Authors: Andrew Moyle, Nicola Higgs, Christian McDermott, and Kirsty Watkins.
The financial services industry is leading the way in outsourcing, with contract values in excess of US$10.7 billion in 2018, causing regulators to focus more than ever on the associated risks. Guidelines on outsourcing arrangements from the European Banking Authority (EBA), which came into effect on 30 September 2019, expand the requirements on institutions in this area, while both the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) are also increasing their outsourcing supervision and enforcement activity.
At our recent event, Balancing the Scales: Managing the Risk and Promise of Digitisation in Financial Services, we discussed the new requirements for financial institutions to maintain a register of outsourcing arrangements and to meet more stringent risk assessment and due diligence standards.
A panel discussion also highlighted the concentration risk posed by a small number of outsourcing providers that have become systemically important to the sector, which regulators increasingly see as a growing concern. The FCA’s 2018-19 business plan identifies data security, resilience, and outsourcing among its cross-sector priority areas, and the regulator is examining the risks posed by outsourcing and third-party providers with a particular emphasis on concentration risk. Institutions should pay close attention to the direction of travel in outsourcing regulation and learn from recent supervisory activity.
The regulatory focus
Outsourcing remains a key area of focus for supervisors, with operational resilience in outsourcing a topic of growing regulatory concern. Typical FCA and PRA supervision activities include supervisory visits, thematic reviews, guidance, and Dear CEO letters.
When it comes to enforcement, regulators are directing attention to the senior managers accountable for outsourcing arrangements and ensuring the appropriate oversight is in place. The FCA will likely flex its enforcement powers in circumstances where there has been an outsourcing failing with evidence of management failure or operational resilience exposure, particularly as a result of unclear reporting lines and weak systems of individual accountability.
The duration of any related security incident and evidence of customer detriment are also critical measures when considering enforcement action; because action has been taken even for security incidents of short duration, there is little room for error. Thematically, the FCA is focused on combating money laundering and financial crime and is under pressure to commence enforcement action where it finds evidence of failings, which puts outsourcing in the spotlight where it is used in areas such as KYC and onboarding checks.
How to comply
From a day-to-day compliance perspective, institutions should focus on the basics, which include making sure there is a designated senior member of staff in charge of outsourcing and following a well-drafted and up-to-date outsourcing policy. There should also be a register of all outsourcing arrangements in place (i.e., not just outsourcings that are deemed critical or important), covering both existing and new arrangements. The register should further include certain details with respect to arrangements that have expired.
Practical tips shared at the event included aligning the outsourcing policy with the policies that sit beneath it, such as the information security policy, and preparing a governance rider schedule to be incorporated into all outsourcing contracts.
As global financial institutions face greater scrutiny of their outsourcing arrangements from regulators around the world, additional challenges arise in relation to the interactions between different regulatory regimes. Intra-group arrangements can present issues, with different entities taking different views of what constitutes “critical or important”, for example, while close attention also should be paid to the treatment of branches, the designation of appropriate senior managers (who are physically in a location where oversight is feasible), operational resilience and resolution, and SLA robustness and ownership.
Institutions must also monitor the impact of Brexit on intra-group arrangements, and ensure an appropriate gap analysis is conducted between jurisdictions where outsourcing forms part of Brexit day-one planning. The proportionality principle that is now a key part of the EBA guidelines is not a concept that is easily understood in Germany, for example, and it will be interesting to see how European regulators start to exercise oversight over traditional outsourcings with which UK regulators are now relatively comfortable.
Finally, when outsourcing to third countries outside the EU, there remains a clear requirement to comply with EU legislation. Risk assessments should consider the political and security situation in the jurisdiction in which the third-country service provider is based, and examine the insolvency regime that would apply in the event of the service provider’s failure.
As the regulatory environment develops in relation to outsourcing over the coming months, institutions should start thinking about operational resilience disaster planning and begin testing arrangements against hypothetical scenarios. Doing so can help focus the minds of management on the areas that regulators are concentrating on, while also allowing valuable time to make improvements away from the glare of potential enforcement action.
The next in our series of blogs reflecting on our flagship event: Balancing the Scales: Managing the Risk and Promise of Digitisation in Financial Services will look at cloud compliance.