The Financial Conduct Authority (FCA)1 guidance on outsourcing to the “cloud” and other third-party IT services was published in July. It sets an interesting standard for all financial markets participants and their third-party suppliers.
Third-party IT services, and the use of the ‘cloud’ have gained momentum in the industry since the crisis of 2008. With continued pressure on budgets and a focus on core businesses, many regulated firms have looked for ways of leveraging the cloud and outsourcing services to organizations that specialize in providing them. But one of the key FCA guidelines is that regulated firms cannot pass off their regulator responsibilities to their third-party providers.
New Definitions for Outsourcing
With regard to outsourcing, the FCA began with three new definitions for the types of outsourcing:
- Critical or Important – where a system failure would compromise a firm’s obligations under the regulatory system
- Material Outsourcing – where a system failure would cast serious doubt on the firm’s continuing satisfaction of the compliance threshold.
- Important Operational Functions – relating to the Electronic Money Regulations 1022 and the Payment Services Regulations 2009.2
IPC, as a provider of critical and important material, has for many years been one of the leaders in providing the standards for the provision of services working in partnership with our clients. I’m pleased to say that a great deal of how we run our business and deliver our services is reflected in the FCA guidance. I am confident that we, at IPC, are already delivering what is needed. However, we will look at all of our internal processes and how we deliver to our customers to make sure we continue to meet these requirements moving forward.
Furthermore, the FCA has mentioned several international standards that should be applied to outsourcing. Although the guidelines document has been in the works for many months, it is interesting to see the UK regulator taking a very global approach. Where a global standard is available the regulator suggests that the standard should be applied to the service being outsourced. I expect we will see more of this view in many of the post-Brexit UK government institutions.
Additionally, several new ideas were brought forward in the FCA guidelines document, such as outsourcing not increasing risk and having an exit strategy from any outsourced functions. Over the next few months, we will be looking at these to see how we can deliver on the needs for our clients.
An Extensive Checklist for Reducing Risk
The depth of the advice given is in 13 sections and contains more than 60 specific recommendations for how regulated firms should handle the outsourcing of different functions.
IPC is able to assist clients to meet the new guidelines across the lifecycle of any solution. We start by assisting with the business case, creating the solution, covering the legal and data protection aspects of such services as well as relevant risk assessments. We also look into the future and make sure that new rules and regulations can be anticipated. While engaged with clients, we provide the right level of access and security combined with change management and exit planning for when the service might cease or evolve into the next generation.
As mentioned at the beginning, there is one item that is an undercurrent of the FCA’s advice: Regulated firms cannot pass off their regulator responsibility to third-party providers. Regardless of the services outsourced, the regulated firm still carries the responsibility for its actions, not only in its conduct in the financial markets but in the appointment of third parties.
Finally, any outsourcing is change and both the change and the outsourcing should “avoid undue operational risk.” Our experience is that the start and end of solutions are where the risks are highest. Our team – with its diverse and deep expertise – is always aware of the need to plan for any event that might bring risk to a client’s solution, which makes us a strong partner for adhering to these new guidelines when outsourcing to cloud services.
To learn more about how IPC services comply with this guidance, please contact Robert.powell@ipc.com
To download this blog, click here
A bit of background from my perspective: The early days of guidance from the regulator could be described as terse. The authority offered a guide to the principles being applied, rather than detailed discussions of the issues being tackled and the problems that might be encountered and solved. This was, of course to be expected in the heavily principles-based approach taken in those days.
In contrast, latest guidance gives very good, and very specific, advice about what to look out for when deploying these kinds of services. I’m sure it will become the reference for much of the outsourcing that takes place in the financial markets, regardless of the service that is being outsourced.
The guidance also lays out how firms and vendors should approach the qualification of each of the services and gives clear definitions of critical or important, material outsourcing and important operational functions. The latter being specific for electronic money institutions.
1 The Financial Conduct Authority is a United Kingdom-based financial regulatory body, but operates independently of the UK government, and is financed by charging fees to members of the financial services industry. The FCA regulates financial firms providing services to consumers and maintains the integrity of the UK’s financial markets. It focuses on the regulation of conduct by both retail and wholesale financial services firms.
2 Definitions are from the Financial Conduct Authority’s Finalized Guidance of July 2016.