Eze Castle Integration

Hedge IT Blog

Financial Conduct Authority's Dear CEO Letter: UK Cloud Summit Recap, Part 2

By Kulvinder Gill,
Tuesday, May 20th, 2014

We’re back for Part Two of our UK Cloud Summit seminar recap. Last week on Hedge IT, we explored connecting to the cloud. In today's article, we will dive into the most talked-about UK regulation: the Financial Conduct Authority’s (FCA) Dear CEO letter. We will cover how the letter affects IT outsourcing and the steps firms can take to mitigate service provider risk and adhere to the Dear CEO letter guidance.

The “Dear CEO” letter was issued in December 2012 to all UK asset managers and expressed concern about the endemic outsourcing risk in the sector, particularly around asset managers having effective business continuity plans (BCP) and exit strategies in place with their service providers in the event of service provider failure.

Since the letter was issued, the FCA has asked firms to demonstrate that they have a clear handle on what they outsource and why, a full understanding of the potential impacts of failure, and contingency plans that are viable, robust, and realistic.

The UK regulator's primary focus to date has been on asset managers outsourcing middle and back office functions to service providers, but this could soon be extended to IT service providers, too, since a large number of firms are outsourcing a substantial amount of their technology to IT providers.

Both regulators and investors want to see managers conduct rigorous operational due diligence on their service providers. Below is a list of outsourced risks, failure assessments and mitigation approaches for asset managers:

  • Sourcing Strategy: Firms should articulate a clear and concise sourcing strategy and this should include their contingency approach

  • Service Provider Exposure: Firms must know their overall exposure to providers

  • Impact Assessment: The business impacts of a provider failure must be understood and firms must have responses to failure prepared

  • Contingency Planning: Firms must have a defined contingency plan

  • Service Provider Selection Criteria: Firms must evaluate if the provider maintains contingency plans or disaster recovery plans

  • Contract Review: Contracts may well need revision to update exit terms and provide for exit plans for potential failure situations

  • Risk Monitoring: Establishing a set of forward-looking financial and non-financial indicators (KRIs) and trigger points will be a useful adjunct to existing service indicators (KPIs) and help provide early warning of possible failure or disruption
