SYSC 8.1 General outsourcing requirements
[Note: ESMA has also issued guidelines under article 16(3) of the ESMA Regulation covering certain aspects of the MiFID compliance function requirements. See
http://www.esma.europa.eu/content/Guidelines-certain-aspects-MiFID-compliance-function-requirements
.]
Application to a common platform firm
7For a common platform firm:
- (1)
the MiFID Org Regulation applies, as summarised in SYSC 1 Annex 1 3.2G, SYSC 1 Annex 1 3.2-AR and SYSC 1 Annex 1 3.2-BR; and
- (2)
the rules and guidance apply as set out in the table below:
Subject
Applicable rule or guidance
General requirements
Application to an MiFID optional exemption firm and to a third country firm
7For a MiFID optional exemption firm and a third country firm:
- (1)
the rules and guidance in this chapter apply to them as if they were rules or as guidance in accordance with SYSC 1 Annex 1 3.2CR(1); and
- (2)
those articles of the MiFID Org Regulation in SYSC 1 Annex 1 2.8AR and 3.2CR apply to them as if they were rules or as guidance in accordance with SYSC 1 Annex 1 3.2CR(2).
General requirements
1A common platform firm must:
-
(1)
when relying on a third party for the performance of operational functions which are critical for the performance of regulated activities, listed activities or ancillary services (in this chapter "relevant services and activities") on a continuous and satisfactory basis, ensure that it takes reasonable steps to avoid undue additional operational risk; and7
-
(2)
not undertake the outsourcing of important operational functions in such a way as to impair materially:
- (a)
the quality of its internal control; and
- (b)
the ability of the FCA7 to monitor the firm's compliance with all obligations under the regulatory system and, if different, of a competent authority to monitor the firm's compliance with all obligations under MiFID.
- (a)
The application of SYSC 8.1 to relevant services and activities (see SYSC 8.1.1 R (1)) is limited by SYSC 1 Annex 1 (Part 2)2 (Application of the common platform requirements).
2SYSC 4.1.1 R requires a firm to have effective processes to identify, manage, monitor and report risks and internal control mechanisms. Except in relation to those functions described in SYSC 8.1.5R and (for a common platform firm in article 30(2) of the MiFID Org Regulation)7, where a firm relies on a third party for the performance of operational functions which are not critical or important for the performance of relevant services and activities (see SYSC 8.1.1 R (1)) on a continuous and satisfactory basis, it should take into account, in a manner that is proportionate given the nature, scale and complexity of the outsourcing, the rules in this section in complying with that requirement.
2For the purposes of this chapter an operational function is regarded as critical or important if a defect or failure in its performance would materially impair the continuing compliance of a firm (other than a common platform firm)7 with the conditions and obligations of its authorisation or its other obligations under the regulatory system, or its financial performance, or the soundness or the continuity of its relevant services and activities.
For a UCITS investment firm and without7 prejudice to the status of any other function, the following functions will not be considered as critical or important for the purposes of this chapter:
-
(1)
the provision to the firm of advisory services, and other services which do not form part of the relevant services and activities of the firm, including the provision of legal advice to the firm, the training of personnel of the firm, billing services and the security of the firm's premises and personnel;
-
(2)
the purchase of standardised services, including market information services and the provision of price feeds;3
3 - (3)
the recording and retention of relevant telephone conversations or electronic communications subject to SYSC 10A7.3
2Other firms should take account of the critical functions rules (SYSC 8.1.4 R and SYSC 8.1.5 R) as if they were guidance (and as if should appeared in those rules7 instead of must) as explained in SYSC 1 Annex 1 3.3R(1)75.
If a firm (other than a common platform firm)7 outsources critical or important operational functions or any relevant services and activities, it remains fully responsible for discharging all of its obligations under the regulatory system and must comply, in particular, with the following conditions:
2-
(1)
the outsourcing must not result in the delegation by senior personnel of their responsibility;
-
(2)
the relationship and obligations of the firm towards its clients under the regulatory system must not be altered;
-
(3)
the conditions with which the firm must comply in order to be authorised, and to remain so, must not be undermined;
-
(4)
none of the other conditions subject to which the firm'sauthorisation was granted must be removed or modified.
