New regulations applicable to outsourcing by regulated firms in the financial sector have been proposed at an international, EU and UK level. The extent to which financial services firms are using third parties to carry out activities that the firms would normally have undertaken themselves has increased enormously in recent years, and regulators are becoming increasingly concerned to ensure that the attendant risks are correctly managed.

The rationale for a specific regulatory regime for outsourcing is threefold. Firstly, regulators want to ensure that outsourcing arrangements do not impact a firm's ability to comply with existing regulations or to be supervised. Secondly, regulators want to address any negative impact on a firm's risk profile resulting from outsourcing arrangements – outsourcing has the potential to transfer risk, management and compliance obligations to unregulated third parties located in low-cost jurisdictions, geographically and culturally distant from the firm. Thirdly, there is a desire to ensure a level playing field among firms operating in different countries.

Most regulators considering outsourcing activities take a similar approach. A regulated firm deciding whether to outsource any of its activities must consider the impact on its risk profile, and any resulting contract with a service provider must address certain risk considerations. Providers of outsourcing services and other non-regulated third parties will not be directly subject to any regulatory requirements, but are required by regulated firms to accept certain contractual provisions which indirectly introduce controls. In addition, the supranational regulators are addressing various types of risk which may arise from multiple outsourcing arrangements. Interestingly, however, none of the regulators has provided detailed guidance on the risks which may arise from offshore outsourcing.

This Alert looks briefly at the regulatory proposals currently being considered at an international, EU and UK level.1

International Developments

The Banking, Securities and Insurance Sectors

The Joint Forum was established by the International Organization of Securities Commissions (IOSCO), the Basel Committee on Banking Supervision and the International Association of Insurance Supervisors (IAIS), to deal with issues common to the banking, securities and insurance sectors. In February 2005 the Joint Forum published a report entitled 'Outsourcing in Financial Services'. This report establishes a set of high level, voluntary principles designed to provide a minimum benchmark against which all financial institutions in the banking, insurance and securities sectors can gauge their approach to outsourcing. In addition, the report contains some broad principles to help regulators take into account outsourcing in their regular risk review of firms.

The Joint Forum advises firms engaged in or considering outsourcing to adopt a comprehensive policy to assess whether and how activities can be outsourced, together with a comprehensive outsourcing risk management programme. Outsourcing firms should also enter into appropriate contracts with service providers and develop specific contingency planning for each outsourcing arrangement. There are no notification requirements.

The Securities Sector

IOSCO, an international association of securities regulators, has produced a set of principles on outsourcing, in this case specifically aimed at securities companies, that are designed to be complementary with the Joint Forum's set of principles. IOSCO's report entitled 'Principles on Outsourcing of Financial Services for Market Intermediaries' was issued simultaneously with the Joint Forum's report in February 2005.

In common with the Joint Forum's principles, IOSCO's principles are intended to operate on the basis of self-regulation. The regulated firm is encouraged to consider the impact that any outsourcing will have on its business and to adopt certain good practice procedures to manage the outsourcing arrangement. The principles are to be applied according to the materiality of the outsourcing arrangements, and do not require any notice to be given to the firm's regulator. Central to the principles is the notion that an outsourcing firm must retain full legal liability and accountability to the regulator for all outsourced functions. Moreover, the outsourcing firm must retain the competence and ability to ensure that the firm complies with regulatory requirements. National regulators should be aware of increased risks arising from one service provider providing outsourcing services to multiple regulated entities, and should take this into consideration as part of their oversight and examination programmes.

European Developments

The Banking and Investment Services Sectors

The outsourcing activities of regulated firms in the banking and investment services sectors are shortly to be subject to legal requirements following the implementation of Directive 2004/39/EC on Markets in Financial Instruments (MiFID). MiFID, which was adopted on 27 April 2004, must be implemented by the Member States by 30 April 2007. The Committee of European Securities Regulators (CESR) has been formally mandated to provide technical advice on the implementation of the MiFID, and the Financial Services Authority (FSA) is planning to consult on UK implementation of the requirements relating to systems and controls, including outsourcing, in the first quarter of 2006.

Article 13(5) of MiFID requires banks and investment firms that provide investment services or which undertake investment activities to take "reasonable steps to avoid undue additional operational risk" arising from material outsourcing arrangements. Such arrangements must not restrict the ability of the regulator to supervise the firm. Article 13 of MiFID will be supplemented by more detailed rules contained in so-called level 2 measures that are likely to take the form of directly applicable EU regulations. The first draft of these measures was published in May 2005 on the EU Commission's website. This includes a list of steps to be taken by any firm when entering into, managing and terminating an outsourcing arrangement "of critical or important operational functions or of any other investment services or activities". Most notable of these is, perhaps, the obligation to notify the regulator of any such outsourcing arrangement.

