The Financial Conduct Authority (FCA) has published a document setting out a number of considerations for firms who are thinking of using third-party technology or off-the-shelf banking solutions. Our experts, recently awarded European Outsourcing Advisory of the Year 2014 by the European Outsourcing Association, set out below what this means for UK firms.
A UK firm has many choices when designing its operating model and setting its IT strategy: the market for third parties providing technology services to regulated firms is growing rapidly. The regulators (the FCA and the PRA) appreciate that the outsourcing of technology services, and indeed outsourcing more generally, can bring significant benefits to authorised firms and their customers. However, they also take the view that outsourcing gives rise to certain regulatory concerns: a firm will invariably have reduced control over the outsourced activity; the ability of the regulators to exercise their supervisory powers may be impaired; and the regulators may need to assess the suitability of the service provider and key members of its staff.
FCA’s considerations document
To address these concerns, the FCA has published guidance to firms in recent years (such as its "Dear CEO" letter of December 2012 outlining its concerns about asset managers' outsourcing arrangements) and carried out a thematic review of outsourcing in the asset management industry in November 2013.
The FCA’s latest guidance document sets out a non-exhaustive list of considerations for firms deciding whether to outsource critical technology services to a third party. The document notes that the overarching aim of the relevant regulatory obligations is to ensure that a firm appropriately manages the operational risk associated with its use of third parties, and that its arrangements with third parties do not impair the regulator’s ability to regulate the firm. The FCA identifies the following areas for firms to consider:
- the rationale behind the decision to outsource critical technology services;
- the process relating to the selection of an outsource service provider (OSP);
- the oversight and governance of the OSP;
- the operational aspects of the arrangements;
- service protection, including security measures; and
- certain data protection issues.
Implications for firms and third parties
The document states that a firm must demonstrate, from a business operating model perspective, that it meets the FCA’s threshold conditions described in COND 2.4 and 2.5 (Appropriate Resources and Suitability respectively).
Where a third party is used for the delivery of critical banking services, the outsourcing must also be SYSC compliant (i.e. a firm must be able to demonstrate compliance with the general outsourcing requirements of SYSC 8.1). It is also made explicit that a firm cannot delegate its regulatory responsibilities (and accountability) to a third party.
The document further sets out, in practical terms, what the FCA in its supervisory capacity requires from firms:
- at the time of authorisation, a firm’s regulated activities must be supported by IT services which are effective, resilient and secure, and which have been appropriately designed to meet expected future, as well as current, business needs so as to avoid risks to the FCA's objectives;
- the firm must have undertaken sufficient preparatory work to provide reasonable assurance that each OSP will deliver its services effectively, resiliently and securely; and
- the firm must have established appropriate arrangements for the ongoing oversight of its OSPs and the management of any associated risks, such that the firm continues to meet all of its regulatory requirements.
The FCA published its document as part of its wider review of requirements for firms entering into or expanding in the banking sector.
The non-exhaustive list of issues that a firm should consider, and demonstrate that it has taken into account, when procuring third-party technology represents a helpful checklist of matters that most customers (regulated or not) should have in mind before going to market for this type of solution. Although the use of cloud technology is not specifically referred to, a number of the issues are particularly pertinent where a firm relies on technology hosted by a third party: for example, whether data can easily be extracted from the service provider's systems, and the risk arising from multiple customers sharing the same infrastructure (multi-tenancy).