The Bank of England’s 2026 Letter Exposes a Critical Blind Spot for UK Banks
When the Bank of England writes directly to UK deposit-takers, the message is rarely subtle. Its 2026 priorities letter is no exception. While the document spans capital, governance and risk management more broadly, one section stands out for technology, legal and operational resilience teams alike: third-party dependency and preparedness for service failure. In clear terms, the Bank is signaling that assurances from suppliers are no longer sufficient. Firms are expected to understand their full dependency chain, prepare for disruption, and maintain tested, executable contingency and exit plans. For many banks, that expectation exposes a blind spot that has been easy to overlook until now.
From third-party reliance to operational fragility
On page 4 of the letter, the Bank notes that firms are becoming increasingly reliant on a small number of third parties (and those parties’ own suppliers) to deliver important business services. This concentration is not new, but the regulatory tone has shifted. The emphasis is no longer on whether contracts exist or whether suppliers claim resilience. Instead, firms are expected to demonstrate that they can maintain services during disruption, even where a supplier fails, withdraws support, or becomes insolvent. Crucially, the letter makes clear that firms should not rely solely on third-party assurances. Where possible, banks are expected to conduct their own testing and validation to ensure services can be maintained during disruption. That represents a materially higher bar than many existing arrangements were designed to meet.
The stressed exit problem few banks have fully solved
Most banks can point to exit plans on paper. Far fewer can demonstrate how those plans function under real stress. Stressed exit planning is not about an orderly migration over several years. It is about what happens in the interim: the period between a service failing and a replacement being live. This is where many continuity strategies struggle, particularly when software underpins critical services. Replacing a core application, risk platform, trading system or customer-facing service is rarely immediate. In many cases, there is no realistic short-term alternative supplier. Yet the expectation set out in the letter is that services must continue while exit plans are executed. This temporary stage is where the gap between regulatory expectation and practical control becomes most visible.
Concentration risk and the limits of supplier substitution
The Bank of England’s letter explicitly highlights concentration risk arising from increased reliance on a small number of critical third parties and their sub-outsourced providers. In software-driven services, this risk is embedded in how critical systems are built and operated, rather than something that can be quickly fixed. In many cases, there is no genuine short-term substitute for a critical software supplier. Systems may be deeply integrated, highly customised, or dependent on proprietary architectures, cloud configurations, or AI components that cannot be replicated quickly. Even where alternative suppliers exist in theory, switching under stress may be commercially, technically or operationally unrealistic. Concentration risk, in this context, is not simply about vendor count. It is about dependency depth, switching friction, and the time required to regain control if a supplier fails.
How software escrow reduces the impact of concentration risk
Software escrow does not remove concentration risk, nor does it create an alternative supplier. What it does is shrink the operational impact of that risk when disruption occurs. By securing contractual access to the assets required to operate, maintain or transition a system, software and SaaS escrow reduces exposure to a single point of failure. It preserves optionality at the moment it matters most, allowing services to be maintained while longer-term exit or replacement strategies are executed. In practical terms, this can:
- Reduce the duration and severity of disruption following supplier failure
- Support controlled, regulator-aligned stressed exit rather than emergency replacement
- Prevent concentration risk from becoming an immediate continuity crisis