7A UCITS investment firm should take account of the provisions that apply to a common platform firm in relation to its MiFID business in accordance with SYSC 8.1.-2G.
A UCITS investment firm7 must exercise due skill and care and diligence when entering into, managing or terminating any arrangement for the outsourcing to a service provider of critical or important operational functions or of any relevant services and activities.
A UCITS investment firm7 must in particular take the necessary steps to ensure that the following conditions are satisfied:
-
(1)
the service provider must have the ability, capacity, and any authorisation required by law to perform the outsourced functions, services or activities reliably and professionally;
-
(2)
the service provider must carry out the outsourced services effectively, and to this end the firm must establish methods for assessing the standard of performance of the service provider;
-
(3)
the service provider must properly supervise the carrying out of the outsourced functions, and adequately manage the risks associated with the outsourcing;
-
(4)
appropriate action must be taken if it appears that the service provider may not be carrying out the functions effectively and in compliance with applicable laws and regulatory requirements;
-
(5)
the firm must retain the necessary expertise to supervise the outsourced functions effectively and to4 manage the risks associated with the outsourcing,4 and must supervise those functions and manage those risks;
4 -
(6)
the service provider must disclose to the firm any development that may have a material impact on its ability to carry out the outsourced functions effectively and in compliance with applicable laws and regulatory requirements;
-
(7)
the firm must be able to terminate the arrangement for the outsourcing where necessary without detriment to the continuity and quality of its provision of services to clients;
-
(8)
the service provider must co-operate with the FCA7 and any other relevant competent authority in connection with the outsourced activities;
-
(9)
the firm, its auditors, the FCA7 and any other relevant competent authority must have effective access to data related to the outsourced activities, as well as to the business premises of the service provider; and the FCA7 and any other relevant competent authority must be able to exercise those rights of access;
-
(10)
the service provider must protect any confidential information relating to the firm and its clients;
-
(11)
the firm and the service provider must establish, implement and maintain a contingency plan for disaster recovery and periodic testing of backup facilities where that is necessary having regard to the function, service or activity that has been outsourced.
A UCITS investment firm7 must ensure that the respective rights and obligations of the firm and of the service provider are clearly allocated and set out in a written agreement.
If a UCITS investment firm7 and the service provider are members of the same group, the firm may, for the purpose of complying with SYSC 8.1.7 R to SYSC 8.1.11 R and SYSC 8.2 and SYSC 8.3, take into account the extent to which the UCITS investment firm7 controls the service provider or has the ability to influence its actions.
A firm (other than a common platform firm)7 must make available on request to the FCA78all information necessary to enable the FCA78to supervise the compliance of the performance of the outsourced activities with the requirements of the regulatory system.
2Other firms should take account of the outsourcing of important operational functions rules (SYSC 8.1.7 R to SYSC 8.1.11 R) as if they were guidance (and as if should appeared in those rules7 instead of must) as explained in SYSC 1 Annex 1 3.3R(1)75.
As SUP 15.3.8 G explains, a firm should notify the FCA7 when it intends to rely on a third party for the performance of operational functions which are critical or important for the performance of relevant services and activities on a continuous and satisfactory basis.
[Note: recital 44 to7 the MiFID Org Regulation7]
2Additional requirements for a management company
6A management company must retain the necessary resources and expertise so as to monitor effectively the activities carried out by third parties on the basis of an arrangement with the firm, especially with regard to the management of the risk associated with those arrangements.
[Note: article 5(2) of the UCITS implementing Directive]
6A management company should be aware that SUP 15.8.6 R (Delegation by UCITS management companies) and COLL 6.6.15A R (Committees and delegations) contain requirements implementing article 13 of the UCITS Directive in relation to delegation that will apply to it.