The importance the financial regulators place on effective oversight and management of outsourcing arrangements has been highlighted by both the PRA and the FCA in the fines they have imposed totalling £1,887,252 on R.Raphael & Sons plc (the “Bank”) for failing to manage its outsourcing arrangements properly.
Effective management of outsourced functions has been a key priority for the UK regulators for a number of years as firms increasingly rely on outsourced services for critical operational functions (see "Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions" July 2014, and the FCA finalised guidance for firms outsourcing to the cloud and other third-party IT services (FG16/5 updated July 2018)). Most recently both regulators stressed the importance effective management of outsourced activities has on ensuring operational resilience in their joint discussion paper (BoE/PRA DP01/18 / FCA DP18/04) which introduced the concept of setting impact tolerances for key business services to define the amount of disruption that could be tolerated. This paper reminds Boards and senior management that they should assume that individual systems and processes that support business services will be disrupted, and increase the focus on back-up plans, responses and recovery options which should extend to those of the outsourced providers. This enforcement action shows how this risk crystallised and serves as a timely reminder to firms of the steps they need to take.
The enforcement action against the Bank
The Bank issued prepaid cards and charge cards in the UK and Europe and contracted with outsourced service providers to provide services critical for the performance of its payment services division. These included the management of the Bank’s Card Programmes by Card Programme Managers (an outsourced third party) and the authorisation of payment transaction requests from Card Payment Systems on behalf of the Bank.
A technology incident took place on 24 December 2015 at a Card Processor resulting in the complete failure of all services it provided to the Bank for three Card Programmes. No effective disaster recovery or business continuity arrangements were put in place. This failure lasted over eight hours, 3,367 of the Firm’s customers were unable to use their prepaid cards and charge cards during this time on Christmas Eve. In total, the Card Processor could not authorise 5,356 customer card transactions attempted at point of sale terminals, ATM machines and online (worth an aggregated value of £558,400). This also prevented customers from viewing their card balances online.
The regulators having carried out a joint investigation found that the cause and duration of this incident reflected shortcomings in the Bank’s understanding of the business continuity and disaster recovery arrangements of the Card Processor. The Bank had no adequate processes for capturing and assessing information regarding these arrangements, particularly how they would support the continued operation of the Card Programmes during a disruptive event. The absence of any adequate processes for capturing and assessing information about the Card Processor’s business continuity and disaster recovery arrangements exposed the Bank and its customers to a serious risk of harm.
The specific failings
In particular the Regulators found that:
- The Bank’s board articulated the risks and tolerance levels the Bank was willing to accept through its Board Risk Appetite and Tolerance Statement and the Bank’s business divisions produced Divisional Risk Appetite and Tolerance Statements. However, these statements failed to adequately record the appetite for and tolerance levels in relation to its use of outsourcing of critical services. This prevented the Bank from being able to determine when its use of outsourcing exceeded the level of risk it was able to tolerate.
- The Bank’s outsourcing policy offered no guidance to staff on how to identify critical outsourced services. This meant that contractual arrangements with Card Programme Managers failed to include appropriate service level agreements. The arrangements in place with the Card Processors and Card Programme Managers were not in line with the Bank’s own requirements.
- The Bank and the payment services division’s business continuity plan failed to address business continuity in relation to outsourced activities. Its business continuity and disaster recovery planning focussed only on services performed directly by the Bank notwithstanding its heavy reliance on outsourced services and the interdependence between those services and the services it performed and its ultimate responsibility for the effective provision of outsourced services.
- The Bank’s processes for initial due diligence of Card Programme Managers and Card Processors involved inadequate consideration of their business continuity and disaster recovery plans.
- The Bank did not focus operational reviews on Card Processors, monitor reviews or require them to complete annual due diligence forms. The Bank was dependent on Card Programme Managers who would identify outsourcing risks in relation to the Card Processors. The Bank failed to have any control over the annual due diligence Card Programme Managers carried out.
