Outsourcing in Financial Services Infoline conference November 2016


Transcript of Outsourcing in Financial Services Infoline conference November 2016

Page 1

Interpreting current FCA attitudes: cloud guidance, conduct risk and SYSC8/13

[email protected]

16 November 2016

Outsourcing in Financial Services 8th Annual Forum

Page 2

Plan

• Landscape: what the regulators have to contend with

• RegTech

• Deeds, not words

• Regulators’ latest approach to cloud computing (and third party outsourcing)

• Conduct risk and outsourcing: do we actually know what they mean?

• Enforcement action in outsourcing and/or conduct risk

• This time, it’s personal

• Lessons learned/to be learned

www.blplaw.com Page 2 © 2016 Mark Lewis and Berwin Leighton Paisner LLP

Page 3

Guess who?

Page 4

Guess who?

Page 5

A sample of the landscape regulators have to contend with

• Cloud Computing

• AI, algorithmic trading and decision-making, software robotics, robo advice

• Blockchain and distributed ledger payments and processes

• Crypto currencies

• Big Data

• FinTech

• General Data Protection Regulation (GDPR)

• Ring fencing, recovery and resolution

• Challenger FIs and greater FS competition

• Cyber risk and cyber security, and…

• Brexit


Page 6

A regulatory response?

• Project Innovate

• “Technology plays a fundamental and increasingly pivotal role in delivering innovative financial products and services. The FCA is committed to fostering innovation and technology – including RegTech – to promote effective competition in the interests of consumers”: https://www.fca.org.uk/firms/project-innovate-innovation-hub/regtech

• TechSprint

• Innovation Hub

• Themed Weeks

• Regulatory Sandbox


Page 7

A regulatory response?

Page 8

FCA’s approach to cloud computing

• FG 16/5 – Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services, https://www.fca.org.uk/publication/finalised-guidance/fg16-5.pdf

• Not binding, but….: 1.8

• ‘Cloud’ = public, private and hybrid models, IaaS, PaaS, SaaS: 1.4. Is that important?

• “From a regulatory perspective, the exact form of service…does not, in itself, alter the regulatory obligations placed on firms. It is important to note that where a third party delivers services on behalf of a regulated firm – including a cloud provider – this is considered outsourcing and firms need to consider the relevant regulatory obligations and how they comply with them”: 3.3

• Categorisation: outsourcing of critical or important, material or important operational functions (payment institutions, electronic money institutions): 3.6

Page 9

FG 16/5

• Legal and regulatory considerations

• Risk management, including off- and near-shoring

• International standards

• Oversight of service provider

• Data security

• DPA 1998 [GDPR]

• Effective access to data – SYSC 8.1.8(9)

• Access to business premises, including regulatory and firm and audit access – SYSC 8 and Sol II Art. 274 (insurers)

• Relationship between service providers – outsourcing/cloud supply chains

• Change management

• Continuity and business planning

• Resolution (where applicable)

• Exit plan

Page 10

What is “conduct risk”?

• FCA Risk Outlook March 2013 – signals new approach to conduct risk: “consumer detriment arising from the wrong products ending up in the wrong hands, and the detriment to society of people not being able to get access to the right products”: https://www.fca.org.uk/publication/business-plans/fca-risk-outlook-2013.pdf

• OECD 2013 report on conduct risk – international principles emerging: https://www.oecd.org/finance/financial-education/G20EffectiveApproachesFCP.pdf

• But what does “conduct risk” actually mean?

• 2013 narrow definitions, but….

• With increased use of technology and automation to shape consumer products, services and front-middle-back office customer engagement

• Conduct risk is now actually also about IT systems and applications and data integrity, cyber security, resilience, data privacy and operational risk

Page 11

What is “outsourcing”?

• FCA Thematic Review TR15/7 Delegated authority: Outsourcing in the general insurance market https://www.fca.org.uk/publication/thematic-reviews/tr15-07.pdf

• “The term ‘delegated authority’ is widely used in the general insurance industry to describe a variety of arrangements. At the core of these arrangements is external delegation by insurers, involving the outsourcing of functions to intermediaries and other third parties. This is often accompanied by the allocation of other related functions between the parties involved.”: 1.2

• “Outsourcing and any accompanying allocation of functions can take many different forms and can relate to all stages of an insurance product life-cycle from product development, through underwriting, distribution and sales, to claims and complaint handling.”: 1.3

• See also “outsourcing” definitions in PRA/FCA Handbook (Glossary) and TR15/7 reference to SYSC 3.2.4 G: defines external delegation as ‘outsourcing’, noting that ‘guidance relevant to delegation within the firm is also relevant to external delegation (‘outsourcing’).’

