Firms are increasingly relying on technology provided by third parties, such as the Cloud, to gain entry to new markets, to lower operating costs, to fuel innovation and to adapt to the digital economy. In recognising this trend, the FCA made operational resilience and, specifically, outsourcing provided by third party service providers a cross-sector priority in its Business Plan of 2019-2020. Operational resilience continues to be a key priority in its Business Plan of 2020-2021 given its broad market impact.
Given the likely severe operational disruption COVID-19 is causing to firms, the FCA has reiterated its expectation that firms' outsourcing should be operationally resilient. It accepts of course that operational disruptions happen, and it is outcomes focused. But it does expect all firms to have contingency plans to deal with major events and it expects these plans to have been tested. It is actively evaluating the contingency plans of a wide range of firms.
In light of the FCA's outcomes focus and explicit expectations, firms need to be aware of their outsourcing risks, where ultimate regulatory responsibilities lie and what action, if any, needs to be taken in the short and long term to avoid potential sanctions.
The FCA's view
The FCA's view is that a firm is outsourcing when involved in an arrangement where a service provider performs a process, service or activity on behalf of a firm which the firm would otherwise carry out itself.
Further, its view is that, generally, managing the third parties that provide or support many financial services is clearly a firm’s responsibility; critical services may be outsourced but responsibility cannot. Indeed, that was a message Mark Steward, the FCA's Executive Director of Enforcement and Market Oversight, emphasised with the publication of a Final Notice to R. Raphael & Sons plc in May 2019: "There is no lower standard for outsourced systems and controls and firms are accountable for failures by outsourcing providers."
The FCA considers an operational function as critical if a defect or failure in its performance would materially impair the continuing compliance by a firm with the conditions and obligations of its authorisation, the regulatory system, or its financial performance, or the soundness or the continuity of its relevant services and activities.
FCA Enforcement action
Outsourcing provided by third party service providers is an area where the FSA, historically, and the FCA, currently, have been active. In May 2019, the FCA and PRA fined R. Raphael & Sons plc (“Raphaels”), a retail bank, approximately £775,000 and £1,100,000 respectively for failing to manage its outsourcing arrangements properly. Despite this case being approximately a year old, it is worth carefully reconsidering for three reasons. First, the parallels that can be drawn to the situation presented by COVID-19 are highly relevant. The failings are in the context of the operation of outsourced critical services during a disruptive event. Second, it is a potential signpost of how the FCA may proceed in any action taken. Third, it provides a practical insight into the FCA's expectations.
In short, Raphaels' Payment Services Division relied on outsourced service providers to perform certain functions that were critical to the operation of its card programme. Raphaels failed to have adequate processes to enable it to understand and assess the business continuity and disaster recovery arrangements of its outsourced service providers - particularly how they would support the continued operation of its card programmes during a disruptive event. The absence of such processes posed a risk to Raphaels’ operational resilience and exposed its customers to a serious risk of harm. These risks in fact crystallised, when a technology incident occurred at a card processor. The incident caused the complete failure of the authorisation and processing services it provided to Raphaels and lasted over eight hours.
Raphaels’ specific failings in relation to the incident resulted from deeper flaws in its overall management and oversight of outsourcing risk from Board level down. These included: a lack of adequate consideration of outsourcing within its Board and departmental risk appetites, the absence of processes for identifying critical outsourced services and flaws in its initial and on-going due diligence of outsourced service providers.
Points for reflection
Building on the FCA publications in this area and wider thinking, firms may wish to reflect on the following when considering their outsourcing relationships with third party service providers:
- Operational risk:
- Is the firm's contingency plan functioning as expected? If not, have the issues been resolved? Have they been resolved with customers and the broader public interest in mind?
- Is the firm comfortable with the current position of those it is outsourcing to?
- Has due diligence been done on those who may be outsourced to and is there adequate oversight of the outsourced relationship? For example, are there sub-outsourcing relationship?
- Has an assessment based on 'public interest impact' been undertaken? That is, an assessment of how disruption to these services could cause harm to their customers (retail and wholesale) or market integrity.
- Is the firm's culture as attuned as its relevant policies and procedures in dealing with such issues?
- Is the firm considering terminating non-critical outsourcing relationships? If so, has consideration been given to the potential regulatory, litigation and public interest spill over effects?
- People risk:
- Which senior manager is responsible for outsourced activity?
- What are they doing to mitigate outsourcing risk? How are they evidencing this?
- Legal Risk:
- In light of a firm's GDPR responsibilities, how is data that is outsourced treated?
- Has consideration been given to potential data breaches in outsourced relationships?
Conclusion
In December 2019, Megan Butler, the FCA's Executive Director of Supervision – Investment, Wholesale and Specialist, said in a speech to TISA's Operational Resilience Forum that: "our starting point is the premise that operational disruptions happen…the outcomes we are seeking are more focussed on the continuity of supply of the financial products and services…Even in the event of severe operational disruptions." COVID-19 is for most businesses probably a severe operational disruption. Given the FCA's outcomes based approach and explicit expectations, is your firm aware of its outsourcing risks, where ultimate regulatory responsibilities lie and what action, if any, needs to be taken in the short and long term? In light of COVID-19, the FCA's expectations on contingency plans and its active evaluation of them, we expect we may be seeing some disciplinary outcomes in relation to them in years to come.