his personal capacity and do not represent the views or positions of TD Bank Group or any of its affiliates.