REFERENCE · §8 · LAST REVIEWED 2026-04-27

ACF §8 — Third-Party Risk

Third-party risk in agent stacks covers every outbound capability the agent invokes during the course of regulated activity — KYC providers, sanctions lists, transaction-monitoring vendors, custodians, payment rails — assessed for availability, data-handling, and counterparty obligations under the firm’s applicable rules.

Distinct from vendor due diligence (§5), which assesses the upstream agent stack itself, this section assesses what the agent calls during execution. An agent-mediated KYC review may invoke a KYC vendor, a sanctions screen, an internal customer record, and a regulator notification API — each subject to data-handling, availability, and counterparty obligations. Maps to FCA SYSC 8, DORA Art. 28-44, MiCA Art. 81 outsourcing.

Regulatory anchors

• FCA SYSC 8
• DORA Art. 28-44
• MiCA Art. 81
• EBA Outsourcing GL
• GDPR Art. 28

What this covers

• Outbound capability inventory per agent class
• Data-handling obligations on outbound payloads
• Availability monitoring on critical outbound calls
• Counterparty contractual posture for agent-driven invocation
• Concentration risk across outbound capabilities

Common gaps

• No inventory of what the agent calls outbound during a session
• Outbound payloads include data the firm has not consented vendor to receive
• Availability of critical outbound dependencies unmonitored
• Vendor contracts pre-date AI use; do not address agent-driven invocation

Related sections

• §5 — Vendor Due Diligence

  Foundation model providers, MCP servers, tool authors — third-party risk for the agent stack.

• §10 — Data Governance

  Training data, prompt caching, retention, and the regulator-facing posture for each.

• §11 — Sanctions & Screening

  Real-time vs. batch screening for agent-mediated transactions.

• §7 — Operational Resilience

  What happens when the agent goes down mid-transaction.

Reference compiled by Sebastian Heine. Editorial perspective at The SHeine Brief.