In this article, we review the Financial Conduct Authority’s guidance for firms and views on the use of third parties and consider whether regulated firms are right to invest custody of their reputations with third parties, and if they do so, what controls should be in place.
In all industry sectors, firms will outsource or enter into business arrangements as a means of securing expertise, reducing costs or simply to fill an operational gap. These arrangements, when connected to financial services, can take on a more complicated position. The primary reason is that the use of third parties means that the customer and your services are now entrusted to a third party. Reputation is critical, and many firms in the TMT sector may wish to consider who they entrust their customers to, and what measures are in place not only to protect the interests of the customer, but also to ensure the reputation of their business is not compromised. Within the TMT sector, the provision of products which fall under the jurisdiction of the Financial Conduct Authority (“FCA”) is generally not the primary business activity but rather an important supporting activity to the main trade of the business, albeit one subject to significant regulatory expectations.
Inevitably a firm’s reputation in its market sector is pivotal to its ongoing and future success. Aligned to this is the FCA’s objective to ensure that a customer receives “good outcomes” throughout the whole customer journey, irrespective of the number of firms that are involved in delivery of the product or service. Whilst the FCA’s SYSC requirements regarding outsourcing are well known, the expectations of the FCA have been further clarified through documents such as the RPPD (‘Responsibilities of Providers and Distributors in the Fair Treatment of Customers’).
We have seen a number of firms put in place proportionate arrangements for governance (whether the third party is an FCA-regulated entity or not), and our primary observation is that firms must assess the arrangements in place, as well as the potential for a poor customer outcome if the arrangement did not work as intended.
The objective of the FCA in relation to third parties is enshrined within its handbook:
PRINCIPLE 3: Management and Control - “A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems”
PRINCIPLE 6: Customer Interests – “A firm must pay due regard to the interests of its customers and treat them fairly”
SYSC 310: Systems and Controls
SYSC 8: Outsourcing
SYSC 10: Conflicts of Interest
RPPD: Responsibilities of Providers and Distributors in the fair treatment of customers
So, aside from the general good business practice of needing to protect a firm’s reputation, there are very clear requirements from the FCA in relation to its expectations of firms when they use third parties of any description.
What is the FCA doing?
Aside from general supervisory activity, the FCA has recently conducted a thematic review considering the use of third parties and outsource providers.
The FCA thematic review within the general insurance sector (“Principals and their appointed representatives in the general insurance sector”, July 2016) clearly sets out the FCA’s expectations, and firms across the TMT sector would be wise to take on board the views of the FCA and apply the findings (as appropriate) to their businesses. The thematic review report was followed by the FCA issuing a “Dear CEO” letter, in July 2016, in respect of controls in place for appointed representatives.
The FCA is concerned at the increase it has seen in cases in which the introducer has an inappropriate influence on how the authorised firm carries out its business, in particular, where the introducer influences the final customer outcomes. The FCA also has concerns where the authorised firm delegates regulated activities; for example, by outsourcing their processes to unauthorised entities or to other authorised firms that do not have the relevant permissions.
The FCA has set out the steps that firms should undertake to ensure that their relationships with introducers and lead generators meet regulatory expectations.
The key pillars of a good governance arrangement for third parties are:
- clarity of roles and expectations
- detailed due diligence and on-boarding of third parties
- proportionate monitoring of third party activities which impact on your customers and your regulatory obligations
- targeted management information to be able to assess on a continuous basis whether regulatory expectations continue to be met
- arrangements for providing training for third parties
- defined and workable arrangements for ceasing a relationship with a third party
Unfortunately, regulated firms which get it wrong will face regulatory challenge. Further, in the face of systemic issues the FCA could insist on remediation programmes, which are understandably costly and detrimental to the day-to-day operations of a business.
What to do?
The FCA’s guidance on outsourcing makes clear that a firm is expected to take reasonable care to supervise the discharge of outsourced functions. What counts as reasonable is not defined. However, as part of the due diligence process firms should consider how the arrangement will fit with their governance and general organisation, the financial stability of the service provider and the reporting structures in place to ensure the arrangement is operating as intended.
This is important because, even where the consumer is engaging directly with the third party, they will view it as an extension of their relationship with you. As such, firms must be cognisant of the potential reputational damage in the event something goes wrong.
The following list can also be used as a guide against any current relationships you have:
- Is the basis of the agreement clearly defined within the SLA?
- Has the management information required from a third party been defined and agreed?
- What onsite monitoring activity will be conducted?
- What monitoring activity will be conducted by the outsourcer?
- Does the third party firm have the ‘right’ culture? Does their culture align with yours?
- Where the third party is dealing with customers, are appropriate controls in place?
- Does the third party take its data protection responsibilities seriously?
- What disaster recovery arrangements are in place?
- Finally, is there a clear exit strategy for if/when the relationship comes to an end?
Firms must assure themselves that the service being provided by the third party does not compromise the firm’s ability to ensure fair treatment of customers.
The FCA press release over the summer regarding introduced business explains that an authorised firm which accepts business from an introducer must meet its regulatory requirements. If customers are given unsuitable advice or information by an introducer, the authorised firm may be held responsible for this and be subject to regulatory action. The FCA is concerned at the increase it has seen in cases in which the introducer has an inappropriate influence on how the authorised firm carries out its business, in particular, where the introducer influences the final product choice. The FCA also has concerns where the authorised firm delegates regulated activities, for example by outsourcing their processes to unauthorised entities or to other authorised firms that do not have the relevant permissions, are not their appointed representatives or potentially do not have the necessary expertise or cultural alignment.
The FCA has set out the steps that firms should undertake to ensure that their relationships with introducers and lead generators meet regulatory expectations, including an unsurprisingly robust due diligence and vetting procedure to ensure the introductions have been sourced legitimately, and adequate systems and controls to demonstrate you have full and complete ownership of the advice you are providing.
Even prior to this press release, we have seen this as an area of focus for the FCA going back almost 10 years.
Unfortunately, if you get it wrong then you will face regulatory challenge, possible censure, fines and reputational damage. If you are a senior manager, you may also be challenged personally, particularly in relation to the forthcoming extension of the Senior Managers regime to all regulated firms, due to be implemented by 2018.
What could the outcomes be for customers? Could remediation programmes be significant if the issues are systemic? These are some of the risks that will be swept up into the wider governance aspect of a firm. How easy is it to assume that long-standing relationships are working simply because they are long-standing? There is likely to be more risk that goes unchallenged on legacy relationships and service provision than on new ones, which may well have been subject to a more rigorous selection and audit process. Maybe now is the time to follow up on answering the question of who we trust with our reputation.