The Banking Sector

The Committee of European Banking Supervisors (CEBS) is developing high-level principles on outsourcing aimed at the banking sector, with the aim of promoting supervisory convergence between Member States, particularly in the context of the Capital Requirements Directive (CRD). In April 2004 CEBS issued a paper for consultation: the consultation period has now expired, and it is expected that the CEBS will finalise the report shortly.

The principles set out in broad terms what supervisory authorities should expect from firms entering into outsourcing arrangements. CEBS is proposing a three-tier classification of activities: (i) strategic or core activities which cannot be outsourced; (ii) non-strategic but material activities, which should be pre-notified to the supervisory authority; and (iii) non-strategic and non-material activities, which do not have to be pre-notified, but for which the firm must remain responsible for ensuring that any supervisory guidelines are still met.

The Insurance and Occupational Pensions Sectors

In the development of a new solvency system to be applied to various insurance undertakings (the Solvency II Project), the EU Commission has asked the Committee of European Insurance and Occupational Pensions Supervisors (CEIOPS) to advise on appropriate standards for increasing the level of convergence of the supervisory process, making reference to problems which may arise in a number of areas including internal controls for outsourcing. At this stage CEIOPS' advice consists of broad principles on potential implementing measures which do not make specific mention of outsourcing, but the intention is that CEIOPS will elaborate on these principles, potentially later this year.

UK Developments

At a UK level there are already FSA regulations in place that provide guidance on outsourcing by firms regulated by the FSA. The FSA addresses outsourcing in the context of operational risk, in terms of processes, people, systems and external events. The overarching FSA principle is that regulated firms must take reasonable care to organise and control their affairs responsibly and effectively with adequate risk management systems. All of the FSA regulations on outsourcing stem from this.

The key to the FSA's approach is that a firm cannot, by outsourcing or delegating its activities to a service provider, divest itself of its legal or regulatory obligations. Firms are therefore advised by the FSA to put in place "appropriate safeguards" for any outsourcing or delegation of activities to a service provider. They should (i) identify, assess and manage the risks arising from an outsourcing arrangement; (ii) ensure, both contractually and operationally, that there are appropriate access rights to the service provider's premises, people and information for themselves, their auditors and the regulators, and (iii) consider contingencies, both in the sense of business continuity for the day-to-day operation and the exit strategy.

Given its risk-based approach, the FSA takes a particular interest in "material outsourcing". An outsourcing is considered to be material if it involves the outsourcing of services of such importance that weakness or failure of the services would cast serious doubt upon the firm's continuing satisfaction of the threshold conditions or of compliance with Principles for Businesses in the FSA Handbook. Materiality needs to be judged by the firm in relation to the impact of the outsourced service on its activities. The outsourcing of Internal Audit or Compliance and most front-office functions is considered to be material.

Any firm proposing to enter into, or significantly change, a "material outsourcing" arrangement is required to notify the FSA of this, and to ensure that the outsourcing does not restrict the FSA in exercising its supervisory powers.2 A member of the firm's senior management, who should be an approved person, should take responsibility for each material outsourced function. That person should have direct and unfettered reporting lines to him from the individuals responsible for the material outsourced services at the service provider.

In addition to these regulations applicable to all regulated firms, the FSA has developed detailed sets of principles which banks, building societies and insurers should adopt in any outsourcing arrangements. Although the principles applicable to insurance companies are somewhat different from those for banks and building societies, the essence of each of these sets of principles is the same. They focus on the factors to be considered before deciding whether to outsource any activities, issues to be covered in the contract with the supplier, and the ongoing management of the relationship with the supplier.

In 2002 the FSA stated that it would create a harmonised set of more detailed minimum standards on outsourcing that would be applicable to regulated firms. These were due to come into force in December 2004. However, in September of that year the FSA announced that the implementation of the proposed new guidelines, which by that stage had reached the status of "near-final text", would be delayed for all regulated firms other than insurance companies. The reasoning behind this was largely due to the inevitable changes that will need to be made to the text for regulated firms other than insurance companies following the implementation of MiFID and the CRD. Accordingly, on 31 December 2004 standards forming part of the FSA Handbook on 'Senior Management Arrangements, Systems and Controls' (SYSC) came into effect for insurance companies only. Standards similar to these, exceeding them where necessary to meet the MiFID and CRD requirements, are scheduled for implementation in 2006 for other categories of regulated firms.

Conclusion

It is expected that in the next couple of years there will be significant changes in the regulatory regime applicable to outsourcing in the financial sector as the regulators address their concerns. Any regulated firms considering outsourcing should ensure that they are up-to-date with the latest requirements.

1 For information regarding regulatory developments in the US, please see the Sidley Austin Brown & Wood Alert on the FDIC study entitled "FDIC study proposes best practices to address privacy concerns raised by offshore outsourcing".

2 This requirement does not apply to an investment company with variable capital or a firm qualifying as an undertaking for collective investment in transferable securities.

This article has been prepared by Sidley Austin Brown & Wood LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Readers should not act upon this without seeking professional counsel.