Raphaels Bank fine highlights the consequences of outsourcer service failures
The £1.89m fine levied by the PRA and FCA against Raphaels Bank highlights the importance of robust and effective management of outsourcing arrangements and the consequences of getting things wrong in this area.
Background
Raphaels engaged outsource service providers to provide services to its Payment Services division, including the management of its card programmes and the authorisation of payment transaction requests from card payment systems. On Christmas Eve 2015, a technology incident at a card processor providing services to Raphaels led to the complete failure of all services it provided to Raphaels for three of its card programmes. The incident lasted for over eight hours and resulted in nearly 3,500 of Raphaels’ customers being unable to use their prepaid cards and charge cards in this time. In total some 5,356 transactions – including a mixture of POS, ATM and online transactions – could not be authorised. The aggregated value of the transactions was just over £550,000.
The FCA, in its final notice in relation to the case, stated:
“The cause and duration of the incident reflected shortcomings in Raphaels’ understanding of the business continuity and disaster recovery arrangements of the card processor. The Firm had no adequate processes for capturing and assessing information regarding these arrangements, particularly how they would support the continued operation of the card programmes during a disruptive event.”
The FCA also noted that Raphaels’ lack of any understanding of these business continuity arrangements, and the absence of adequate processes for capturing and assessing information about these arrangements, “exposed the Firm and its customers to a serious risk of harm” and that because “Raphaels was unaware of the risk, it could take no steps to manage or mitigate it.”
These failings in relation to the IT incident resulted from deeper flaws in Raphaels’ governance of its outsource service providers and are yet another example of the importance of having robust governance and oversight processes in place to ensure that outsourcing arrangements are properly and effectively managed.
The FCA also identified a number of shortcomings in Raphaels’ outsourcing policy including:
- Failure to provide a process for identifying ‘critical’ outsourced services and functions
- Failure to establish a risk tolerance threshold for the outsourcing of critical services and functions
- The absence of any guidance for the Bank’s staff on how to apply the requirements of SYSC 8 of the FCA Handbook in practice
Business context
Outsourcing plays a key role in the delivery of financial services products to end customers. When managed effectively, outsourcing can deliver an improved customer experience whilst also resulting in products being cheaper for end consumers due to the cost savings and efficiencies achieved by the provider of those products.
However, as regulators have long pointed out, outsourcing also introduces new risks which, if not managed effectively, can result in poor outcomes for consumers and even the total failure to deliver the very products and services which are the subject of the outsourcing arrangement.
EBA Guidelines on Outsourcing
The FCA’s and PRA’s findings in this case are an important reminder of the need for robust and effective management of outsourcing arrangements. They are also timely given the new outsourcing guidance issued by the European Banking Authority which comes into effect in September 2019.
Financial services institutions in the EEA will need to ensure that any new outsourcing arrangements entered into on or after 1st October 2019 adhere to these guidelines. Firms will also need to begin the process of reviewing existing outsourcing arrangements against the guidelines, with a view to ensuring that these are compliant with the guidelines by 31st December 2021.
The EBA guidelines provide additional clarity on the standards expected of financial services firms in the management of their outsource relationships, including governance requirements and the establishment of an effective outsourcing policy. The Raphaels case provides a timely reminder of some of the areas firms need to consider in this respect; this is particularly true when the level of the fine is considered in the context of the relatively small number of impacted customers and transactions. We will be discussing the EBA guidelines and their implications for financial services customers and suppliers at our roundtable seminar on 4 July 2019. Please click here to register your interest in attending.
Key questions to ask
Effective management of outsource relationships arguably begins with firms remembering that, as regulators have stated repeatedly, it is possible to outsource an activity but not the responsibility for that activity. Against this background, firms need to ask a number of questions and ensure their outsourcing contracts, governance arrangements, systems and controls take adequate account of the answers:
- Do you understand the risks involved in the outsourcing of this particular area of operations, and have you implemented appropriate measures to manage and mitigate those risks?
- Are the reporting arrangements and management information you receive from your outsource service providers sufficient to enable the identification of new or emerging risks, or risks which have or may be about to crystallise?
- Do you have an effective outsourcing policy in place providing practical guidance on the application of the regulatory outsourcing requirements, and which is based on the importance and business criticality of the outsourcing contract?
- Do you have clearly documented incident escalation and resolution plans in place, including, where applicable, plans to bring activities back in house?
- What business continuity and disaster recovery plans do your outsource providers, and their supply chain, have in place, and are you satisfied that these will avoid disruptions in the provision of services to your clients and the delivery of poor outcomes to them?
- Are your contractual arrangements with outsource service providers adequately documented? Do they provide a formal framework for all of the above, including rights of audit to enable you to verify that your outsource service provider has the necessary systems and controls in place?
How Kemp Little can help
We work with a variety of clients on their outsourcing contracts. Our team brings a wealth of knowledge and experience on:
- The drafting and negotiation of outsourcing contracts;
- Drafting of internal policies and procedures covering outsourcing service provider selection, management and oversight; and
- Reviews of regulatory compliance arrangements, including governance and outsourcing provider oversight.
To register for our upcoming roundtable seminar on the new EBA guidelines on outsourcing, please click here.