"The new regime promulgated under the Financial Services Bill will have limited effect on bank outsourcings."
Legislation which will enact the Government's reform of the regulatory architecture of UK Financial Services regulation is currently making its way through Parliament and is due to be implemented by the spring of 2013. Under the proposed changes the FSA will cease to exist in its current form, and as mentioned in the ECM Update for Q1 (see here) three new bodies will be established: the Financial Policy Committee, the Prudential Regulation Authority ("PRA"), and the Financial Conduct Authority ("FCA"). Systemically important firms, such as banks and insurers, will be dual-regulated by both the PRA and the FCA, which will share regulatory responsibility.
The new regulatory structure will have limited direct impact on outsourcing. While it is noted that section 158A of the Financial Services & Markets Act 2000, which requires the FSA to produce guidance on outsourcing by investment firms and credit institutions, will lapse, this will not affect the guidance which is already in place. The most significant change in the regulation of outsourcing is most likely to arise from:
- the fact that two regulators will now potentially be interested in the same outsourcing;
- the generally more intrusive regulatory attitude which is already in evidence; and
- in particular, the developing regulatory approach to outsourcing risk.
Dealing with these points in turn: many firms which undertake large outsourcings will be dual-regulated and, while in these cases the PRA will be the lead regulator, it is not yet clear whether the PRA or the FCA will take the lead role in assessing the risks relating to an outsourcing. In particular, while the recent FSA consultation paper, CP12/24, suggested that with regard to dual-regulated firms many of the notifications to the FSA pursuant to SUP15 would be required to be made to both the PRA and the FCA, it has not yet been made explicit whether notifications in relation to critical or important outsourcings would need to be made by dual-regulated firms to both regulators.
The FCA and the PRA will both be more proactive in relation to the management of risk in financial services businesses, including risks which arise in relation to material outsourced services. While, broadly, the PRA will adopt a judgement-led approach which will involve taking a "big picture" view of the risk presented by a firm, especially in relation to financial soundness, the FCA will adopt a pre-emptive approach, seeking to obtain a deeper understanding of underlying commercial and behavioural drivers in a business and taking action to avoid poor outcomes for consumers. In the context of outsourcing, this could mean taking a particularly rigorous approach to operational risk in any outsourcing which could impact consumers.
With regard to the developing regulatory approach to outsourcing risk, a recent case in point is the FSA's attitude to the use of cloud computing in outsourcing and its reluctant concession that, where information is held or functions are undertaken in cloud IT solutions, it may not be able to have the same access rights, provided for in SYSC, as it would normally expect. SYSC 8.1.8R(9) provides that a firm, its auditors, the FSA and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the FSA and any other relevant competent authority must be able to exercise those rights of access.
Regulatory considerations in connection with financial services outsourcings seem set to become yet more complex.