It's all very well to issue regulatory guidance – but it's what you do to enforce it that really counts. The UK financial services regulatory agencies have imposed fines exceeding $2 million on a UK bank that did not implement enough oversight on an outsourced provider of technology services.
In a move that emphasises the firmer approach being adopted by UK regulators when it comes to compliance with technology outsourcing rules, the Financial Conduct Authority (FCA) and the Prudential Regulatory Authority (PRA) have jointly fined R. Raphael & Sons plc ("Raphaels") £1,887,252 for failing to properly manage its technology outsourcing arrangements between April 2014 and December 2016. This fine followed an investigation by the FCA and PRA which revealed that: "Raphaels' systems and controls supporting the oversight and governance of its outsourcing arrangements were inadequate and exposed customers to unnecessary and avoidable harm and inconvenience".
The FCA has had regulatory guidance in place for years in relation to the use of outsourced technology services by regulated entities. In 2015, this was extended to cover the use by regulated entities of cloud services. Regulated entities in the financial services sector are required to retain full accountability for discharging their regulatory obligations, and to ensure that the use of outsourced technology services does not materially impact the continuity of their operations.
Raphaels, a savings and lending bank, offers prepaid card and charge card programmes in the UK and across Europe. Various functions associated with these programmes, including the authorisation and processing of card transactions, are performed by outsourced third-party service providers. The investigation highlighted that Raphaels did not have adequate processes to assess the "business continuity and disaster recovery arrangements" of those outsourced service providers, which posed a risk to Raphaels' continued operations during a disruptive event. This risk came to light in 2015 when an incident at an outsourced service provider caused the total failure of the authorisation and processing services provided to Raphaels.
In the regulatory agencies' view, the failings highlighted by the incident were the result of Raphaels' flawed management and outsourcing risk assessment processes between 2014 and 2016 (though Raphaels revised its outsourcing policies and procedures after 2016), specifically:
a. inadequate consideration of outsourcing by Raphaels' board and departmental risk assessment processes;
b. a lack of procedures to identify critical outsourced services; and
c. flaws in its due diligence procedures for outsourced service providers.
While the FCA/PRA investigation shows the importance that the regulators attach to compliance with guidance on the use of external technology services, the fact that Raphaels' fine was reduced by 30% due to its cooperation with the investigation also indicates that the FCA still prefers to work with regulated entities where it's possible to do so.
This most recent fine was not the first one levied against Raphaels – in November 2015, the PRA also fined Raphaels £1,278,165 for failings in relation to its governance and oversight of outsourced functions.
Other UK regulatory fines relating to outsourcing rules in the financial services sector have previously been imposed by the FCA, including on Stonebridge International Insurance (2014, £8.4 million) and Aviva (2016, £8.2 million).
The fines highlight the high standard to which the FCA holds outsourced regulated activities, and that it has no intention of letting such failures go unchecked. Financial services firms that choose to outsource regulated activities (and rely heavily on those providers) should ensure that they have adequate measures in place to assess the associated risks, and that at all times they retain complete oversight of the activities the outsourced service providers perform.
It's a useful reminder that any outsourcing by a regulated entity in the financial services sector needs to be undertaken carefully and in compliance with the issued guidance. In particular, given the regulators' focus on operational resilience, entities must retain the ability to recover from any service interruption affecting outsourced service delivery.
In addition to the obligations imposed on them by the FCA and PRA, financial institutions operating in the EU will also need to comply with the European Banking Authority's revised Guidelines on outsourcing arrangements from 30 September 2019. In particular, these Guidelines clarify that management are responsible for the institution and its activities at all times. This reiterates the importance of having appropriate measures in place to assess the risks associated with outsourcing arrangements and of making enough resources available to manage those arrangements appropriately.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved