Outsourcing and operational resilience: Lessons from recent regulatory findings
As financial institutions increase their use of outsourcing, particularly in the FinTech sector, recent enforcement actions and authority publications offer useful indicators of key regulatory concerns.
How does a financial institution balance the increasingly popular outsourcing business model with its regulatory obligations? In the FinTech space in particular, outsourcing provides an efficient way of rapidly tapping into new technologies without incurring the significant upfront cost of building infrastructure and expertise in-house. It also offers scalability that can be quickly calibrated to match market demand, improving business agility and considerably reducing time to market.

However, financial institutions must remain mindful that outsourcing brings inherent risks and, as recent PRA and FCA enforcement actions emphasise, does not reduce a firm's regulatory burden: responsibility for the outsourced activity stays with the firm. In particular, firms that outsource must consider whether they have sufficient operational resilience to monitor and deal with disruption events at their outsource providers. They must also ensure that they understand the impact of third-party technology failure on both their customers and their own operations. This is a common issue: between October 2017 and September 2018, 17% of all incidents that firms reported to the FCA were caused by IT failure at a third-party supplier – the second highest root cause of disruption to services.
Recent regulatory findings offer financial institutions valuable guidance on the risks posed by outsourcing arrangements and on the regulators' approach to operational resilience more generally. They are consistent with the broader FCA and PRA focus we have seen over the last two years on ensuring firms are able to prevent and respond to operational disruptions without causing harm to customers and the wider market. Learning points include:
1. Effective oversight of the entire outsourcing arrangement: firms must ensure they have effective oversight of every layer of the outsourcing arrangement, including any further third parties (sub-outsourcers) used by their outsource providers.
2. Importance of outsourcing risk assessments: firms must rigorously assess their outsourced services and calibrate oversight and tolerance levels to the risk each one presents. This includes an obligation to identify critical outsourced services and functions and to establish an appropriate risk appetite for critical outsourcing.
3. Demonstrable consideration of customers: when a disruptive event is caused by an outsource provider, firms must have sufficient controls in place to keep all affected customers updated on developments as they happen. Firms must implement workarounds where possible, take steps to assess fully the customer harm suffered and consider whether to offer redress proactively.
4. Senior management accountability: firms must ensure that there is senior management accountability for operational resilience, including with respect to outsourcing. As yet, no senior managers have been held personally accountable for a disruption event. However, we would expect regulators to be looking for a suitable opportunity to enforce in this space in due course.
5. Cultural shift: with respect to operational resilience more generally, firms must transition from a reactive "fix on fail" approach to a much more proactive assessment of their resilience to disruptive events. This includes carefully calibrating board-approved impact tolerances, continuously testing response systems and running "war games" and test scenarios.
6. Consideration of wider prudential issues: firms must consider the impact of outsourcing and operational resilience issues not only on their customers but also on their broader operational stability. Investigations in this space are increasingly likely to involve both the FCA and the PRA, with potentially higher fines as a result, and firms should put measures in place now to minimise the impact of any disruptive event.