SYSC 13.9 Outsourcing
As SYSC 3.2.4 G explains, a firm cannot contract out its regulatory obligations and should take reasonable care to supervise the discharge of outsourced functions. This section provides additional guidance on managing outsourcing arrangements (and will be relevant, to some extent, to other forms of third party dependency) in relation to operational risk. Outsourcing may affect a firm's exposure to operational risk through significant changes to, and reduced control over, people, processes and systems used in outsourced activities.
Firms should take particular care to manage material outsourcing arrangements and, as SUP 15.3.8 G (1)(e) explains, a firm should notify the appropriate regulator when it intends to enter into a material outsourcing arrangement.
A firm should not assume that because a service provider is either a regulated firm or an intra-group entity an outsourcing arrangement with that provider will, in itself, necessarily imply a reduction in operational risk.
Before entering into, or significantly changing, an outsourcing arrangement, a firm should:
- (1) analyse how the arrangement will fit with its organisation and reporting structure; business strategy; overall risk profile; and ability to meet its regulatory obligations;
- (2) consider whether the agreements establishing the arrangement will allow it to monitor and control its operational risk exposure relating to the outsourcing;
- (3) conduct appropriate due diligence of the service provider's financial stability and expertise;
- (4) consider how it will ensure a smooth transition of its operations from its current arrangements to a new or changed outsourcing arrangement (including what will happen on the termination of the contract); and
- (5) consider any concentration risk implications such as the business continuity implications that may arise if a single service provider is used by several firms.
In negotiating its contract with a service provider, a firm should have regard to:
- (1) reporting or notification requirements it may wish to impose on the service provider;
- (2) whether sufficient access will be available to its internal auditors, external auditors or actuaries (see section 341 of the Act) and to the appropriate regulator (see SUP 2.3.5 R (Access to premises) and SUP 2.3.7 R (Suppliers under material outsourcing arrangements));
- (3) information ownership rights, confidentiality agreements and Chinese walls to protect client and other information (including arrangements at the termination of the contract);
- (4) the adequacy of any guarantees and indemnities;
- (5) the extent to which the service provider must comply with the firm's policies and procedures (covering, for example, information security);
- (6) the extent to which a service provider will provide business continuity for outsourced operations, and whether exclusive access to its resources is agreed;
- (7) the need for continued availability of software following difficulty at a third party supplier;
- (8) the processes for making changes to the outsourcing arrangement (for example, changes in processing volumes, activities and other contractual terms) and the conditions under which the firm or service provider can choose to change or terminate the outsourcing arrangement, such as where there is:
  - (a) a change of ownership or control (including insolvency or receivership) of the service provider or firm; or
  - (b) significant change in the business operations (including sub-contracting) of the service provider or firm; or
  - (c) inadequate provision of services that may lead to the firm being unable to meet its regulatory obligations.
In implementing a relationship management framework, and drafting the service level agreement with the service provider, a firm should have regard to:
- (1) the identification of qualitative and quantitative performance targets to assess the adequacy of service provision, to both the firm and its clients, where appropriate;
- (2) the evaluation of performance through service delivery reports and periodic self certification or independent review by internal or external auditors; and
- (3) remedial action and escalation processes for dealing with inadequate performance.
In some circumstances, a firm may find it beneficial to use externally validated reports commissioned by the service provider, to seek comfort as to the adequacy and effectiveness of its systems and controls. The use of such reports does not absolve the firm of responsibility to maintain other oversight. In addition, the firm should not normally have to forfeit its right to access, for itself or its agents, to the service provider's premises.
A firm should ensure that it has appropriate contingency arrangements to allow business continuity in the event of a significant loss of services from the service provider. Particular issues to consider include a significant loss of resources at, or financial failure of, the service provider, and unexpected termination of the outsourcing arrangement.