
A Look at the FCA's IT Outsourcing Guidance for Financial Services Firms

By Zorela Georgescu | Thursday, May 26th, 2016

Financial services firms are increasingly interested in relying on third-party service providers to increase efficiency and benefit from industry expertise. As outsourcing has grown, however, regulatory bodies such as the Securities & Exchange Commission (US) and the Financial Conduct Authority (UK) have begun to evaluate outsourced relationships and provide guidance on how investment management firms should engage and manage these partnerships. In 2015, the FCA drafted a “guidance for firms outsourcing to the ‘cloud’ and other third party services.”

The document aims to ensure that risks associated with outsourcing are appropriately identified and managed. Thirteen key areas of consideration are highlighted below.

  1. Legal and Regulatory Considerations. In undertaking the due diligence process, an investment firm should consider and compare the operational risks associated with outsourcing to various providers (e.g. public vs private cloud) as well as any specific legal or regulatory obligations. Firms should identify and record contracts with all service providers, ensuring that compliance with any relevant requirements is maintained throughout the supply chain.

  2. Risk Management. Firstly, a firm must carry out a risk assessment to identify relevant risks. After comparing these risks with industry best practices as well as relevant regulatory rules, the firm must take steps to mitigate risk – including assigning responsibility for managing risk across the firm and externally across service providers. A firm should require in contracts prompt and detailed notification and remediation of breaches, as well as contingencies outlining what would result from a provider’s failure to remediate a breach.

  3. International Standards. Investment firms should consider any external assurance that has already been provided when conducting their own due diligence. External assurance may be more relevant to some firms than others: for example, firms in which the service accessed is relatively stable as well as uniform across the customer base.

  4. Oversight of a Service Provider. When it comes to relationships with service providers, firms should establish where responsibility and accountability begin and end. Managers should also allocate responsibility for the strategic management of service providers, ensuring that staff have sufficient skills and resources to oversee and test the outsourced activities, monitor and mitigate risk, and manage an exit or transfer from a third-party provider.

  5. Data Security. A firm should first identify its own appetite for risk, desired security exposure, and data sensitivity – similar to the risk analysis process typically associated with the development of a written information security plan. Firms should also exercise choice and control regarding the jurisdiction in which their data is stored, processed and managed, and should be familiar with providers’ data loss and breach notification processes.

  6. Data Protection Act of 1998. According to the FCA, firms should comply with the eight principles of the Data Protection Act (DPA), which is separate from the Financial Conduct Authority's own guidance. The DPA is overseen and regulated by the Information Commissioner’s Office (ICO). Therefore, firms should turn to the ICO’s guidance on cloud computing for relevant material.

  7. Effective Access to Data. It is critical for investment management firms to establish with key service providers the conditions for accessing data: for example, that notification requirements are reasonable and not overly restrictive, and that the firm may request to view its data an unlimited number of times. In the same spirit, firms should advise service providers that the regulator will not enter into a non-disclosure agreement with the service provider, but will treat any information disclosed in accordance with the confidentiality obligation set out in the Financial Services and Markets Act.

  8. Access to Business Premises. Firms and regulators alike can request onsite visits to relevant business premises if deemed necessary and required under applicable legal and regulatory requirements.

  9. Relationships Between Service Providers. In a complex network of suppliers, firms should review all sub-contracting arrangements and verify that they comply with the firm’s own regulatory requirements. A firm should especially consider security requirements and effective access to data and business premises even where it does not directly contract with an outsourced provider. Regulated firms should consider how service providers in their network relate to one another, and further, how a service provider’s services might interfere with the firm’s internal systems or other third-party systems. In these considerations, firms might consult The Contracts (Rights of Third Parties) Act 1999.

  10. Change Management. Firms should establish provisions for making future changes to technology service provision, as well as plan for the testing of changes.

  11. Continuity and Business Planning. A firm should devise a strategy for maintaining continuity of operations in the event that an unexpected disruption occurs. The strategy should include recovery as well as how recovery plans will be communicated. Regularly testing and updating the strategy is critical. Firms should also consider that disruptions could be caused by intentional cyber-attacks, and that these may compromise system availability.

  12. Resolution (where applicable). Services should be organized in such a way that they do not complicate the resolution or wind-down of the firm. The outsourced provider and any subcontractor should agree that neither the entry into resolution nor a subsequent change in control arising from the firm’s entry into resolution will result in a termination event. For firms where insolvency procedures will be used, services should be set up to support the rapid return of the firms’ deposits or client assets.

  13. Exit Plan. A firm should have exit plans and termination arrangements that are understood, documented and regularly rehearsed. In addition, a firm should anticipate how a transition to an alternate service provider would be carried out, obliging the current service provider to cooperate fully. A firm should know how to remove its data from a service provider’s systems upon exit, and should monitor concentration risk and consider what would happen should the outsourced provider fail to cooperate.

The FCA acknowledges that outsourcing to the cloud is a reality for today’s investment firms. The purpose of this particular guidance is to provide more specific direction for firms considering this type of outsourcing arrangement. The guidance, however, is not exhaustive, nor should it be read in isolation.
