The Financial Conduct Authority (the FCA) has published a checklist of questions to be considered by regulated firms when selecting a provider for the delivery of technology services which are critical to their business operations (the Considerations).
The aim of the Considerations is to assist firms in complying with their regulatory responsibilities. Compliance with the Considerations may have significant operational implications for some firms. The Considerations require firms to carry out extensive due diligence and, presumably, to retain an audit trail of that due diligence. Additionally, the Considerations will in practice require the inclusion of a number of specific contractual terms in the agreement with the provider; although the Considerations are phrased as questions, it is difficult to envisage how compliance can be achieved without specific contractual provisions being included in the actual contract.
It could be argued that the FCA’s approach simply codifies good practice. On the other hand, it may make it more difficult for some firms to conclude deals for “off the shelf” technology products.
The Considerations demonstrate the FCA’s awareness of the importance of technology in the provision of banking services and the diverse range of services available to firms.
The aim of the Considerations is to ensure that firms only enter into relationships with providers which are effective, resilient, secure and designed to meet the future, as well as current, business needs of the firm.
The Considerations are a non-exhaustive checklist of questions, some of which should be asked at the beginning of the procurement process, while others cover the selection of the provider and the issues that a firm should take into account and reflect in the final contract with the provider.
The FCA publishes the full list of the Considerations. They include the requirement for a firm to consider:
- the commercial efficacy of the arrangement;
- if the provider is financially and operationally viable;
- data segregation, security and portability and the data protection implications of the relationship, both during the contract and upon termination;
- the compatibility of the services and systems of the provider with the firm’s own systems;
- testing of the solution (including end-to-end testing and penetration testing);
- how changes will be dealt with;
- if references can be obtained in respect of the provider’s work;
- the extent of a concentration risk (how many competitors use the same provider);
- an appropriate exit plan;
- appropriate service levels; and
- support and maintenance arrangements.
The Considerations are in addition to the formal regulatory requirements set out in Threshold Condition 2.4 (Appropriate Resources), Threshold Condition 2.5 (Suitability) and SYSC 8.1 (General Outsourcing Requirements) of the FCA Handbook.
The Considerations will undoubtedly impact the procurement process of, and ultimately contracts with, providers of operationally critical technology services. Simply agreeing to a provider’s standard terms and conditions is unlikely to be a compliant option.