The proposed guidance from the FCA for firms outsourcing to the Cloud is a ray of sunshine in a regulatory environment that is usually cast with the gloom of extra work and additional costs.
Nowadays, with financial institutions relying heavily on technology to provide them with a competitive advantage and to comply with regulation, the choice of outsource service providers is critical to a firm’s ability to operate and to continue in business.
Selection of a suitable outsource service provider is especially important to Senior Managers in the financial sector at a time when they are concerned about the new criminal offence relating to ‘a decision causing a financial institution to fail’, under which they could be imprisoned for seven years and/or receive an unlimited fine if their decision leads to the collapse of an institution.
Making the right decisions when outsourcing to the cloud and other third-party IT services can have serious consequences for the accountable individuals.
There is no doubt from the regulator’s perspective that a firm must appropriately identify and manage the operational risks associated with its use of third parties, including undertaking due diligence before making a decision on outsourcing. Regulated firms retain full responsibility and accountability for discharging all of their regulatory responsibilities and firms cannot delegate any part of this responsibility to a third party.
The good news is that if you choose to follow the guidance you are afforded a level of protection as:
‘The FCA will not take action against a person for behaviour that it considers to be in line with guidance, other materials published by the FCA in support of the Handbook or FCA-confirmed Industry Guidance, which were current at the time of the behaviour in question.’
Source: FCA Handbook DEPP 6.2.1(4)
The proposed guidance on ‘cloud’ vendors is not the complete answer to outsource service provider selection but it covers the key considerations, particularly in respect of a Request for Proposal (RfP) and the subsequent outsource agreement, under the headings:
- Legal and regulatory considerations
- Risk management
- International standards
- Oversight of service provider
- Data security
- Data Protection Act 1998
- Effective access to Data
- Access to business premises
- Relationship between service providers
- Change management
- Continuity and business planning
- Resolution (where applicable)
- Exit plan
The FCA reaffirms that the approach should be risk-based and proportionate, taking into account the nature, scale and complexity of a firm’s operations and the type of function being outsourced. To this end they provide useful definitions for determining if the function is considered critical or important, whether it is material outsourcing, or (for authorised payment institutions and authorised electronic money institutions) whether it relates to important operational functions.
In short, the proposed guidance is an excellent starting point that should be adopted by firms as it comprehensively covers all aspects of the contractual agreement. But there is more to effective vendor risk management, particularly in the cloud.
Other aspects to be considered involve the product or service itself, the commercials and the relationship.
The commercials are reasonably straightforward and at the end of the day they typically become a business decision about value for money and efficiency, but they can also be ludicrously one-sided around compensation for poor performance and must be properly thought through.
When it comes to the service and the relationship, outsourcing to a cloud solution brings its own distinct challenges. By definition the service could be provided from multiple locations around the globe. Consequently, the people responsible for providing the service may also be geographically distributed, even if the primary relationship is with one local Account Manager or Salesman. And all of this is before you start to consider the complexities of an outsource business model that sub-contracts or uses multiple service providers.
Today, performing due diligence in the form of a targeted site visit to see for yourself exactly how operations are performed, how security is maintained or how service is delivered, can be difficult and costly. This becomes an ongoing challenge for auditors and regulators and a greater reliance may be placed upon third party assessment and international standards accreditation.
Over the coming months, Mavintree and Corix Partners, together with other associates, will continue to explore the challenges of vendor risk management in a series of articles and events, in line with the publication of the final FCA guidance on cloud outsourcing.
At time of posting, Rick Warley, Managing Director of Mavintree Limited.
Mavintree was a management consultancy firm specialising in operational risk, business continuity and crisis management.
The opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.