Fines imposed by the FCA create a new focus on outsourcing

Bovill

The recent multi-million pound fine imposed by the FCA will cause firms to take a fresh look at the control and governance of their outsourcing arrangements. The fine has been introduced as a part of new measures to make sure there’s a robust oversight framework and clarity around responsibilities.

With this enforcement action, and in several other less public cases, the FCA has raised concerns that firms are failing to make sure they have “clear and adequate systems and controls” to oversee the activities of third parties.

Specific issues identified by the FCA

Firms need to remember they can’t outsource their compliance responsibilities. The FCA provides a useful refresher course in what these responsibilities are and how they can be handled. It covers four main areas.

  • Control and monitoring

Outsourced activities must be properly organised by the firm, with suitable risk management. Throughout the life of the outsourcing arrangement the firm must monitor that the third party is doing the job properly. The starting point is a thorough understanding of what activities have been outsourced and to whom.

  • Allocation of responsibility

Even when an activity like IT or service delivery is outsourced, the firm retains responsibility for it and must put an appropriate senior manager of its own in charge – someone with the right expertise and resources to understand and mitigate the risks.

This requirement is part of the FCA’s Senior Managers & Certification Regime (SM&CR), under which firms must identify and allocate responsibilities to suitable individuals. The FCA suggested in the final notice of the recent case that, had SM&CR been in place, it could have helped the firm by clarifying responsibility for the outsourced activities. This should motivate firms to make sure that SM&CR becomes embedded in the business.

  • Conduct risk controls

A suitable framework for conduct risk must be put in place early in the outsourcing process and then enforced. This is not a new requirement for the insurance sector; however, some firms have become complacent and forgotten to revisit their frameworks regularly to check they are still fit for purpose.

  • Ensuring compliance

Systematic risk assessment and monitoring will help make sure that third-party administrative processes meet regulatory requirements. It’s not enough to discuss compliance or even write it into the outsourcing contract. If you outsource, you must do your own rigorous monitoring of any third party.

Creating a robust outsourcing oversight framework

The FCA highlights the need for strong governance and accountability when outsourcing important aspects of the business. If this applies to you, consider putting in place an outsourcing governance framework that addresses the entire outsourced relationship lifecycle. The framework should cover the following:

  • Identify why the outsourcing is required
  • Explain the approach to due diligence and onboarding of the third party and demonstrate that it has been done
  • Outline how the ongoing relationship will be monitored, ensuring regulatory compliance. This can include:
      1. Clear customer-focused Service Level Agreements (SLAs)
      2. Contracts with clearly defined responsibilities
      3. Specific conduct risk metrics
      4. Governance meetings where the agenda is focused on the customer and not the commercials
  • Clarify how the relationship will be terminated

The board and senior management must take ownership of the development of the framework. Doing this now and applying it to all existing and future outsourced relationships is a lot easier than having to explain to the regulator whose fault it is when an outsourced relationship leads to poor customer outcomes.

How we can help

Bovill has deep experience of supporting clients to make sure that regulatory aspects are properly managed during outsourcing. We can help you understand your outsourcing requirements and their regulatory implications, then deliver the associated organisational change and test the resulting systems and processes. We can also carry out a health check to see whether existing outsourcing deals are being managed and monitored in a way that safeguards compliance and minimises risk.

Get in touch to explore how we can work together.
