The FCA Is Reviewing Outsourcing as Part of Its Business Plan 18/19
As part of the FCA Business Plan 18/19, the FCA is currently reviewing the arrangements that firms have in place when outsourcing. It recently launched a discussion paper on the subject and aims to release proposals in late 2019.
The catalyst for the cross-sector review of outsourcing is the fact that 17% of breaches reported to the FCA were due to a supplier of a regulated firm, rather than the firm itself. This represents the second-highest root cause category of breaches! It is for this reason that a review has found its way into this year's Business Plan.
Most firms will already be aware of the requirements under SYSC 8 – Outsourcing, which can be summarised as:
Regulated firms remain accountable for the compliance of third-party suppliers
Outsourcing must not impact on the senior manager's accountability for the specific business function
The provider must maintain the relevant permissions and the outsourcer must ensure it is authorised for all activities the provider is undertaking on its behalf
Take reasonable steps to avoid undue operational risk, which usually consists of:
Due diligence checks prior to forming the relationship with the firm
A contract with strict SLAs as well as clauses allowing the firm to undertake periodic due diligence, auditing and access to information
Due diligence should ensure the firm has the resources and expertise to comply with the SLA
Quality assurance measures to measure performance of the firm with a clear process to ensure service improvement and mitigation of identified risks
Special consideration and protection should be in place where the outsourced operation is critical to the firm's delivery of its regulated service
Special arrangements for UCITS firms, such as ensuring suppliers providing advice to customers maintain records of telephone calls
The provider must co-operate with audits, quality assurance and directly with the FCA, if required. It is a good idea to include relevant contractual terms to ensure this happens
An exit plan should be in place in case the provider is unable to provide the service or the outsourcing firm finds reason to cease the service. Equally, firms must have a disaster recovery plan in place.
Firms completing the above should be comfortable that the review will not create major changes. However, the discussion paper does throw up an interesting question as to whether intra-group outsourcing will be in scope of the FCA rules.
Watch this space for a decision!