FCA publishes regulatory checklist for banks thinking about outsourcing IT services

Out-Law News | 31 Jul 2014 | 10:41 am | 3 min. read

Banks should assess the financial viability of technology suppliers, whether the outsourcing of IT services can achieve necessary interoperability and data security, and think about how they will retrieve their data when exiting from IT outsourcing contracts, the City regulator has said.

The considerations are among those listed in a new non-exhaustive checklist produced by the Financial Conduct Authority (FCA) for banks to refer to when thinking about using third party technology to deliver critical services.

IT contracts expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said by publishing its checklist the FCA is taking a new approach to how it oversees sourcing in the banking sector.

"In the past the FCA has largely stuck to its core set of rules around sourcing, particularly when it comes to banks that are subject to MiFID," McFadyen said. "This new approach shows it taking a much more holistic view of the issues that, in practice, should be covered by banks from a good practice procurement perspective rather than just a regulatory perspective. This is aligned with the approach taken by other regulators around the world, such as the OCC in the US with its extensive vendor management guidance."

"If I were a regulated firm, be I a bank or not, I would look at how this checklist can be applied to other procurements I am running as through it the FCA is clearly setting a standard that it expects firms to meet," he said.

When banks outsource the delivery of critical banking services to suppliers they are required to adhere to a number of regulatory obligations and must notify the FCA before implementing those arrangements.

In the paper containing its checklist of issues banks should consider before entering into critical technology outsourcing agreements (6-page / 126KB PDF), the FCA outlined what it hopes banks will achieve in complying with their regulatory duties.

In particular it said that banks should look to ensure that, at the time of an FCA authorisation, the IT services they are outsourcing "are effective, resilient and secure and have been appropriately designed to meet expected future as well as current business needs so as to avoid risks to our objectives".

Banks must also be able to "provide reasonable assurance" that each outsource service provider (OSP) "will deliver its services effectively, resiliently and securely" and must have "appropriate arrangements" in place to ensure "on-going oversight" of its OSPs and "the management of any associated risks such that the firm meets all its regulatory requirements".

"Above all, a regulated firm should be clear that it retains full accountability for discharging all of its regulatory responsibilities," the FCA said. "It cannot delegate any part of its responsibility to a third party."

The checklist recommends that banks ask themselves a number of questions before deciding to enter into critical IT outsourcing arrangements. It said banks should consider whether there is a "clear business case or rationale" to support a decision to outsource and whether the decision has taken account of "the business risks associated with use of third parties".

Banks should also assess technical issues, such as whether the IT solutions being provided can be tailored to the banks' requirements and whether the banks' data can be "readily extracted from a service provider’s systems and downloaded to a firm’s own systems".

The financial viability of OSPs, the interoperability of OSPs' systems with other suppliers' systems and the banks' own, compliance with data protection laws, incident management, and ownership of intellectual property rights when changes are made to the way the technology is provided are just some of the other issues banks should consider before entering into outsourcing agreements, the FCA said.

The regulator also stressed the importance of good governance by banks over their technology suppliers and recommended that banks put in place an "exit plan" for when their IT contracts with suppliers are due to come to an end.

"[Banks should ask themselves how they will] transition to an alternate service provider; get its data back; [and how] the data [will] be removed from the service provider’s systems [at the end of a contractual relationship]," the FCA said.

Technology law expert Luke Scanlon of Pinsent Masons said: "This checklist will prove helpful in focussing organisations on the key issues that arise in any technology procurement or development as seen from the regulator’s perspective. In my view though, the FCA could have placed more emphasis on the importance of particular issues, for example – incident management."

"Following Waking Shark II which highlighted that many are still confused about which regulators to report to when, the checklist could be seen as underselling the importance of comprehensively dealing with all issues that arise in the event of a data breach or security incident," he said.