From SYSC8 due diligence to Data Security, Disaster Recovery and Financial Crime, IP Sentinel has the answer
What is the Regulatory Framework for IT Outsourcing?
The FCA places specific requirements on regulated entities under its supervision. The requirements are stated in the broad-based principles of the FCA, as set out in the FCA Handbook, and further requirements are set out in specific sourcebooks in the Handbook.
Under the guiding principles, managing and maintaining your IT systems (including email, file storage, archives, backups, instant & SMS messaging etc.) falls under Principle 2 (‘a firm must conduct its business with due skill, care and diligence’) and Principle 3 (‘a firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems’) of the FCA Handbook. The principles are generic and designed to guide behaviour rather than be prescriptive rules to be followed. However, to reinforce the principles, the FCA maintains a set of sourcebooks that contain a set of rules, each such rule being defined as ‘required’ or merely ‘guidance’. In terms of IT, the appropriate sourcebook is Senior Management Arrangements, Systems and Controls, or SYSC. SYSC “amplifies” Principle 3 and is intended to ensure that the systems and controls applied in a business are appropriate to the business being undertaken.
So can I outsource?
Short answer: YES
Under SYSC 8.1 General Outsourcing Requirements, the FCA sets out the rules under which a Regulated Entity may outsource a Function to a third party, and the manner in which the arrangement is instantiated and maintained. After the FCA's “Dear CEO” letter in late 2013 it is clear that Information Technology is a Function that is governed by these rules.
You always keep the Responsibility
The primary outsourcing precept, described in SYSC 8.1.6, is that whilst the FCA allows for outsourcing the delivery of a Function, it insists that the responsibility for that Function always remains with the Regulated Entity.
Comprehensive and regular Due Diligence is mandatory
SYSC 8.1.7 sets out that a Regulated Entity must “exercise due skill and care and diligence when entering into, managing or terminating any arrangement”. This means that a firm has to have a clear idea of what it is outsourcing and of the boundary between delivery and responsibility, in a range of areas that may not be within the core skill of the firm. Information Technology often falls into this area.
The due diligence required to understand what services are being offered, the capabilities and the ongoing business model of the chosen Information Technology outsource supplier is a highly domain-specific activity. The ongoing management of an outsourced Function requires that a Regulated Entity have a close understanding of what the outsource provider does, to ensure that all of the Regulated Entity's responsibilities are being serviced sufficiently.
You must know and manage what you are outsourcing
SYSC 8.1.8 defines in greater detail what a Regulated Entity must provide for in an outsourcing arrangement. Meeting the detailed requirements as listed is almost impossible without a significant degree of Information Technology skill, either contracted in to assist or existing among the staff of the Regulated Entity.
Meeting the Regulations as set out in SYSC 8.1 is a non-trivial exercise. It certainly is not a case of getting three quotes and choosing the middle one. The due diligence process to choose a vendor, and the ongoing management of that vendor, is a task that requires a high level of domain experience.