Third party service provider outsourcing: Where does ultimate regulatory responsibility lie?
Firms are increasingly relying on technology provided by third parties, such as the cloud, to enter new markets, lower operating costs, fuel innovation and adapt to the digital economy. Recognising this trend, the FCA made operational resilience, and specifically outsourcing to third party service providers, a cross-sector priority in its Business Plans for 2019-2020 and 2020-2021. Given the severe operational disruption COVID-19 is likely to cause firms, the FCA has reiterated its expectation that firms' outsourcing arrangements should be operationally resilient. The FCA's view on outsourcing to third party service providers is that managing the third parties that provide or support financial services is clearly a firm's responsibility: critical services may be outsourced, but responsibility cannot. This view is illustrated in the highly relevant joint FCA and PRA final notice given to R. Raphael & Sons plc for failing to manage its outsourcing arrangements properly.
The FCA accepts that operational disruptions happen and is outcomes-focused. It expects all firms to have contingency plans for major events, and to have tested those plans. The FCA is actively evaluating the contingency plans of a wide range of firms. Given the FCA's outcomes focus and explicit expectations, is your firm aware of its outsourcing risks, where ultimate regulatory responsibility lies, and what action, if any, needs to be taken in the short and long term to avoid potential sanctions?
The FCA's view
The FCA states that "a firm would be outsourcing when they are involved in an arrangement where a service provider performs a process, service or activity on behalf of a firm which the firm would otherwise carry out itself."
The FCA's view is that managing the third parties that provide or support financial services is clearly a firm's responsibility: critical services may be outsourced, but responsibility cannot. Indeed, that was the message Mark Steward, the FCA's Executive Director of Enforcement and Market Oversight, emphasised on publication of the final notice to R. Raphael & Sons plc in May 2019: "There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers."
The FCA considers an operational function to be critical if a defect or failure in its performance would materially impair the firm's continuing compliance with the conditions and obligations of its authorisation or the regulatory system, its financial performance, or the soundness or continuity of its relevant services and activities. This mirrors the test for a "critical or important" operational function in SYSC 8.1.4R of the FCA Handbook, so a firm should be able to show which of its outsourced functions it has assessed against that test and why.
FCA Enforcement action
Outsourcing to third party service providers is an area where the FSA historically, and the FCA currently, have been active. In May 2019 the FCA and PRA fined R. Raphael & Sons plc ("Raphaels"), a retail bank, approximately £775,000 and £1,100,000 respectively for failing to manage its outsourcing arrangements properly. The breaches occurred between April 2014 and December 2016. Although the case is approximately a year old, it is worth reconsidering carefully for three reasons. First, the parallels with the situation presented by COVID-19 are highly relevant: the failings concern the operation of outsourced critical services during a disruptive event. Second, it is a potential signpost of how the FCA may proceed in any enforcement action. Third, it provides practical insight into the FCA's expectations.
In short, Raphaels' Payment Services Division relied on outsourced service providers to perform certain functions that were critical to the operation of its card programmes. Raphaels lacked adequate processes to understand and assess the business continuity and disaster recovery arrangements of those providers, in particular how they would support the continued operation of its card programmes during a disruptive event. The absence of such processes posed a risk to Raphaels' operational resilience and exposed its customers to a serious risk of harm. These risks crystallised on 24 December 2015, when a technology incident at a card processor caused the complete failure of the authorisation and processing services it provided to Raphaels, an outage that lasted over eight hours.
Raphaels’ specific failings in relation to the incident resulted from deeper flaws in its overall management and oversight of outsourcing risk from Board level down. These included: a lack of adequate consideration of outsourcing within its Board and departmental risk appetites, the absence of processes for identifying critical outsourced services and flaws in its initial and on-going due diligence of outsourced service providers.
Points to reflect on
Building on the FCA's publications in this area and wider thinking, firms may wish to reflect on the following when considering their outsourcing relationships with third party service providers:
- Operational risk:
  - Has appropriate identification and management of the operational risks associated with the use of third parties been undertaken?
  - Has due diligence been done on prospective service providers, and is there adequate oversight of the outsourced relationship? For example, are there sub-outsourcing (fourth party) relationships, and does the firm know about them?
  - Has an assessment based on 'public interest impact' been undertaken, that is, an assessment of how disruption to these services could harm customers (retail and wholesale) or market integrity?
  - Is the firm's culture as attuned as its policies and procedures to dealing with such issues?
- People risk:
  - Which senior manager is responsible for outsourced activity?
  - What are they doing to mitigate outsourcing risk, and how are they evidencing this?
- Legal risk:
  - In light of the firm's GDPR responsibilities, how is data processed by the outsourced provider treated?
  - Has consideration been given to potential data breaches in outsourced relationships?
Megan Butler, the FCA's Executive Director of Supervision – Investment, Wholesale and Specialist, said in a speech on operational resilience in December 2019: "our starting point is the premise that operational disruptions happen…the outcomes we are seeking are more focussed on the continuity of supply of the financial products and services…Even in the event of severe operational disruptions." For most businesses, COVID-19 is likely to be a severe operational disruption. Given the FCA's outcomes-based approach and explicit expectations, is your firm aware of its outsourcing risks, where ultimate regulatory responsibility lies, and what action, if any, needs to be taken in the short and long term? The FCA expects all firms to have contingency plans for major events, and to have tested those plans, and it is actively evaluating the contingency plans of a wide range of firms.