FCA Record Keeping – Are you sure you want to outsource that?

Posted in COBS 11.8, Regulation, Security, SYSC 8.1, SYSC 9.1, Virtual CTO

Is your firm compliant with the FCA regulations on Archiving?

Let’s imagine you’ve outsourced your IT to your preferred IT outsourcing provider and they have stated that they will provide a 7-year archiving service…

Is that any good to you? Probably not, unless you thoroughly understand your responsibilities and how your outsource provider intends to deliver the archiving service.

What are the regulations?

The key regulations are set out in SYSC 9.1 – General rules on record-keeping & COBS 11.8 – Recording telephone conversations and electronic communications.
If you have outsourced these functions to a 3rd party, then that outsourcing is governed by the regulations set out in SYSC 8.1.

SYSC 9.1 – General rules on record-keeping

A firm must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken by it, which must be sufficient to enable the appropriate regulator or any other relevant competent authority under MiFID or the UCITS Directive to monitor the firm’s compliance with the requirements under the regulatory system, and in particular to ascertain that the firm has complied with all obligations with respect to clients.

That’s pretty much everything done on a regulated firm’s systems.

Records need to be kept for at least 5 years. The records need to be easily accessible by the FCA, any corrections or amendments need to be tracked and versioned, and everything needs to be stored on an immutable (no alteration) medium.

COBS 11.8 – Recording telephone conversations and electronic communications

The scope of COBS 11.8 is focused primarily on the types of activities in which a firm or its personnel engage. The rule applies to a firm:

  • receiving, executing or arranging the execution of client orders;
  • carrying out transactions on behalf of the firm (proprietary trading);
  • executing or placing orders on behalf of a client (discretionary trading).

You should record any conversations or communication “intended to lead to the conclusion of an agreement” (COBS 11.8). However, general conversations about market conditions, corporate finance and treasury functions, and activities by service providers are exempted by COBS 11.8.9. The rule covers telephone recordings as well as “communications made by way of facsimile, e-mail and instant message devices” (COBS 11.8.7 Guidance). Any equipment provided by the firm, including mobile phones, BlackBerry devices, etc., is covered (COBS 11.8.5 R).

Records need only be kept for 6 months. The records need to be easily accessible by the FCA and stored on an immutable (No alteration) medium.

Anything else?

Yes. It is important to bear in mind the impact of SYSC 8.1 on how you arrange your archiving. You have the responsibility as a firm to maintain your records and calls as set out above. You are required to undertake and maintain ongoing due diligence on your provider, set up any relationship so that you can switch it to another provider with minimal impact and ensure everything is documented. This needs to survive any change in supplier or supplier bankruptcy.

What does that mean in practice?

If your outsource provider goes titsup.com, you still have the responsibility to provide the FCA access to your archive within a reasonable period. In this case you will face a negotiation with your provider’s liquidators, who may not honor the contract that you thought you had in place.

If your provider uses a 3rd party to deliver your archiving and call recording and they fall out with them, where do you stand if the 3rd party draws stumps and ceases to be a supplier to your outsourcing provider? Where is your data then?

If your outsource provider loses your data through a systems failure or outside attack, what do you tell the FCA?

How do we make sure we are compliant?

SYSC 8.1 requires that you understand what you are doing when you outsource something. If you do not, then get some assistance. (Plug – IP Sentinel can help you with this.) Ensure that any agreement is watertight with regard to the return of your data, and ensure that there is a documented process in place to make it happen. Ask to see any 3rd party contract your IT provider may be relying on. Consider some form of living will provisions for your IT outsource provider. Above all, think through all the bad things that could happen in your relationship with your provider and their systems, and in the relationships that they have with their providers and their providers’ systems. The FCA won’t care that a 3rd party to your 3rd party is having a bad hair day; in fact they will point to SYSC 8.1, say it’s your responsibility and that you need to do something about it PDQ.

If you have any questions about this topic then please call IP Sentinel on +441825701870