The Financial Conduct Authority has published a document setting out a list of points for financial services firms to consider when preparing for and evaluating third-party technology banking solutions.
Where a third-party provides services which are critical to a regulated firm’s business operation, it will be considered an outsource service provider (“OSP“) and the firm will be subject to certain regulatory obligations as a result.
Primarily firms must meet the FCA’s “appropriate resource” and “suitability” threshold requirements set out in COND 2.4 and 2.5 respectively, and comply with the general outsourcing requirements set out at SYSC 8.1. The FCA document reminds firms of the overall aim of the regulatory objectives with regards to outsourcing, namely that:
- firms must appropriately manage and remain responsible for the operational risk associated with its use of third-parties; and
- the arrangements with third-parties must not impair the regulator’s ability to regulate the firm.
The publication addresses six main areas for assessment by firms considering the use of third party technology, each of which is then further defined by reference to a series of questions for firms to ask themselves as a checklist of their own “thinking” in connection with satisfying their regulatory objectives. The six principal areas cover:
- the rationale behind the decision to outsource the delivery of critical technology services;
- the selection of the OSP and the solution;
- oversight and governance of the OSP, including service levels;
- operational elements, including support and maintenance, quality and incident management;
- service protection, including security, disaster recovery and testing; and
- data protection.
The document makes clear that the questions are not-exhaustive (either of the points that firms should consider in preparing third party arrangements, or of the points that the regulator(s) will consider when assessing an application for the delivery of regulated services), so of course each firm will need to consider its own specific requirements, internal operation and other relevant issues. However, the document will be helpful in structuring that process, and also potentially useful in identifying the “right” terms to be included in any relevant contract.
The document is available at http://www.fca.org.uk/static/documents/barriers-to-entry-third-party-technology-considerations.pdf