R. Raphael and Sons plc (Raphaels) has been fined £1.9 million by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) for failing to manage its outsourcing arrangements adequately. The FCA and the PRA are currently paying close attention to "operational resilience" in outsourcing arrangements, due to a number of significant technology outages in the financial services sector in recent years. The fine follows the publication of the new EBA Guidelines on Outsourcing earlier this year, which apply from 30 September 2019. This is an issue that financial services firms should pay close attention to, in both new and existing outsourcing arrangements.
Raphaels is a small retail bank offering financial services, including prepaid card and charge card programmes in the UK and Europe. These card services are provided with the assistance of a third party card processor. This third-party processor carries out services that are critical to the operation of the card programme (e.g. authorising and processing card transactions).
The third-party processor suffered an incident on Christmas Eve 2015, following a technology malfunction. The incident had widespread impact, with the third-party not being able to provide authorisation and processing services for more than eight hours. During this period, 3,367 customers were unable to use their prepaid cards and charge cards and, in total, the card processor was unable to authorise 5,356 card transactions at ATM machines, point of sale terminals and online.
The FCA and the PRA noted that the outsourcing agreement between Raphaels and the third party was not fit for purpose. For instance, Raphaels did not have adequate processes in place to understand how its card programmes would be supported on the occurrence of a "disruptive event". The FCA also criticised the inadequate oversight and governance of its outsourcing arrangements.
"Raphaels' systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience. There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers."
Sam Woods, Deputy Governor for Prudential Regulation and Chief Executive Officer of the PRA, stated:
"Firms' ability to manage outsourcing of any critical activities is a vital part of maintaining their safety and soundness. Such outsourcing is an important part of a firm's operational resilience, and particularly so in the case of Raphaels given the level of reliance on outsourcing in its business model."
As a result, both regulators found Raphaels had failed to manage its outsourcing arrangements appropriately. They identified a number of contraventions of the financial regulations and found the firm had breached the:
- FCA Principles for Business 2 (due skill, care and diligence) and 3 (systems and controls) and provisions of Chapter 8 of the FCA's Senior Management Arrangements, Systems and Controls Sourcebook (SYSC 8); and
- Fundamental Rules 2 (due skill, care and diligence), 5 (effective risk strategies and risk management) and 6 (systems and controls) of the PRA Rulebook.
As a consequence of these failings, Raphaels was fined £775,100 by the FCA and £1,112,152 by the PRA (a combined fine of £1,887,252). Raphaels agreed to resolve its failings and therefore qualified for a 30 per cent reduction in the fines imposed by both regulators. Without this discount, the combined fine imposed by the FCA and the PRA would have been £2,709,574.
The fine reflects an increasing regulatory focus on "operational resilience" in outsourcing. There are four key points to note:
- BCDR assessment: Financial services firms must ensure that, if functions that are critical or important are outsourced, thorough due diligence is conducted both prior to engaging the service provider and during the term of the agreement. It is particularly important to assess the adequacy of the service provider's business continuity and disaster recovery (BCDR) arrangements. To minimise the length of outages, the BCDR plan should specify a time period within which systems should be recovered (i.e. include an appropriate recovery point objective (RPO) and recovery time objective (RTO)). The regulators also criticised the inadequate disaster recovery testing processes. This meant that no contingency plans were in place to deal with a major IT incident. Had Raphaels assessed the BCDR arrangements, then it is possible that it would have found them to be inadequate and required changes, or chosen a different service provider. The outage that led to the fine could then have been avoided.
- Service level agreements: One of the SYSC 8 requirements is the need to establish methods for assessing the standard of performance of the service provider. Both the FCA and the PRA criticised Raphaels for not having adequate service levels in its agreement. Service levels are important not only for specifying the acceptable performance of the service provider but also for providing a process for regularly and comprehensively monitoring such performance. This is particularly relevant where the firm's own outsourcing policy requires appropriate service levels to be in place, as was the case here.
- Governance: Firms cannot fully transfer the responsibility for an IT incident to an outsourced service provider. Firms must appropriately manage the risk of outsourcing through their policies and procedures. It is insufficient for a firm's outsourcing policy to merely recite the regulatory obligations. The policy must provide practical guidance to staff on how to apply these requirements and appropriate training should be provided. It is especially important that financial services firms provide guidance on how to identify critical outsourced services, including how they could be distinguished from non-critical services. In addition, both the Board and Executive Committee of a financial services firm play important roles in managing the risk of an outsourcing agreement. It is critical that these bodies are consulted in relation to specific outsourcing risks and tolerance levels to ensure that appropriate risk controls are in place.
- Outsourcing a regulatory priority: "Operational resilience" is a subject that the FCA and the PRA are likely to continue to pay close attention to and outsourcing and technology arrangements will be a key focus area. In its 2018/19 Business Plan, the FCA highlighted "assessing the risks of outsourcing and third-party providers" as one of its priorities. The FCA and the PRA published a discussion paper on "operational resilience" in July 2018 and are expected to publish a consultation paper on this subject later this year. This will provide further guidance on outsourcing agreements. This follows the publication of the EBA Guidelines on Outsourcing in February 2019, which apply from 30 September 2019. This regulatory focus should not dissuade financial firms from outsourcing. Rather, firms should assess the adequacy of their current outsourcing agreements and take the steps required to ensure appropriate policies and procedures are in place in respect of future outsourcing agreements.