Make your IT Outsourcing FCA Compliant

Posted in IT Systems, Security, Virtual CTO

In my previous post, Is your IT Outsourcing arrangement FCA compliant?, I highlighted why your IT Outsourcing probably didn’t meet SYSC 8.1 or SYSC 9.1. In this post I set out what you would need to take into consideration.

Quick Recap

Under SYSC 8.1 General Outsourcing Requirements, the FCA sets out the rules under which a Regulated Entity may outsource a Function to a third party, and the manner in which that arrangement is established and maintained. After the FCA’s “Dear CEO” letter in late 2013 it is clear that Information Technology is a Function that is governed by these rules.

The primary outsourcing precept, described in SYSC 8.1.6, is that whilst the FCA allows for outsourcing the delivery of a Function, it insists that the responsibility for that Function always remains with the Regulated Entity.

You need due diligence at every stage

Furthermore, SYSC 8.1.7 sets out that a regulated entity must “exercise due skill and care and diligence when entering into, managing or terminating any arrangement”. This means that a firm has to have a clear idea of what it is outsourcing, and of the boundary between delivery and responsibility, in a range of areas that may not be within the core skills of the regulated entity. Information Technology often falls into this area.

If you don’t know how to do due diligence then you need to get the skills, or you will fall foul of the FCA.

The details

The meat of the issue is in SYSC 8.1.8, which defines in greater detail what a Regulated Entity must provide for in an outsourcing arrangement. It requires a Regulated Entity to take “the necessary steps to ensure that the following conditions are satisfied:”

(1) the service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;

This means that a Regulated Entity needs the skills to understand whether any given service provider is actually able to deliver what it is offering to supply. This implies that, as part of the outsourcing process, the firm has (or has hired) some domain expertise to assess the service provider.

(2) the service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider;

Note that the FCA requires the firm to establish these methods, which is difficult if a firm does not have any domain experience in Information Technology.

(3) the service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;

Most small Regulated Entities do not have an Information Technology staff member, but they are still required to supervise the service provider and check that it is doing the job properly.

(4) appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;

This requires that a Regulated Entity understands what an effective method of supplying Information Technology services looks like, and knows the appropriate action to take with an Information Technology provider that is not delivering it. The Regulated Entity must also be aware of any laws and rules that may apply to the outsource provider (including SYSC 9.1 and COBS 11.8.5).

(5) the firm must retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing, and must supervise those functions and manage those risks;

This clearly states that a Regulated Entity requires a degree of Information Technology skill in order to outsource its Information Technology department. If the business model is complex in Information Technology terms, then the Regulated Entity should maintain enough expertise in house to manage the outsourced risks.

(6) the service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;

Note that a Regulated Entity is required to understand the impact of any given disclosure. Without relevant domain understanding of Information Technology this would be almost impossible.

(7) the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;

Most Information Technology outsourcing arrangements are priced per user per month, with a systems approach that makes it near impossible to swap vendors. SYSC 9.1 Record Retention services and delivery are often held by a third party to the third party, and are therefore almost impossible to terminate, let alone move without detriment to service.

(8) the service provider must co-operate with the appropriate regulator and any other relevant competent authority in connection with the outsourced activities;

Most Information Technology providers are unregulated, and there is no competent authority that regulates the Information Technology services market.

(9) the firm, its auditors, the appropriate regulator and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the appropriate regulator and any other relevant competent authority must be able to exercise those rights of access;

This is often missed in Information Technology service contracts, or actively written out of them.

(10) the service provider must protect any confidential information relating to the firm and its clients;

As the FCA defers to the Information Commissioner in the UK, this means that any Information Technology service provider should be registered with the ICO and be bound by its terms on Data Protection.

(11) the firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.

This is covered by most Information Technology providers; however, it is important for a Regulated Entity to ensure that at least an annual test is included in the service.