With increasing pressures for financial services institutions to keep pace with the levels of innovation in the market, firms have sought solutions from third party service providers. This rising trend in outsourcing continues, notably driven by cost reduction, advances in technology and the requirement for firms to increase agility.
As our series on the regulators’ new operational resilience rules continues Lindsey Domingo at Xcina Consulting Limited provides additional insight for organisations to help them ensure their current and new arrangements are in line with the expectations from the FCA and/or PRA.
In our previous edition on Outsourcing and Third Party Risk Management, we provided an overview of the key milestones behind the new expectations.
Overview of requirements
One of the key requirements is to put in place robust agreements with outsourcing or other material third-party providers.
When outsourcing or subcontracting a material process or function, firms are effectively handing over their business function. They need to obtain contractual guarantees of service levels and mitigate any risk to their business in case the third-party arrangement is not fit for purpose and the business suffers as a result. Similarly, the third party would be accepting responsibility for the business function, and potentially employees of the business, so the provider needs to know exactly what is expected of them, what they are taking on and the pricing of the outsourced or subcontracted services.
Firms need to have a good contract in place so that the provider complies not only with their business requirements but also with the regulators’ requirements. Regardless of materiality, firms must ensure that outsourcing agreements do not limit the regulators’ ability to effectively supervise the firms, including their outsourced and subcontracted activities.
Contractual negotiations usually focus on technical, commercial, and value-for-money considerations. In addition, the FCA states in SYSC 13.9 that, when negotiating with a service provider, a firm should have regard to:
Considerations during contract negotiations
As a minimum material outsourcing agreements should set out the items stipulated by the PRA in supervisory statement SS2/21. These include:
Firms may elect to limit contractual termination rights to situations such as: material breaches of law, regulation, or contractual provisions; those that create risks beyond their tolerance; or those that are not adequately notified and remediated in a timely manner.
The FCA provides additional relevant guidance in SYSC 13.9.6. In implementing a relationship management framework, and drafting the service level agreement with the service provider, a firm should have regard to:
Key elements of outsourcing agreements
The implication is that firms will need to review and, if necessary, repaper existing contracts. All new contracts will need to meet the requirements.
Failure to comply with the regulatory expectations for outsourcing and other third-party agreements can have significant adverse business and regulatory implications.
Case study: R. Raphael & Sons PLC (Raphaels)
On 12th November 2015, the Prudential Regulation Authority (PRA) issued a Final Notice to R. Raphael & Sons PLC (Raphaels) for contravening Fundamental Rule 3 contained in the PRA’s Rulebook and levied a fine of £1,825,950. The PRA took enforcement action against the firm for the following:
Timeline for implementation
Firms must comply with the expectations by 31 March 2022.
There are also transitional arrangements regarding Registers. Banks, electronic money and payment institutions are already required to maintain a register of their Cloud Outsourcing arrangements in line with the European Banking Authority (EBA) Cloud Recommendations (subsequently integrated in EBA Outsourcing Guidelines). Firms in these categories are expected to continue to maintain this Cloud Register until it is subsumed by the Outsourcing Register (originally 31 December 2021 for firms still following the EBA timeline; however, this is no longer required by UK regulators until 31 March 2022).
In summary, firms need to comply by 31 March 2022 in respect of all material outsourcing and third-party arrangements.