Khepri's A to Z: Enhancing Operational Resilience through Strategic Outsourcing - Buy and Sell-Side Compliance
Introduction
Operational resilience has become a pivotal concern for financial institutions, and particularly for investment businesses, which will outsource almost all the operational and technology aspects of managing investments or funds.
Therefore, operational resilience and oversight are of critical importance to this sector.
FCA Rules and Guidelines
Whilst the FCA is focusing on outsourcing in the context of market infrastructure providers and other large institutions, its rules and guidelines apply widely to all types of investment businesses. Useful reads include:
• Principle 3: Management and control
• SYSC 3 / SYSC 8: Systems and Controls / Outsourcing
• SYSC 15A: Operational resilience*
• FG 16/5: Guidance for firms outsourcing to the “cloud”
• EBA Guidelines: Outsourcing*
• WDPG: The Wind-Down Planning Guide (useful in the context of an outsourcer's role when winding down the business)
*noting that this has a narrower scope of application than the other resources listed but is still useful guidance on good practices
Understanding Outsourcing
Outsourcing is the practice of delegating specific business functions or processes to third-party service providers. It is a strategic move often aimed at cost reduction, enhanced efficiency, and access to specialised expertise. However, the benefits of outsourcing are accompanied by inherent risks, especially in the context of operational resilience.
Notwithstanding that it has outsourced activities, it is important to understand that a firm remains fully responsible for discharging all its obligations under the regulatory system and that:
• the outsourcing must not result in the delegation by senior personnel of their responsibility; and
• the relationship and obligations of the firm towards its clients under the regulatory system must not be altered.
Key steps on the path to outsourcing
Although the precise steps should be assessed on a case-by-case basis, the following are a useful guide:
• Strategic rationale: It is useful to understand what a firm wishes to achieve by outsourcing. If this is defined at the outset, the success or otherwise of the arrangements can be more clearly measured.
• Due Diligence: Prior to entering into outsourcing agreements, firms must conduct thorough due diligence on their service providers. This includes assessing their financial stability, track record, and their ability to maintain operational resilience.
• Integration with current risk and control matrix: The firm should ensure that its current risk and control matrix is updated to reflect the role of any outsourcing parties.
• Contractual Agreements: The FCA requires firms to have robust contractual agreements in place with service providers. These agreements should outline the expectations, responsibilities, and service levels to ensure operational resilience.
• Governance: SMCR responsibility statements should be updated to reflect those relevant to the oversight of outsourced providers. Consideration should also be given to whether additional individuals are certified staff due to the role they play in managing the outsourcing risks.
• Monitoring: There should be agreed service level standards and these should be periodically monitored.
• Exit Strategies: Firms are also encouraged to develop clear exit strategies to mitigate risks associated with the termination of outsourcing agreements. This ensures a seamless transition of critical functions back in-house if necessary.
Operational Resilience
This is a hot FCA topic.
Operational resilience is not solely the responsibility of the financial institution. Service providers also play a crucial role in ensuring that critical functions are not disrupted. The FCA's guidelines reinforce the need for collaborative efforts between financial firms and their outsourcing partners to maintain operational resilience.
Therefore, it is important to think about what would happen if a service provider were to fail, the impact this would have on the business and its clients and, if the failure were to persist, when it would cause the business to fail or clients to suffer material detriment. Various scenarios should be considered, and the response mapped out with support from the relevant service provider(s).
Challenges and Considerations
While the FCA's approach is laudable, it's not without its challenges and considerations. Financial institutions must carefully balance the benefits of outsourcing with the potential risks. These challenges include:
• Cybersecurity Risks: The increasing reliance on technology in outsourcing can expose firms to cybersecurity vulnerabilities. Adequate safeguards must be in place to protect sensitive data.
• Regulatory Compliance: Meeting regulatory requirements is an ongoing challenge, especially as regulations evolve. Firms must stay updated and adapt to changes in regulatory frameworks.
• Vendor Management: Effective vendor management is essential for outsourcing success. This includes ongoing monitoring and assessment of service providers.