Outsourcing and the impact of third-party service providers
The FCA is not proposing changes to the FCA’s Handbook rules and guidance on outsourcing or third-party service provision as part of this consultation, noting that existing rules and guidance in this area are already extensive.
While the FCA suggests the existing requirements for regulated outsourcing are adequate, it highlights “important regulatory developments” that are of relevance to outsourcing and other third-party service provision with implications for operational resilience, and in particular refers to guidelines provided by the European Supervisory Authorities.
In contrast, the PRA has set out new proposals on outsourcing and third-party risk management, including the use of cloud services, which it says will “steer firms to be resilient in their adoption of new technologies” and thus complement the proposals on operational resilience.
It is no surprise then that the proposals go further than any other outsourcing requirements in relation to “stressed exits” and having realistic plans for dealing with them.
The approach in the CPs reflects the Regulators’ concern that firms’ dependencies on outsourced service providers is increasing and that poor governance of those arrangements may lead to, or amplify, insufficient operational resilience in firms.
The Regulators’ expectations here are clear: firms should effectively manage their use of third parties to ensure that they can meet the required standard of operational resilience and firms should be able to remain within impact tolerance for important business services, irrespective of whether or not they use third parties in the delivery of these services.
Regulatory supervision
The FCA is proposing that it will provide “individual guidance” as to whether a firm’s compliance with the new rules is adequate and, if necessary, require a firm to take the necessary actions or steps to address any failure to meet the requirements.
FCA-regulated firms already have experience of this method of supervision with regards to compliance with capital requirements and are therefore likely to be familiar with the associated risk that the FCA can issue individual guidance that is not wholly appropriate for the particular firm.
While there is some scope for firms to discuss individual guidance with the FCA before any action is taken, ultimately if the FCA and the firm still do not agree, the FCA may use other tools available to it to require the firm to take specific steps in line with the FCA’s view.
The PRA plans to continue to use a wide range of existing tools and powers to support its supervision of operational resilience, including for example the senior managers’ regime, and its powers under section 166 of the Financial Services and Markets Act to require skilled persons’ reports.
Challenges ahead
