All businesses buy in services of some kind, but most financial firms also rely on ‘outsourcing’ some functions to external service providers, such as hosting services ‘in the cloud’ or answering customer calls. Such ‘outsourcing’ poses potential risks, for both regulated firms and their unregulated service providers, that need to be managed, particularly where the outsourced function is ‘critical’ or ‘important’.
Various financial regulators have produced guidelines for outsourcing arrangements, especially across borders. Even after Brexit, UK regulators require firms to comply with the European Banking Authority’s 2019 Guidelines on Outsourcing Arrangements of 25 February 2019 (EBA Guidelines) and the European Securities and Markets Authority’s Guidelines (ESMA Cloud Guidelines). This is partly because those guidelines relate to EU laws that have been retained as part of UK law, as explained in guidance from the Prudential Regulation Authority’s Supervisory Statement and the Financial Conduct Authority.
The regulators’ key concerns are that firms do not delegate management responsibility, alter their client obligations or undermine the conditions of their regulated status. This means their outsourcing arrangements should not create undue operational risks or impair internal controls, regulatory supervision or the orderly wind-down of their regulated business activities.
In this article, Simon Deane-Johns explains why the key functions of regulated financial firms need to review arrangements for outsourcing by the end of 2021.
EBA Guidelines on outsourcing arrangements
The EBA Guidelines in particular affect banks, building societies, certain investment firms, e-money and payment institutions (but not firms who only provide account information services). Initially, they applied from 30 September 2019 to outsourcing arrangements started, reviewed or amended on or after that date. Firms were given until 31 December 2021 to review any pre-existing ‘critical or important’ outsourcing arrangements for compliance with the guidelines.
While FCA authorised firms do not have to report on the progress of their review of legacy arrangements, they should conduct that review at the first appropriate contract renewal or revision point and inform the FCA if any review has not been finalised by 31 March 2022.
Reviewing outsourcing agreements
The kind of provisions that regulated firms may need to add if they do not already feature in new or legacy outsourcing agreements include:
- The obligation on the Service Provider to:
- notify the firm in writing in advance of proposed changes to where data will be stored or processed or any planned sub-contracting or changes, with the right of the firm to object;
- ensure the firm’s data can be accessed in the case of the Service Provider’s insolvency or cessation of operations;
- report any significant problem, events or any development that may have a material impact on the Service Provider’s ability to effectively provide the services to agreed service levels or in compliance with regulatory requirements (including internal audit reports);
- insure against certain risks to certain levels of cover;
- implement and test adequate business contingency plans;
- co-operate with the firm’s regulator (or receiver/liquidator) and those appointed by them, with full access to business premises, devices, systems, networks, information and data used for providing the services, personnel and Service Provider’s external auditors; and
- comply with appropriate IT security standards, data and system security requirements, and update the firm on its compliance with such requirements on an ongoing basis.
- The firm’s right to monitor the Service Provider’s performance on an ongoing basis.
- The Service Provider’s acceptance of certain regulators’ powers to prevent various financial ‘crisis prevention measures’ being treated as triggers for enforcement, insolvency or termination of the outsourcing agreement.
- Accepting, and not restricting, regulators’ information-gathering and investigatory powers.
- Granting the firm unrestricted rights of inspection and audit relating to the services to enable monitoring and to ensure compliance with regulatory and contractual requirements and the right to carry out security penetration testing to assess the effectiveness of security measures and processes.
- Conditions on which a Service Provider may sub-contract a critical or important service, designed to ensure the sub-contracting is adequately supervised and that the firm and regulators have the same contractual rights of access and audit as those granted by the Service Provider.
- Termination rights where there are impediments to performance of the services or instructions from regulators.
- Orderly transition arrangements on expiry or termination.