Regulation | Jul 18 2018

Advisers urged to have platform failure back-up plan


Technology and compliance experts have said advisers should assume their platform will suffer an outage at some point and put together contingency plans for when it does, to avoid scrutiny from regulators.

At the start of July the Financial Conduct Authority, together with the Bank of England and the Prudential Regulation Authority, published a 48-page paper on the need for the financial services sector to make its technology more resilient to cyber attacks and outages.

It came after the problems faced by Visa, TSB, Aegon and Aviva, which all saw technology failures preventing them from offering their full service.

The paper stated senior managers should take responsibility for creating back-up plans if their systems go down but it also highlighted the issue of outsourcing, stating boards and senior managers needed to have oversight of any activities which were provided by third parties.

Andrew Husband, partner and head of operational resilience at KPMG, said: "Boards are already taking this seriously but overseeing an extensive network of third parties is a complex task which is getting ever harder as the asset management landscape evolves. The regulator’s discussion paper aims to raise the bar and continually challenge the sector on this issue.

"Firms are certainly likely to be subject to increasing regulatory scrutiny if they fail to provide a suitable level of monitoring and oversight of outsourced providers and this has had a critical impact on business services."

Under existing regulations, firms have to understand the extent of their outsourced activities and perform risk assessments. This includes assessing the criticality of each supplier and the ability of the firm to change provider should this become necessary.

Mr Husband said the discussion paper built on the existing requirements and was moving towards a step up in boards' and senior managements' oversight, to more clearly identify and understand "critical service providers".

Caroline Bradley, group risk and regulatory director at Tenet, said: "We review the terms and conditions of any outsourced provider, as well as undertake due diligence to understand their security measures and what their contingency plans are in event of a system outage or cyber attack, but ultimately, this is obviously not something that we can prevent.

"In the case of a platform, the risk lies with that outsourced provider and they would bear the liability for any cyber attack or outage. Customer services issues may arise that advisers will have to manage if they recommended a provider with poor systems and controls, so robust due diligence is key."

The three regulators said firms should establish the resilience of any outsourced providers and make sure they have a plan in place if these suffer an outage themselves.

They also said boards and senior management should assume individual systems and processes that support business services will be disrupted, and increase the focus on back-up plans, responses and recovery options.

They have also suggested the use of time limits for how long outages should last and have recommended that firms stress test their systems for "severe but plausible" scenarios.

Rakesh Majithia, outsourcing and third party risk partner for PWC, said: "Over recent years the complexion of third party supply has changed beyond recognition. 

"Supply chains have got more complex, there is now an increased reliance on intragroup arrangements, innovative fintechs continue to emerge and of course the use of Cloud service providers has expanded massively. 

"All of these elements have combined to make the effective management and oversight of third-party arrangements more challenging than ever and many firms are playing catch up.

"Regulators wouldn't necessarily take action against a firm simply because their outsourced provider suffers an outage. But if customers suffer harm as a result of a firm's failure to have sufficient contingency arrangements in place to deal with such an event, and/or there were deficiencies in other aspects of the firm's risk management activities, regulators may take a different view.

"The discussion paper is very clear that disruptions and outages will happen. It is the way firms respond to these incidents and the plans they have in place to mitigate the impact to customers and the financial system as a whole that is crucial."

The FCA did not respond to a request for comment on whether advisers could run into trouble if the platforms they recommend to clients ran into problems in the future.

damian.fantato@ft.com