Updated UK regulatory guidance around IT and data services outsourcing
The UK conduct regulator (FCA) has published new guidance covering its requirements and expectations of firms that use and rely on external providers for information technology (IT) solutions, architectures and related ancillary services, e.g. the use of the ‘Cloud’ for data access, storage and retention. This applies equally to outsourcing involving other internal entities, for example of an intra-Group nature, and to unconnected external partners and organisations.
Firms will often outsource a range of functions, but although duties may be delegated on a day-to-day basis, the regulated firm always remains fully responsible and accountable for discharging its own regulated responsibilities. A level of proportionality in arrangements and controls will nonetheless be expected, reflecting the importance, materiality or criticality of the function(s) or duties actually being outsourced, assessed on a case-by-case basis.
This finalised guidance (see FCA FG 16/5) follows consultation in late 2015, and covers a range of operational, governance and practice issues and aspects, including (but not limited to):
- Robust contractual obligations and relationship-management including any selection, appointment, and sub-contracting arrangements directly impacting supply and/or service standard commitments and liabilities
- Risk-management considerations and monitoring expectations, such as the risks and exposures posed by reliance being ‘concentrated’ with any entity or organisation
- Effective access and risk controls/reporting in regard to business premises and systems, and also outsource management and associated data centres
- Jurisdictional and cross-border provisions and implications involved with data processing, storage, access and management
- Contingency planning in respect of service disruption, failure and relationship exit
The guidance has been specifically designed to assist all FCA authorised firms in meeting the regulator's ongoing expectations as to the effective oversight of every stage of the life-cycle of an outsource arrangement, from appointment to exit/termination. It is also intended to provide and encourage a practical working framework to facilitate future innovation and competition in the interest of UK consumers. For firms, this feedback to the UK industry now provides the likely basis for the measures and risk management features that the FCA will want to focus on during future supervisory and/or thematic review work around this topic.
One area where such technology considerations, and electronic systems and interfaces, can practicably cross over many industry sectors and mechanisms for market delivery, access, distribution and service administration relates to underlying payment systems. In this regard, the UK of course already has a specific Payment Systems Regulator (PSR) operating alongside the FCA structure, and a Memorandum of Understanding (MoU) between the constituent regulatory agencies, the Bank of England (PRA), the FCA and the PSR, has now been updated for the first time. This establishes the high-level framework for these agencies to share information and co-operate on common matters relating to UK payment systems.