The FCA’s six steps for outsourcing technology solutions with due diligence
This month, the Financial Conduct Authority (FCA) took a small but symbolic step forward in its role to regulate the UK’s financial sector. For the first time in history, it published specific regulations regarding the outsourcing of any third-party technology providers.
But by taking a holistic approach and failing to pin down any specific regulations for the now-prevalent cloud computing solutions, the FCA remains far behind its US counterparts. As early as July 2012, the Federal Financial Institutions Examination Council circulated a joint interagency statement that considered specific technological solutions, including both traditional software and cloud-based systems.
A regulatory reminder
The FCA’s approach is far more top-level, leaving firms’ risk and compliance departments to interpret its guidance in relation to their specific needs, and to ensure they implement sufficiently risk-averse assessments before confirming any contracts. Of course, these assessment systems should already be in place in most financial services firms, especially as these companies have been among the quickest to embrace the latest waves of technology.
The FCA’s advice predominantly serves to remind firms that they retain full accountability for determining whether their own actions and those of all their third-party suppliers fall within the regulator’s recommended risk framework. As with any supplier, it is key that the decision to outsource your technological requirements enhances the resilience, security and scalability of your business rather than weakening them.
Raising questions, not answers
By laying out four pages of key questions, the FCA leaves you to decide which considerations are most relevant to you and how best to answer them within its wider guidelines. It acts as a checklist of sorts, from which you can devise tailored guidelines to ensure every department is working towards the same goal of maximum profitability at minimal risk.
The following phases summarise the FCA’s perceived outsourcing journey, and the big questions to ask at each stage:
- Decide to outsource critical technology services – Consider whether a third-party provider can be more successful than an in-house team, and whether they can fully meet your risk-mitigating needs.
- Select the right third-party provider – Weigh up the price, performance and exit plan suitability for each prospective supplier.
- Create a contract with built-in governance – Ensure that you can remain accountable for all the supplier’s activities, and that the supplier sufficiently understands your specific service issues and general risk management principles.
- Pre-empt operations – Assess the framework of your partnership in order to account for your maintenance, scalability and emergency repair needs.
- Check data protection regulations – Ensure that your new contract complies with all the government’s and FCA’s data privacy regulations.
- Define your service protection processes – Make sure all relevant employees understand the procedures for security, incident and disaster management, and have contact details for the relevant people within your supplier’s organisation.