Introduction
Although there have for some time been detailed rules and requirements for banks and building societies which outsource various activities, and IMRO firms were subject to guidance on the delegation of functions (see IMRO Reporter 16), it is clear that FSA has a general expectation that all firms which outsource certain functions should ensure that such arrangements are set up in a controlled manner so that they are not exposed to undue operational risk.
Post N2 regime
Post N2, firms which outsource certain functions will be required to comply with a more concrete set of rules and guidance. In addition to Principle 3 (Management and Control) and the requirements of SYSC, when the Integrated Prudential Sourcebook comes into effect, scheduled for January 2004 but now possibly delayed, this will contain a specific chapter dealing with this area (PROR 2).
These draft requirements are of current significance because they reflect what is understood to be FSA’s policy on outsourcing, and address areas of concern which have been apparent in recent (and continuing) enforcement cases involving outsourcing. It is suggested that these draft requirements do no more than set out in detail obligations that already arise under PRIN and SYSC.
What is outsourcing?
Outsourcing commonly involves an authorised firm contracting with a third party (who may or may not be FSA authorised, and may be based in the UK or overseas) for it (the ‘supplier’) to provide certain functions for the authorised firm (the ‘outsourcer’). FSA’s requirements apply with equal force to inter-group outsourcing, although with rather less formality. The outsourcing may be of administrative functions such as:
- accounting
- systems
- “back office” administration of retail or wholesale investments
- clearing
- pricing
but may be for the provision of assistance with sales and marketing, or at management level.
Problems with outsourcing
The experience of regulators over the past few years is that outsourcing is vulnerable to risk of non-compliance because of failures of control. It may, for example, not be:
- properly documented
- properly defined
- properly monitored
- competently performed
and management controls may be improperly relinquished to the supplier. There may also be an inadequate information flow from the supplier to the outsourcer.
FSA's policy
FSA’s policy is based on Principle 3 – the requirement for a firm to be organised; the Threshold Condition of suitability, which requires a firm to conduct its affairs soundly and prudently; and the SYSC rules, which require that a firm’s management runs the business with appropriate systems and controls in place.
FSA’s policy focuses on material outsourcing contracts entered into by significant business units. The test is, would weakness or failure in the outsourced activity cast serious doubt on continuing compliance with FSA’s Principles for Business or Threshold Conditions? FSA considers that outsourcing regulated activities will be a material outsourcing, but not custody or appointment of ARs. However, it would be prudent for firms to observe the following requirements in relation to any outsourcing.
FSA's requirements
FSA’s requirements seek to address these issues as follows:
- FSA should be notified of any intended material outsourcing, changes to such arrangements, and material problems if they occur. This reflects FSA’s requirements in SUP 15.3.8.
- A firm must be satisfied that, if it outsources a function (or significantly amends an existing outsourcing), it will remain able to comply with FSA’s Principles for Business, Threshold Conditions and SYSC requirements. It must have regard to the interests of its customers. The firm should document its reasons. A member of the firm’s senior management, who should be an approved person, should be responsible for any material outsourcing. That person should also be responsible for ensuring that adequate systems and controls are in place in order to monitor and control risks arising from the outsourcing. Firms should also be aware that suppliers’ employees may be subject to individual approval under the APER rules.
- A firm should verify that a supplier is competent, financially sound and has appropriate expertise, and can devote sufficient, adequate resources to the proposed outsourcing on an on-going basis. A firm should also monitor the supplier’s performance.
Need for a written agreement
FSA considers that a firm should have a written agreement with its supplier addressing the following points:
- clear reporting line
- requirement to provide information about developments
- protecting customer confidentiality
- restricting sub-contracting
- observation of FSA’s rules
- requirement to inform of developments which may impact the supplier’s obligations
- setting out data protection obligations
- giving right to terminate on supplier’s change of control or insolvency
- including service level agreements with specified targets, including appropriate reports, reviews and remedies
- granting rights of access to FSA and the firm’s internal and external auditors
- orderly termination and handover of records.
Additional requirements
Firms should additionally:
- maintain a contingency plan for where the supplier fails or the contract terminates
- carefully review each outsourced function and determine how it will remain able to comply with FSA’s requirements under the proposed outsourcing
- note that there are particular requirements for the outsourcing of internal audit
- check both legal and regulatory enforceability if the supplier is overseas.
For further information please contact Simon Morris by telephone on +44(0)20 7367 2702 or by e-mail at [email protected].