The FCA has clarified that it expects UK firms to meet the EBA guidelines for reviewing legacy outsourcing arrangements. If these reviews have not been completed by 31 March 2022, or if issues remain outstanding at that point, you will need to inform the FCA. If you’re found not to be compliant and have not informed the regulator, action could be taken against the responsible individual.
The EBA guidelines, released in 2019, require firms to review ‘critical’ or ‘important’ outsourcing arrangements entered into before 30 September 2019 to ensure these legacy arrangements are compliant. When we asked the audience at a recent event, 80% didn’t fully understand their obligations under the EBA guidelines and the transition post Brexit has added to potential confusion.
The regulators’ update of their expectations, FCA: Outsourcing and operational resilience, has provided much needed clarity. The FCA has reiterated that if you have these legacy outsourcing arrangements you should review them at the first appropriate contract renewal or revision point.
Aside from the regulatory obligations, the renewed focus on operational resilience following the pandemic means a review of the risks posed by outsourcing, particularly when it comes to Senior Manager responsibilities, would be a wise move.
Why is the FCA interested in legacy outsourcing?
Legacy arrangements are where firms are most likely to experience outsourcing-related challenges, hence the interest from the regulator. Setting up and managing controls for new outsourcing arrangements, which start with a blank sheet of paper, can be relatively straightforward. But when it comes to renegotiating longstanding arrangements, this becomes more complex, for example with access rights and sub-outsourcing. It’s important to understand and address these complexities in any outsourcing arrangement.
Business continuity management (BCM)
The guidance warns that, while on the one hand it is inefficient to rely on outsourcing arrangements for BCM, on the other hand firms need a good understanding and oversight of their outsourcing providers, and should involve them in the testing of their BCM framework.
Firms need to plan how they can exit an outsourcing arrangement, if necessary, in a managed way. This applies both to changing an existing provider and to recovery and resolution, that is, winding down a business in a controlled manner.
The key challenge with sub-outsourcing is quality control, given that the regulated firm may not have been involved in choosing the provider. Firms need to ask themselves potentially difficult questions about their access rights and levels of comfort with regards to sub-outsourcers, particularly when it comes to customer data. In theory most firms would go through a due diligence process before selecting the sub-outsourced service provider, but at Bovill we have found this is not always the case with legacy arrangements.
Addressing your outsourcing risks
At Bovill we have seen outsourcing become an increasingly common part of the business model for financial services firms; newly authorised firms often have lean operations and a heavy reliance on outsourced providers for their infrastructure.
This is particularly true in the Fintech space, where there is significant potential for concentration risk. If multiple firms are using the same outsourcer, the fallout from any issue with that provider becomes far reaching, as we saw with the collapse of Wirecard last year.
Management and control of outsourcing is also a significant challenge for larger established firms such as banks and insurers, many of whom entered into outsourcing arrangements as a cost-cutting exercise several years ago.
If you outsource any part of your business and particularly if you have legacy outsourcing arrangements, establishing responsibility and recognising the risk are key.
The first thing for organisations to realise is that outsourcing is not only the responsibility of the firm concerned, but also of specified individuals under SMCR. If you are the Senior Manager responsible, the buck stops with you in terms of control and oversight of outsourcing providers and ensuring that customers get the right level of service. Individuals in operating functions need to be aware that they will be on the regulator’s radar.
Recognise the risk
Be honest with yourself and your providers. Determine which of your critical activities have a high dependency on third parties, and then assess whether these outsourcing arrangements are sound in terms of the regulatory guidance. Unfortunately, this may result in the identification of risks that cannot be brought within acceptable tolerance levels. We have seen outsource providers (particularly those from overseas jurisdictions) refuse access rights requests. In these circumstances, if you can’t get sufficient assurances, you need to consider the viability of continuing that relationship. If things go wrong with that provider and you don’t have the right assurances, the regulator is going to be entirely unsympathetic.
Investing in a control framework for future longevity
This FCA guidance focuses on critical or important legacy outsourcing arrangements. But outsourcing has always been a critical topic for the regulator because it recognises the inherent risk when activity takes place outside the umbrella of its control. The regulator expects regulated firms to apply the SYSC requirements on outsourcing, and the Principles for Businesses and Code of Conduct expectations for effective management and oversight, as a matter of course.
And the focus from regulators on operational resilience puts the spotlight on any potential weaknesses in service delivery provided by third parties. Time and resource spent now to properly review and manage outsourcing arrangements will be a good investment for the future.