• Even so, a wide view and definition of outsourcing that took the general insurance market by surprise, especially in delegating underwriting and claims management

Page 12

Enforcement action in outsourcing and/or conduct risk I

Stonebridge International Insurance, August 2014 (FCA)

http://www.fca.org.uk/news/fca-fines-stonebridge-international-insurance-limited-84m

Outsourced intermediary sales, breach of FCA Principles 3 and 6

Deficiencies in training materials designed by S. Inadequate quality assurance by S of outsourced intermediary sales and contact centre post-sales cancellation calls. S failed to undertake proper oversight of outsourced operations, and failed to obtain adequate management information to oversee TCF by outsource providers. S unable properly to monitor its systems and controls in European operations because its compliance function was inadequately resourced

Pope and Legerton, TailorMade Independent (TMI), March 2015 (FCA)

https://www.fca.org.uk/news/press-releases/fca-bans-and-fines-two-individuals-pension-advice-failings

Breach of Principle 7

Failure to assess suitability of SIPP investments, to manage conflicts of interest and to oversee TMI’s compliance function (outsourced to external consultants). Problems compounded when TMI failed to act quickly enough when outsourced compliance function warned P and L about conflicts of interest. Both banned and P fined

Page 13

Enforcement action in outsourcing and/or conduct risk II

Raphaels Bank, November 2015 (PRA)

http://www.bankofengland.co.uk/publications/Documents/news/2015/093.pdf

Breach of Principle 3 and PRA Threshold Conditions

R failed to manage intra-group outsourced ATM arrangements properly – putting safety and soundness at risk. Lack of appropriate controls and oversight of outsourcing, suitable intra-group outsourcing agreements and proper DD of the outsourcing arrangements. Also resulted in inadequate oversight and control over R’s regulatory capital

Aviva Pension Trustees UK and Aviva Wrap UK, October 2016 (FCA)

https://www.fca.org.uk/publication/final-notices/aviva-pension-trustees-uk-limited-aviva-wrap-uk-limited.pdf

Breaches of Principle 3, Principle 10 (Clients’ Assets) and associated rules in the Client Assets sourcebook (“CASS rules” – first CASS case for outsourcing oversight breaches)

Outsourced administration to TPAs of client moneys and external reconciliations relating to custody assets

Firms failed to retain the necessary expertise to supervise the outsourced functions effectively and to manage the risks associated with the outsourcing (also SYSC 8.1.6R and SYSC 8.1.8(5)R)

“With outsourced arrangements firms remain fully responsible for compliance with… CASS rules. Firms are reminded that regulated activities can be delegated but not abdicated. Other firms with similar outsourcing arrangements should take this as a warning that there is no excuse for not having robust controls and oversight systems in place to ensure their processes comply with our rules when CASS functions are outsourced”: Mark Steward, FCA Director of Enforcement and Market Oversight

Page 14

IAR: outsourcing and conduct risk

• “Performance of each of the…key functions may be outsourced to another undertaking, in accordance with the provisions in the EU Solvency II Regulations, and with guidelines issued by the European Insurance and Occupational Pensions Authority (EIOPA). However, there also needs to be appropriate oversight of any outsourced functions. The PRA expects the governance map to set out which key functions have been outsourced (in whole or in part), the name of the service provider, and the identity of the key function holder within the firm who has the responsibility for oversight of that function”: Supervisory Statement SS35/15 Strengthening individual accountability in insurance, September 2016, 2.31 http://www.bankofengland.co.uk/pra/Documents/publications/ss/2016/ss3515update.pdf

• Similar provisions for the banking accountability regime

• IAR/SMR to be extended to all firms by 2018

Page 15

Lessons learned/to be learned

• Technology and outsourcing are merging

• Technologies are developing quickly, and new service models will follow, but….

• The same regulatory duties apply, with or without technology

• Project Innovate does not include free passes out of enforcement for firms who get it wrong using technology

• Effective regulatory risk management requires a careful analysis of prudential and conduct risks arising as a result of the technological developments and business service models you may be tempted to adopt

• See what the regulators actually do (enforcement) and have regard to their published guidance and interpretation – not rhetoric

• Oh, and this is getting personal to senior management
