short lines

A BALANCE OF RISK: OUTSOURCING AND FINANCIAL SERVICES

February 2004

Financial services regulators are interested in operational as well as financial risks. Financial institutions are becoming ever more complicated. Pressures on costs have seen many business processes transferred to external providers. New services have emerged with novel contractual structures.

FS regulation is in a transition phase at all levels. Soon, there will be new capital adequacy requirements at international and European levels (Basel II: the New Capital Accord; and CAD3: the Capital Adequacy Directive) including requirements to account for operational (in addition to credit and market) risks.

For all these reasons, as outsourcing arrangements replace direct management control the contractual arrangements of firms the FSA supervises will be an increasing area of its focus.

Background

Under the Financial Services and Markets Act 2000 (" FSMA "), the FSA regulates deposit takers (including Banks and Building Societies); insurers (including Lloyds); investment companies and others conducting regulated activities in the UK (" Regulated Firms ").

The FSA applies its handbook (the " Handbook ") which includes sourcebooks containing rules and guidance, and manuals containing compliance procedures. These are the subject of ongoing consolidation (Consultation Paper 97) which will lead to an Integrated Prudential Sourcebook for all firms.

Under Consultation Paper 142 (" CP142 "), the FSA has specifically consulted on its rules and guidance for the management of operational risk: "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events" (Basel II). These will apply to many outsourcings and services contracts.

The latest draft of Chapter 3A - Operational Risk: Systems and Controls (" SYSC 3A ") issued under CP142 in October 2003, deals with the internal operations of Regulated Firms (IT, people, security etc) and will form a new chapter in the Senior Management, Systems and Controls (SYSC) sourcebook.

Previously outsourcing was only covered in the Interim Sourcebooks for Banks and Building Societies. Section 7 of SYSC 3A (the " Guidelines ") will apply this guidance to all Regulated Firms. The FSA hopes to implement the final text on 31 October 2004 .

The background Principles and Rules

The Handbook provides general rules issued under s138 FSMA. The primary obligations with which every Regulated Firm should comply are set out in Section 2.1.1R of the Principles for Business sourcebook (the " Principles ") and the Threshold Conditions sourcebook.

Principle 3 of the Principles requires a firm to " take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems ". More specifically in the SYSC sourcebook, Section 3.1.1R requires firms to take reasonable care to establish and maintain such systems and controls as are appropriate to its business. The new chapter SYSC3A is aimed at providing detailed guidance on compliance with Section 3.1.1R in so far as it relates to operational risk.

The consequences of breaching a rule allow the FSA to impose sanctions such as fines and public censure and ultimately withdraw a firm's authorisation to conduct regulated business. It can also give personal rights of action for breach of a statutory duty. However, it is not an offence, nor does it make a transaction void or unenforceable.

The FSA's General Approach

The Guidelines are only guidance (issued under s157 FSMA) and are not directly enforceable. They are not prescriptive but are more a non-exhaustive list of what the FSA considers to be good practice. It is for Regulated Firms to judge how the Guidelines should be followed, which will vary depending on the business type and the size and impact of the outsourcing project.

The Guidelines apply to all "outsourcings": i.e. "the use of a person to provide customised services to a firm". Importantly, this covers all forms of service provision rather than just the traditional outsourcing model where an existing business function is transferred to a supplier. Importantly this is likely to mean that ASP arrangements may be caught including those for the supply of underwriting systems and trading platforms and other FS products.

The Guidelines can be considered in two parts: pre-supplier selection and post-supplier selection.

Pre-Supplier Selection

At the outset of an outsourcing project the Guidelines suggest Regulated Firms should put in place an appropriate project management structure defining the planning, approval and implementation process with roles and responsibilities for project team members.

If the project is a 'material outsourcing' then the firm should notify the FSA of its intention to outsource. Material outsourcings are those of such importance that " weaknesses, or failure of the services would cast serious doubt upon the firm's continuing satisfaction of the Threshold Conditions or compliance with the Principles". What is "material" will depend on the business and must be determined case by case by the Regulated Firm itself rather than the FSA.

Notification to the FSA should occur at the same time as the firm sends out its ITT /RFP to potential suppliers. While this is not prescribed in the Guidelines, it is advisable to involve the FSA as early as possible to begin the dialogue with them.

As part of their initial review of the proposed arrangement the Guidelines suggest Regulated Firms should analyse the impact of the arrangement on their overall risk profile and business strategy including the continuing ability to meet their regulatory obligations. The Guidelines suggest this also happens on a regular ongoing basis since the risk profile is likely to vary at different stages of the life cycle of the outsourcing arrangement.

The Guidelines also suggest that Regulated Firms carry out due diligence on the potential supplier's financial stability and expertise. This should include how it would transition the service from the current arrangements to the supplier and what ability the supplier has to ensure business continuity and generally manage operational risks.

Post Supplier Selection

The Guidelines provide a list of provisions to be considered when drafting and negotiating the contract with the supplier. Most of these are things that one would expect to see in any outsourcing agreement (e.g. relationship management; information ownership and confidentiality; adequate guarantees and indemnities; business recovery and continuity arrangements; change management; termination rights and exit management).

Of primary importance for material outsourcings, is the requirement for the FSA to be granted the right to access the supplier's premises during reasonable business hours, whether or not on notice and for Suppliers to be required to deal with the FSA in an open and co-operative way. (Sections 2.3.5R and 2.3.7R of the Supervision manual respectively.)

The Guidelines raise three main points on appropriate relationship management frameworks: (1) defining clear service levels with both qualitative and quantitative performance targets; (2) continuously monitoring performance through a series of self-certification and internal and external review (i.e. by the firm's auditors and by independent benchmarking); and (3) implementing an effective remedial and escalation process in the event of poor performance.

The final consideration suggested in the Guidelines concerns managing business continuity if the supplier suffers a significant loss of service, gets into financial difficulties or if there is an unexpected termination of the outsourcing arrangement.

Conclusion

The Guidelines are a useful addition to the Handbook. Not only are they a good practice checklist for every outsourcing project, whether 'material' or not, having adequate systems and procedures to comply with them is likely to reduce a Regulated Firm's capital adequacy requirements when Basel II and CAD3 come into force. With the date for implementation of the Guidelines soon approaching, institutions should look now at making sure they have the systems and processes in place to manage outsourcing projects as the FSA would like them to.

Jim Leason

Useful URLs:-

The FSA's website: http://www.fsa.gov.uk/
Consultation Paper 142: Operational Risk Systems and Controls: http://www.fsa.gov.uk/pubs/cp/cp142.pdf
The Basel Committee on Banking Supervision Website: http://www.bis.org/bcbs/