- The Bank’s monitoring arrangement for the Card Programme Managers did not require it to consider business continuity matters and no guidance was provided to the Bank’s staff for any monitoring review which should consider these matters. Consequently, the business continuity plans of Card Programme Managers were not reviewed against clear requirements of the Bank, creating a risk that they would not align with its requirements. The Bank’s “operational reviews” made inadequate inquiry into the business continuity arrangements of Card Programme Managers and took inadequate account of arrangements at the Card Processor.
- The Bank failed to respond appropriately when an IT incident occurred in April 2014 at the same Card Processor which was later the subject of the IT Incident. If it had adequately investigated the April 2014 incident, it may have been able to remedy the problems in the Card Processor’s business continuity and disaster recovery arrangements that increased the impact of the IT Incident.
As a result of these findings the FCA, in fining the Bank £775,100, determined that the Bank had breached:
- Principle 2 in respect of the failure to respond the earlier IT incident; and
- Principle 3 and SYSC 8.1.1R because its systems and controls failed to enable it properly to identify when it was relying on outsourcers for the performance of critical functions and was unable to ensure it took reasonable steps to avoid undue additional operational risk, and so its risk management systems were inadequate.
The PRA fined the Bank £1,278,165 for breaches of PRA Fundamental Rules 2, 5 and 6 for failing to appropriately and effectively:
- Manage its outsourcing risk;
- Instruct, oversee and monitor its outsourced service providers; and
- Manage, oversee and monitor its business continuity and disaster recovery arrangements.
Both fines took into account that the Bank had previously been fined by the PRA for failing to, among other things, manage and oversee the risks associated with outsourcing important operational functions albeit that the PRA acknowledged that some progress had been made since then. The FCA also highlighted as aggravating factors the fact that its July 2014 paper had raised concerns around arrangements for outsourced service resilience, disaster recovery and business continuity planning (including the need for alignment between such arrangements) and the Bank’s failure to adequately investigate potential customer detriment and offer redress.
What should firms learn from this?
The message to financial services firms is loud and clear and is echoed by both regulators. For the PRA managing outsourcing risks is a prudential issue going to the safety and soundness of firms as well as a conduct issue for the FCA which risks exposing customer to harm. This is of course also emphasised in the recently published EBA Outsourcing Guidelines.
Firms must ensure they manage their outsourcing arrangements effectively with robust oversight and this is particularly important for firms, like the Bank, that place a high level of reliance on outsourcing in their business models. Effective governance of those third party arrangements is key. This is a critical part of ensuring a firm’s operational resilience and its ability to maintain business continuity when faced with disruption. The Regulators expect firms to ensure they set specific risk appetites and tolerances for outsourcing and ensure staff are able to identify the critical outsourced services and put in place appropriate arrangements both at initial selection and for the on-going oversight and monitoring. Clearly, understanding and assessing the business continuity and disaster recovery arrangements of its outsourced service providers is a major part of this.
This case also highlights the importance of learning from previous incidents and taking appropriate remedial steps to respond to address any issues and thereby limit the risks of it happening again. A point which the Regulators also stressed in their recent joint discussion paper. The failure to do this in this case meant that the firm was fined for Principle 2 as well as Principle 3 by FCA.
Finally, the case reminds firms of the importance of ensuring that when disruption does occur and customers suffer loss or inconvenience as a result, that the firm proactively seeks to put that right and provide redress where appropriate. The FCA also took the opportunity to set out its expectations over the treatment of vulnerable customers indicating that where there was a risk of detriment greater steps had to be taken to contact such customers who were likely to be less able to take action to seek redress themselves. In this case while the Bank did help facilitate access to alternate funds for those customers who contacted them, it did not investigate whether other customers, some of which were likely to be vulnerable, may have suffered any loss, inconvenience or distress.
So this case serves as a good reminder to firms to ensure they have considered and reflected all the regulatory requirements and guidance in their outsourcing arrangements and understand the risks and have taken the steps to mitigate them. Disruptions and incidents will still occur and when the Regulators ask questions firms need to be able to show the both the adequacy of the management and oversight of the outsourced activities and the effectiveness of their response to the incident in addressing any customer detriment, restoring business continuity and learning and evolving as a result. Firms cannot lay the blame on their outsourcer. As Mark Steward, the FCA Executive Director of Enforcement and Market Oversight, said in announcing the action “There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers.”