This article first appeared in the Issue 9 of Business & Technology Sourcing Newsletter.
The coming into force of the EU Market in Financial Instruments Directive (MiFID) on November 1, 2007, will have implications for firms operating in the financial services sector throughout Europe. This article outlines the implications for firms operating in the financial services sector in the UK.
Outsourcing Arrangements Affected by the Implementation of MiFID
Currently, financial services firms operating in the UK that are regulated by the Financial Services Authority (FSA) must notify the FSA in advance of proposed outsourcing of "material contracts". A major outsourcing activity will be a material contract. The FSA has issued guidance on prudent practice for outsourcing arrangements that it expects to see and this has been incorporated in the required systems and controls in the FSA Handbook.
New systems and controls provisions of the FSA Systems & Controls (SYSC) Handbook, which are applicable to outsourcing by firms, have been published and will come into effect on November 1, 2007. The new provisions introduce a change of emphasis in the regulation of outsourcing in the financial services sector and some new procedural factors for firms contemplating outsourcing arrangements in this area.
MiFID and the new SYSC rules do not take a negative approach to outsourcing in the financial services sector. They are designed, however, to ensure that reasonable steps are taken to avoid undue additional risk as a result of outsourcing, and that no outsourcing of important operational functions is undertaken if such outsourcing materially impairs either the quality of internal controls or the ability of the FSA to monitor the firm’s compliance with regulatory obligations.
Thus, the emphasis shifts, from "material contracts" under the existing regime, to a more risk-based analysis of whether the particular arrangements relate to "critical" or "important" operational functions. Some guidance as to what this means is given in new section SYSC 8.1. Critical functions are those that relate to performance of regulated activities by the outsourcing firm, while important operational functions relate to that firm’s ability to operate internal controls or permit the FSA to monitor the firm’s activities. These are broad concepts and are certainly not more narrow than the current "material contracts" considerations. They do, however, expressly preclude applicability to the outsourcing of a firm’s advisory services — such as legal services — which do not form part of the firm’s product offering, and the provision to the firm of standardized services such as market data feeds. The new rules extend the firm’s analysis concerning its proposed outsourcing arrangements to include an assessment of whether the principles relevant to outsourcing of critical and important functions might also be "appropriate and proportionate" to any proposed outsourcing of non-critical or important functions.
SYSC 8.1 sets out binding rules that a firm must observe in relation to outsourcing of critical or important functions. This is a change from the existing position under which there is simply guidance to be followed by a firm proposing to enter outsourcing arrangements. In many respects the rules are no different from the current guidance and are consistent with good practice in any sizeable outsourcing arrangement.
The firm will have to be satisfied that it has chosen a supplier with the ability, capacity, and requisite authorizations to carry out the outsourced services–a due diligence obligation. A firm will also be required to have reporting and supervision mechanisms in place through good governance, reporting obligations, and service-level commitments. Other obvious areas such as disaster recovery and continued ability to provide the services in the event of termination for poor service or otherwise are covered by specific rules.
A new rule requires the firm to retain the necessary expertise to supervise the outsourced functions effectively and manage the risks associated with the outsourcing. A firm will need to consider carefully just how much resource is required to manage and supervise the outsourced functions and, in fact, to manage the risk. This risk will cover not just the way in which the service provider provides the service, but will also involve an assessment of the risks arising from the way in which the firm itself interfaces with the service provider. A light will be shone on a particularly dark area for the management of outsourcing relationships. This is a reflection of the shift in emphasis in the new rules towards a regime that looks at risk to the activities of the firm and its customers rather than control of particular situations as in the "material contracts" approach to supervision.
The new rules will generally remove the need for prior notification to the FSA before outsourcing. Where portfolio management for retail clients is being outsourced to a service provider located outside the EEA which is not regulated in its home country and/or there is no cooperation agreement between the FSA and the home regulator of the service provider, prior notification will still be required. Under the new rules, when notified, the FSA will have a reasonable time–interpreted as meaning one month–in which to make observations on the proposed arrangements.
Any notification to the FSA of arrangements for offshore outsourcing of portfolio management for retail customers must include details of, among other matters, how the service provider is committed to devoting sufficient competent resources to providing the services. In dealing with this issue, the firm will have to explain how the problem of minimizing staff turn-over, or churn, in the supplier’s service center will be managed.
Summary and Actions for Firms
The new rules governing outsourcing in the financial services sector become effective November 1, 2007. At that time, firms, and the individuals managing them, will move from a system of guidance and approval by the regulator to a system of binding rules regulating outsourcing of critical or important functions and, in addition, application of those rules in an appropriate and proportionate fashion to outsourcing by the firm of other functions.
In substance, the rules should largely reflect no more than sound and prudent practice in any outsourcing relationships. However, in relation to the management of the outsourcing relationships, firms will be required to retain skills and exercise risk management not just for the services provided by the service provider, but also in relation to the way in which the firm manages its outsourced activities. Inevitably, this will lead to the need for more resources and skills in the areas of management and audit to be retained by firms in the financial services sector that outsource their activities.
It is also important to note that the new rules will apply retroactively. Thus, while firms will not be required to re-write their existing outsourcing arrangements, it will be prudent for them to confirm, particularly for arrangements that may not have been "material contracts" - and therefore not previously notified to the FSA - that the arrangements do meet the new rules in areas such as retention of appropriate skills and resources and management of risk.
Mark’s practice covers the technology aspects of corporate transactions, outsourcing, e-commerce, internet businesses, online gambling businesses, and other privacy work involving trans-border data flows. He is rated as a leading lawyer in business process outsourcing, information technology, and intellectual property by Chambers UK. His experience includes acquisition and licensing of systems and software, IT and telecommunications outsourcing particularly in the financial services sector and consulting on intellectual property issues affecting the IT industry.
Copyright © 2007, Mayer Brown LLP and/or Mayer Brown International LLP. This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
Mayer Brown is a combination of two limited liability partnerships: one named Mayer Brown LLP, established in Illinois, USA; and one named Mayer Brown International LLP, incorporated in England.