FCA Issues Guidance on IT Outsourcing

The Financial Conduct Authority (‘FCA’) has historically been rather Delphic about the status of Information Technology (‘IT’) in regard to the SYSC and COBS rules. The language in the rule books describes “systems” and “processes” but is not specific about how they are implemented or the platform on which they exist.

For instance, Record Keeping (SYSC 9.1) requires that all business-related records are kept for a minimum of five years; this is defined as a critical operational function and is subject to the General Outsourcing (SYSC 8.1) rules should it be outsourced. However, SYSC 9.1 does not state that the IT systems, without which the critical function cannot be delivered, are therefore also a critical function.

Typically, Information Technology in regulated firms is, depending on the size of the organisation, given to the lowest bidder or the founder’s nephew. This is because IT is perceived as not being a regulated function. Given this, the processes by which it is outsourced and managed are not as rigorous as those for, for example, Fund Administration or Portfolio Management. Those services have always been considered critical, so their outsourcing is governed by the General Outsourcing (SYSC 8.1) rules, which are generally followed by firms outsourcing those functions.

However, it is patently absurd to think that large swathes of the SYSC and COBS rules can be critical operational functions while the underlying IT that delivers them is not. How would a firm do Business Continuity (SYSC 4.1.7) without IT systems, data backups, telephones, etc.? It is not possible to do compliance (SYSC 6.1.4) unless the compliance function can monitor a firm’s email and file storage systems. Detecting financial crime (SYSC 3.2.6 and SYSC 6.1.1) is difficult, if not impossible, without access to call records, emails, databases, CRM systems, instant messaging and website access logs.

The FCA has recognised this issue and has provided guidance in a note entitled “Considerations for firms thinking of using third-party technology (off-the-shelf) banking solutions”.

The key point is made in the introduction of the document:

“Where a third-party service is critical to a regulated firm’s business operations, the service provider will be regarded as an outsource service provider (OSP) and the regulated firm is subject to a series of regulatory obligations.”

Note that the FCA makes clear this is to do with “business operations”, meaning how the entire business is managed, rather than “operational functions which are critical for…”, which is a much more specific set of processes.

So if you are a regulated entity that is outsourcing part or all of your IT, what does this mean for you?

It is all in SYSC 8, but these are the three main highlights:

A regulated firm should be clear that it retains full accountability for discharging all of its regulatory responsibilities. It cannot delegate any part of its responsibility to a third party.

For example, if a provider loses your email archive or data backups, it is still your responsibility to produce any records the FCA demands of you. You cannot fail to produce them and claim it was the archive vendor’s responsibility.

A regulated firm must exercise due skill and care and diligence when entering into, managing or terminating any arrangement with a service provider.

A pre-engagement due diligence process should be implemented and maintained for each service vendor. It needs to cover not only financial and service competence but also specific COND and PRIN related information about conflicts of interest, politically connected employees, pay policy, ongoing training, AML processes, dealing policy, and so on.

A regulated firm must establish appropriate arrangements for the ongoing oversight of its vendors and the management of any associated risks, such that the firm meets all its regulatory requirements.

This means that it is not good enough to outsource IT and let the vendor get on with it; a firm needs to retain enough competence to manage the outsource partner or vendor. The regulator expects a firm to understand how its outsourced IT is being delivered and whether it is actually being done in a way that is consistent with the regulations. The note itself asks: “Do the firm’s staff have the appropriate skills to perform the oversight role effectively?” Somewhat ironically, this is an area that may well also have to be outsourced, as most firms are traditionally light on IT experience.

So, in summary, if you, as a firm, outsource your IT – email, archiving, backup, portfolio management systems, customer relationship management, desktop support, telephones and voice recording, customer web-based reporting, and so on – you are subject to the regulations in SYSC 8.1.

If you would like any assistance regarding the implications of IT governance under the SYSC and COBS rule books, the SYSC 8 due diligence process, IT vendor review, IT vendor management or even FCA-compliant IT infrastructures, please contact James Hogbin at IP Sentinel – james@ip-sentinel.com – 01825 701870.